HONG KONG (1 November 2011) — With more freedom given to employees for shopping online and accessing daily deal and social networking sites (SNS), such as Groupon and Facebook, with a work-supplied computing device, IT professionals in China and Hong Kong anticipate that employees will do more holiday online shopping at work this year, increasing risk to the enterprise, a new survey finds.
The global 2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security survey, conducted among more than 4,700 business and IT professionals who are members of nonprofit IT association ISACA, shows the current attitudes and behaviors related to the risk and rewards associated with online shopping and the use of personal and work devices around the world.
4 in 10 IT professionals estimate that employees will spend an average of more than 12 hours shopping online during work hours
More than 50% of respondents in China and Hong Kong predict that employees will do more online shopping during work hours this year. More than half also predict that employees at their enterprises will spend more than six hours shopping online using a work-issued computer during the holiday season (November and December) and another six hours or more using a personal computer or smartphone during work hours.
In China and Hong Kong, 34% of respondents state that their enterprises allow employees to shop online, and an additional 26% allow it with some restrictions. Nearly 40% allow them to access SNS or daily deal sites using a work-supplied device, with another 23% allowing it with restrictions. Respondents in the US say their enterprises are more likely to prohibit or limit access to SNS and daily deal sites, as well as limit the use of work-supplied mobile devices for personal use.
“The survey shows that companies in Hong Kong and China tend to have more flexibility regarding the use of work-supplied devices for personal purposes, such as online shopping and social networking, compared to other parts of Asia and the United States. It is positive that organizations here are taking an ‘embrace and educate’ perspective, which allows them to get the benefits of using the technology available, while equipping employees with the training and awareness needed to minimize security incidents,” said Michael Yung, president of the ISACA China Hong Kong Chapter.
In some areas, the results are more similar. For instance, respondents in the US, China and Hong Kong, and the entire Asian region all reported that the following three activities pose a high risk to the enterprise:
- Clicking on an e-mail link to access an online shopping site from a work-supplied computer or smartphone;
- Downloading personal files, such as music and pictures, onto a work-supplied computer or smartphone;
- Losing/misplacing a work-supplied computer or smartphone.
“To make sure that access to SNS and daily deal sites, as well as online shopping, are done safely with work-supplied devices, employees should be very careful with the company information on their devices, password-protect the devices, and ensure that the security tools and processes protecting the work-supplied devices are kept up to date,” said Yung. “From the IT department side, promoting awareness of the security policy is always key for effective risk management. It is also important to use secure browsing technology, encrypt data on devices, and take advantage of some of the industry best practices and governance frameworks like the Business Model for Information Security (BMIS).”
Additionally, 28 percent of both US respondents and those in China and Hong Kong say that their enterprise prohibits the use of personal mobile devices for work purposes—a trend known as “bring your own device” (BYOD). Respondents in both areas say that the risk currently outweighs the benefits, but as employers increasingly allow BYOD, it is critical for IT professionals to put the proper controls in place to mitigate the risk. Information on securing mobile devices is available at www.isaca.org/mobiledevices.
About the 2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security
The ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security, now in its fourth year, helps gauge current attitudes and organizational behaviors related to the risk and rewards associated with online shopping, and the blurring boundaries between personal and work devices. The study is based on October 2011 online polling of 4,740 ISACA members from 84 countries, including 82 members from China or Hong Kong. A separate online survey was fielded among 1,224 US consumers by M/A/R/C Research between 27 September and 30 September 2011. At a 95 percent confidence level, the margin of error for the total sample is +/- 2.8 percent.
About ISACA
With 95,000 constituents in 160 countries, ISACA is a leading global provider of knowledge, certifications, community, advocacy, and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Contact:
ISACA
Kristen Kessinger, +1.847.660.5512, news@isaca.org
Joanne Duffer, +1.847.660.5564, news@isaca.org
Ketchum Hong Kong
Carl Wong, +852.3141.8083, carl.wong@knprhk.com
Yvonna Law, +852.3141.8095, yvonna.law@knprhk.com