ISACA leader warns companies to prepare for a Frantic Friday of employee online shopping

London, UK  (9th December 2010)—The big freeze that hit the UK at the start of December is likely to be felt in more ways than one, says a business IT leader with ISACA, the not-for-profit IT security association.

According to Peter Wood, member of ISACA Security Advisory Group and CEO of First Base Technologies whose experience with IT security spans back to the very earliest days of the Internet, the big freeze means that this year's online shopping surge is likely to be pushed back from previous years.

"All the signs are that this coming Friday - the 10th of December - is likely to be among the busiest days for pre-Christmas online shopping, and the bad news is that, as it's a working day, business productivity could take a severe hit," he said.

"But perhaps more important, ISACA's research suggests that, in the rush to get all the Christmas present shopping done online, many employees will be opening up their employers to online security attacks, as their normally high guards will be lowered," he added.

Wood points to the fact that IBM's Coremetrics operation reported a 94 per cent increase in the value of goods purchased online in last year's pre-Christmas run-up, as well as the fact that the average number of presents bought online had increased from 2.7 to 3.7 presents per person in 2009 (

If these figures are extrapolated to this year's online Christmas, it becomes clear that, coupled with the big freeze, consumers' retail shopping is certain to be curtailed in favour of the bargains to be found online, he went on to say.

Wood, whose company specialises in penetration testing, adds that further analysis of last year's pre-Christmas online shopping trends showed that the busiest day tended to be towards the end of week.

Factoring in the data from Experian Hitwise’s analysis of last year’s Christmas  (, it's fairly obvious that, coupled with the big freeze,  the 10th of December will be a Frantic Friday as far as online retailing goes, he explained.

As ISACA's own research has shown, he says, organisations need to be aware that the enthusiasm of their employees to do their holiday shopping online means that their normal security procedures may be compromised.

According to the association, which has more than 95,000 constituents around the world, its recent `Shopping on the Job' survey - which took in responses from 360-plus workers in the UK and 630-plus staff in the US,  57 per cent of employers do not prohibit the use of work email addresses for online shopping by staff.

As well as increasing the risk of malware infections, Wood says that ISACA researcher s also found that managers underestimated the productivity losses due to all their staff's online shopping.

ISACA'a 2010 Shopping on the Job survey also  found that 18 per cent of those surveyed said that they thought the financial cost per employee due to productivity losses were between £500 and £3000, whilst a further 9 per cent said that the losses were between £3000 and £6,000 per member of staff.

And, says Wood, a further 5 per cent said they believed losses were between £6,000 and £10,000 and per person.

The survey, says the ISACA security professional, shows the real risks that organisations are taking for failing to differentiate between employees’ working activities and obvious leisure activities in the workplace.

No one likes to be accused of being a scrooge by banning a little fun in the workplace, especially at this time of year, but the lack of security policies - and their enforcement - that is highlighted by this analysis is very worrying, he said.

It's against this backdrop that I advise employers to seriously consider the use of separate computers - isolated from the corporate IT systems where appropriate - for online shopping in the workplace during breaks and mealtimes, and for the issue of Web email addresses such as Gmail and Hotmail, exclusively for employee's leisure time usage, he added.

"Using this approach makes sound business and security sense, since it isolates the problem. Employers should also use IT security systems to enforce the rules, and so defend their company IT resources from a potentially devastating infection," he said.

"As our annual ISACA online shopping report clearly shows,  allowing staff relatively unfettered access to the Internet for shopping purposes in the workplace can be  dangerous. There is no point in employers taking unnecessary risks with their IT assets," he added.

For more on the topic of managing risky online behaviour in the workplace, download ISACA's  new free white paper, E-Commerce and Consumer Retailing: Risks and Benefits, at

With 95,000 constituents in 160 countries, ISACA® ( is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter:

Source: Eskenzi PR

This press release is presented without editing for your information only.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.