Online holiday shopping expected to cost employers average of $3,000 - or more - per employee in lost time
These findings are reflected in a parallel version of a survey that was administered to information technology professionals who are members of ISACA (Information Systems Audit and Control Association).
According to responses, nearly half (46 percent) of U.S.-based ISACA members believe their company is losing an average of $3,000 or more in productivity per employee from online holiday shopping at work.
More than half (55 percent) also reported their company permits workers to shop online but has no strategy for educating them about the risks. More than 3,100 respondents across the U.S. participated in the parallel survey in October 2008.
“With the economy in such a volatile state, people are working long hours and are facing increased pressure to succeed,” said John Pironti of ISACA’s Education Board. “The survey results show that there needs to be a common-sense balance between security awareness and employee compliance.”
Tips for safer holiday shopping from the office computer
ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of backdoor “agents” that can hijack corporate data.
For online shoppers:
1. Make sure Web sites you connect to are using SSL encryption while you are entering personal information.
2. Do not allow sites to save your username or password. Avoid providing your work email address as your contact information.
3. Delete cookies from your computer after you are finished shopping.
4. Use separate browser sessions for your holiday shopping versus your work-related browsing.
5. If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations onto your work computer.
For the IT department:
1. Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
2. Tailor education programs to match the various demographics, attitudes and technology know-how of groups within the workplace.
3. Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
4. Make sure that patches are deployed, security functions are enabled, and firewall rules, intrusion detection system (IDS) signatures, and spam filters are updated regularly.
5. Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.