ISACA Survey: Online Holiday Shopping Puts Hong Kong Businesses at Risk
Extensive shopping plus lack of security awareness make workplace vulnerable to spam and viruses
HONG KONG--(BUSINESS WIRE)--According to a recent survey by ISACA, an international nonprofit organization that provides professional advice to businesses on best IT governance and security practices, the integrity of Hong Kong companies’ IT investments is at risk as the Christmas and New Year holiday season approaches and employees spend an increasing amount of time shopping online. The net result is an increased risk of spam, viruses and phishing attacks in the workplace, which makes companies’ IT structures more vulnerable and undermines their overall business success.
According to this survey, entitled “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety”, 42 percent of Hong Kong employees are likely to spend two or more hours shopping online using a work computer between November and December. Yet more than half (54 percent) of the respondents’ companies do not educate their employees about the risks that online shopping can pose to their companies’ IT security. While approximately 60 percent of the companies said they have no security measures in place to prevent employees from shopping online at work, more than 55 percent of these companies think their employees do not fully understand the risks to which they are exposing their companies by shopping online from their workplace computers.
“Clearly, more can be and should be done to educate employees, business managers and IT planners about the risks that online shopping at work brings to businesses in Hong Kong. From our perspective, both IT security structures and users’ awareness or consciousness of the risks they are facing are equally important against IT security threats,” says Vincent Chan, president of ISACA’s Hong Kong chapter. “Sensible IT investment, governance and protection are instrumental to business success. Companies are now more cost conscious given the current global business environment, and because of this they need to be even more prudent about protecting their IT investments.”
The ISACA Hong Kong survey was conducted concurrently with similar surveys with consumers and ISACA members in the U.S., and the results from the Hong Kong survey largely reflect a similar pattern among U.S. businesses regarding their lack of awareness or attention toward the risks of online shopping at work.
Tips for Safer Holiday Shopping from the Office Computer
Providing a workplace e-mail address to an online retailer can leave a computer network open to a variety of threats and productivity wasters including spam, phishing attacks and viruses. ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of backdoor “agents” that can hijack corporate data.
For online shoppers:
1) Make sure web sites you connect to are using SSL encryption while you are entering personal information.
2) Do not allow sites to save your username or password. Avoid providing your work email address as your contact information.
3) Delete cookies from your computer after you are finished shopping.
4) Use separate browser sessions for your holiday shopping versus your work-related browsing.
5) If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations onto your work computer.
For the IT department:
1) Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
2) Tailor education programs to match the various demographics, attitudes and technology know-how of groups within the workplace.
3) Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
4) Make sure that patches are deployed, security functions are enabled, and firewall rules, intrusion detection system (IDS) signatures, and spam filters are updated regularly.
5) Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.
About ISACA
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by more than 9,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.
