‘Tis the season to educate smartphone-bearing and tablet-toting employees about safe computing. That was the strongest message coming through in ISACA’s fourth annual Shopping on the Job Survey: Online Holiday Shopping and BYOD Security.
A poll of 1,224 US consumers conducted in late September 2011 found that shopping online for the holidays is up this year, with a 15-point increase in the percentage who say they will spend more time shopping online than in 2010. The numbers add up to 32 online shopping hours on average, with 18 of those spent on a work-supplied device or personally owned device also used for work activities—a trend commonly called “BYOD” for “bring your own device.”
A parallel online poll of more than 4,700 ISACA members from 84 countries in October 2011 reinforces these findings. The majority of respondents in the six regions (Africa, Asia, Europe, Latin America, North America and Oceania) believe that online shopping among employees will either remain at the same levels or increase this year. (BTW, thanks to everyone who took the time to respond to the survey.)
The approach to allowing employees to use IT assets for non-work purposes is mixed. More ISACA members in Europe, North America and Oceania say that their enterprises allow employees’ use of IT assets and time for personal purposes to promote work-life balance, while those in Asia, Latin America and Africa say that their enterprises generally restrict this practice due to security concerns. But almost all of them agree that the BYOD trend needs attention: five of six regions say the risk outweighs the benefits.
Why does it matter? As many IT professionals know, personally owned PCs or mobile devices that are also used for work purposes are usually more difficult to secure than work-issued devices and are often used for higher-risk online activities (like clicking on links on social network sites or downloading music files). Ultimately, this means that sensitive corporate information may be compromised if the employee’s device is lost, stolen or attacked by malware.
But the solution is not as obvious as banning personal devices at work or forbidding the use of work IT assets outside of the office. The BYOD trend is a perfect illustration of the balance that is continually needed between trust and value, and between risk and benefit. For many employees, one aspect of the perceived value in their enterprise’s information systems is the ability to access these systems anywhere, any time, and from any device. Establishing and demonstrating that these systems can be trusted means finding ways to secure them without imposing impractical restrictions that many employees will ignore or work around.
I believe we can find that balance. With the right governance frameworks, business unit support and employee communication, we can, in most cases, replace “restrict or limit” with “embrace and educate.” It is simply the latest evolution in the need to keep pace with the rapidly changing technology environment.
If you would like to learn more about this year’s Shopping on the Job survey and tips on how employees can manage their BYOD devices, please visit www.isaca.org/online-shopping-risk.
Ken Vander Wal, CISA, CPA
International President, ISACA and the IT Governance Institute