Survey: Millennials’ Online Holiday Shopping Habits Put Employers at Risk
Extensive shopping plus lack of security awareness make workplace vulnerable to spam and viruses
Rolling Meadows, IL, USA (13 November, 2008)—Four out of 10 Americans ages 18-24 will spend up to five hours shopping online using their work computer this holiday season. This same age group is the least worried about the vulnerability of their work computers, creating an increased risk of spam, viruses and phishing attacks in the workplace, according to the recent “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey conducted on behalf of ISACA, a global, nonprofit association of IT professionals.
The survey examined how much time employees will spend in November and December shopping online from work, how aware they are of online security, and whether they comply with employer policies for online shopping.
Overall, 63 percent of people of all ages surveyed plan to shop online during the holiday season from their workplace computers. Older Americans are less likely to shop from work than those in the 18 to 24 group, who make up the majority of “Millennials”—a demographic typically described as being more tech-savvy, more concerned about work/life balance and less loyal to their employers than other age groups.
Millennials were also found to worry less about the vulnerability of their work computer than their personal computer. Close to half (49 percent) pay more attention to the security of their home computer, whereas almost two-thirds of workers over age 25 are equally concerned with both.
“This survey clearly shows that younger employees are more likely to engage in online activities at work that put a business’s IT infrastructure at risk,” said Kent Anderson of ISACA’s Security Management Committee. “The fact that Millennials are planning to spend the equivalent of more than half a work day doing holiday shopping from their work computer, combined with their lack of concern for how secure their computer is, points to an urgent need for employee education.”
Anderson added that the key is to educate people of all ages on ‘why’ they need to care about security in addition to ‘how’ they should ensure their transactions are secure.
Providing a workplace e-mail address to an online retailer can leave a computer network open to a variety of threats and productivity wasters including spam, phishing attacks and viruses. Yet more than two in 10 (22 percent) respondents have clicked on an e-mail link to go to a retailer’s web site from their workplace computer and used their company e-mail address as the contact for a purchase. In addition, one in four (26 percent) respondents either does not check or is unsure how to check the security of a web site before making a purchase.
Cost of Holiday Shopping: $3,000 or More per Employee
These findings are reflected in a parallel version of the survey that was administered to IT professionals who are members of ISACA. According to responses, nearly half (46 percent) of US-based ISACA members believe their company is losing an average of $3,000 or more in productivity per employee from online holiday shopping at work.
More than half (55 percent) also reported that their company permits workers to shop online but has no strategy for educating them about the risks. More than 3,100 respondents across the US participated in the parallel survey in October 2008.
“With the economy in such a volatile state, people are working long hours and are facing increased pressure to succeed,” said John Pironti of ISACA’s Education Board. “The survey results show that there needs to be a common-sense balance between security awareness and employee compliance.”
Tips for Safer Holiday Shopping from the Office Computer
ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of backdoor “agents” that can hijack corporate data.
For online shoppers:
- Make sure web sites you connect to are using SSL encryption while you are entering personal information.
- Do not allow sites to save your username or password. Avoid providing your work email address as your contact information.
- Delete cookies from your computer after you are finished shopping.
- Use separate browser sessions for your holiday shopping versus your work-related browsing.
- If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations onto your work computer.
For the IT department:
- Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
- Tailor education programs to match the various demographics, attitudes and technology know-how of groups within the workplace.
- Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
- Make sure that patches are deployed, security functions are enabled, and firewall rules, intrusion detection system (IDS) signatures, and spam filters are updated regularly.
- Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.
About the ISACA Shopping on the Job Survey
The “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey is based on online polling of 973 consumers in late September 2008 and 3,191 IT professionals in October 2008. The study, which was designed to capture insights about online holiday shopping at work and employee compliance with workplace policies governing online shopping, was conducted by M/A/R/C Research and ISACA, respectively. The M/A/R/C study results contain a margin of error of 3.1 percent at the 95 percent confidence level.
About ISACA
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by more than 9,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.
Media Contacts:
Kristen Kessinger, +1.847.660.5512, kkessinger@isaca.org
Marv Gellman, Ketchum, +1.646.935.3907 (office), +1.917.446.0429 (mobile), marv.gellman@ketchum.com
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA