Third AnnualThird Annual

Shopping on the Job: Shopping on the Job: ISACA’s Online Holiday Shopping ISACA’s Online Holiday Shopping

and Workplace Internet Safety and Workplace Internet Safety SurveySurvey

Third AnnualThird Annual

Shopping on the Job: Shopping on the Job: ISACA’s Online Holiday Shopping ISACA’s Online Holiday Shopping

and Workplace Internet Safety and Workplace Internet Safety SurveySurvey

Commissioned by ISACA (www.isaca.org)

November 2010

© 2010 ISACA.. All Rights Reserved.

Two Surveys in One

Two separate but related surveys make up the Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey.

• One survey was conducted with US consumers/employees.

• A second survey was conducted with business and IT professionals

who are members of ISACA, a nonprofit global membership

association, in all geographic regions.

Full details are available at www.isaca.org/online-shopping-risks.

Two Surveys in One

Part One—Consumers/Employees:

Determine online behaviors of US residents who use a work-supplied computer, laptop, netbook, notebook, tablet and/or smart phone to shop online, especially during the 2010 holiday season.

Learn about:•Extent of online shopping•Motivation for online shopping •Approach to security•Knowledge of and adherence to corporate IT policies

© 2010 ISACA . All Rights Reserved.

Two Surveys in One

Part Two—Business/IT Professionals Who Are Members of ISACA:

Determine attitudes and experiences of global IT and business professionals regarding their policies and expectations of employees doing online shopping on work devices.

•Survey results from 3,307 business and IT professionals who are members of ISACA in five geographic regions around the world. Results are available in the global aggregate or broken down by region at www.isaca.org/online-shopping-risks.

Key Takeaways

Consumer/Employee Survey:

•Employees will shop less, but take bigger risks online during the 2010 holiday season.

– Approximately half as many as last year (23 percent vs. 52 percent) plan to use a work-supplied device to shop online.

– They plan to spend an average of six hours shopping online (vs. 14 hours in 2009) using a work-supplied device.

– BUT, more people are doing activities that could put their employer at risk, e.g., clicking on links in e-mails (52 percent in 2010; 40 percent in 2009), providing work e-mail addresses to online shopping outlets (28 percent in 2010; 21 percent in 2009) and clicking on a link at social networking sites (19 percent in 2010; 15 percent in 2009).

(continued on next slide)

Key Takeaways

Consumer/Employee Survey (continued):

•Cost to the employer is estimated at US $1,000 or more per employee, with many IT professionals putting the number as high as US $15,000.

•Increase in the number of people who assume that the IT department is ensuring that their work-supplied computer or smart phone has the most recent security patches (41 percent in 2010; 30 percent in 2009)

•Increase in the number of people not concerned that online shopping at work may affect their organization’s IT network (24 percent in 2010;17 percent in 2009).

•The increasing use of mobile devices is making “shopping on the job” riskier.

•Almost half of those who will be shopping online with a company device will use a laptop, tablet, smart phone or similar device.

Key TakeawaysBusiness/IT Professional (ISACA Member) Survey:

• The IT mindset is shifting from prohibiting online shopping to setting limits. The number of organizations prohibiting employees from shopping online using a work computer has dropped to 11 percent. Instead, IT staffs are allowing use but setting limits: 49 percent limit online shopping using a work computer.

• Similarly, the number of organizations prohibiting employees from accessing social networking sites has dropped to 11 percent.

• 53 percent of respondents believe their organization loses US $1,000 or more per employee as a result of an employee shopping online during work hours in November and December. Almost one-fifth put the number at US $15,000 or higher.

• For mobile devices, an overwhelming majority (84 percent) ranked the risk of using a mobile shopping application on a work-supplied device as high or moderate. Despite that, 42 percent allow employees to use work-supplied mobile devices for personal use and 41 percent use their own mobile devices for work.

Key Takeaways

Why are more employees taking risky actions online?

Organizations are doing a better job of educating employees about computer security, but that may be creating complacency, causing employees to assume that IT can handle all security breaches.

ISACA’s survey found that 25 percent of people are not concerned that their online shopping behavior may affect their organization’s IT network. This shows that educating employees about security needs to be ongoing and that it needs to gain the employee’s personal buy-in.

Key Takeaways

Online Shopping Risks:•Social engineering and phishing attacks, malware and information breaches that can cost companies thousands per employee to correct, millions in compromised corporate data and severe damage to their reputation

Mobile Device Usage Risks:•The same social engineering and phishing attacks, plus “mobile malware” and data breaches due to lost or stolen devices

Key TakeawaysHow should organizations address these risks?

Organizations should use an “embrace and educate” approach. They should apply proper risk management and implement security controls to mitigate the risks of phishing attacks, malware and data breaches. All of this needs to be supported by workplace communications and education.

A ban of mobile devices is usually not effective. Mobile technology can offer enterprises a range of highly valued benefits, from increased productivity to improved employee morale to better customer service. Organizations should create an easily understood and executable policy that protects against risks related to leaking confidential data and malware. This policy should also take into account the growing “personalization of IT”—i.e., the fact that many employees are using their own mobile devices for work activities.

Compare Consumer Results

Changes Between 2009 and 2010 Surveys:•Fewer people are shopping online in 2010, but those who are doing it are taking bigger security risks and are less concerned about their own role in reducing risk.•Approximately half as many plan to use a work-supplied device to shop online (23 percent in 2010 vs. 52 percent in 2009).•Average amount of time shopping online on work devices is six hours (vs. 14 hours in 2009).•More people are taking risky actions—clicking on an e-mail link (52 percent in 2010; 40 percent in 2009); clicking on link on social networking site (19 percent in 2010; 15 percent in 2009); using a work e-mail address (28 percent in 2010; 21 percent in 2009).•More people assume the IT department is ensuring that their work-supplied computer or smart phone has the most recent security patches (41 percent in 2010; 30 percent in 2009).

Methodology

For Part One (consumer/employee version) of the survey: •ISACA included 10 questions in a weekly national omnibus conducted by M/A/R/C Research.

•The survey was fielded online between 27 September and 4 October 2010.

•The total sample was 2,853 respondents; 638 qualified for the survey based on having shopped online using employer computers.

•Study results have a margin of error of 3.9 percent at the 95 percent confidence level.

Methodology

For Part Two (IT/business professionals who are ISACA members) of the survey:

•A related online survey was conducted by ISACA between 27 September and 4 October 2010 among 3,307 ISACA members in North America, Central/South America, Europe, Asia and Oceania.

ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Contact for further information: news@isaca.org

www.isaca.org/online-shopping-risks