Popular sites such as Facebook, LinkedIn and Twitter have had a phenomenal impact in the workplace – both as a corporate channel for communication and marketing, as well as a vehicle for employees to communicate both professionally and personally.

The latter is a key point.  According to a new survey conducted by Trend Micro, employees increasingly are using social networks while in the office and on the clock.

It is debatable how much the rise in social networking has compromised employee productivity, but it’s indisputable that much of this activity is occurring in the absence of formal policies.

“In its simplest terms, there is anarchy in the absence of social media policy and training,” says John Pironti, ISACA board member and president of IP Architects, LLC.  “Without proper direction and clarity, it is hard to enforce appropriate consequences on someone.”

Because of this anarchy, organizations are starting to take action.  Fear of compromised productivity, reputational damage, data loss and inappropriate behavior is leading many employers to introduce strict controls on staff access to social media sites.  Robert Half Technology, an IT staffing company, recently reported that 54 percent of U.S. companies have banned workers from using social networking sites while on the job.  The study found that 19 percent of companies allow social networking use only for business purposes, while 16 percent allow limited personal use.

ENTIRE ARTICLE (Click Here)

But they’re also struggling to rein in potential problems.  Employers cringe at the thought of employees revealing proprietary information, hackers making mischief or a roomful of workers busy reconnecting with old high school friends on Facebook instead of doing their jobs.

The ubiquity of social networking – 77 percent of workers have a Facebook account, for example, and 61 percent of those access Facebook on the job, according to Boston-based Nucleus Research – complicates matters.

Nucleus Research last July estimated that on-the-job use of Facebook alone costs companies 1.5 percent of total employee productivity.

Policies on employee use of social networks are all over the map, from total bans on Internal access to no policy at all.

A 2009 survey by the Minneapolis-based Society of Corporate Compliance and Ethics found that just one in three businesses have a general policy for employee online activity including use of social networks.

“Most (employers) are playing catch-up on this,” said Alden Parker, an employment attorney at Sacramento law firm Balsam Parker.  “You have to make sure that you’re not losing employee hours to these time-sucking activities.”

ENTIRE ARTICLE (Click Here)

You may be a champ at Mafia Wars and Farmville, but what do you know about the security risks of social media sites?

The collaboration and sharing made possible by Web 2.0 technologies also bring along a specific set of risks. In Slapped in the Face: Social Networking Dangers Exposed, security researchers Nathan Hamiel and Shawn Moyer explain how attacks are made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other types of information with little effort.

“Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them,” Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

In this guide, we outline the many risks posed by social media sites and social networks, and how to keep yourself and others from falling victim to a scam or security hole.

• How common are scams and hacks on social networks?
• What are the most basic risks involved?
• Give me some examples of this type of scam.
• If my company allows employees to use social media and access networking sites, should we have a social media security policy in place?
• New scams and threats pop up all the time. How can employees stay on top of these new concerns?

How common are scams and hacks on social networks?

In 2009, Facebook officials announced they had surpassed 300 million users. Twitter claims to have 6 million unique monthly visitors and 55 million monthly visitors. With that kind of reach, it’s not surprising that criminals view these sites as a great venue for finding victims. As a result, security stories about Twitter and Facebook have dominated the headlines in the past 12 months. In one high-profile story from 2009, hackers managed to hijack the Twitter accounts of more than 30 celebrities and organizations, including President Barack Obama and Britney Spears (See: Hackers Hijack Obama’s, Britney’s Twitter Accounts. Hacked accounts had been used to send malicious messages, many of them offensive. According to Twitter, the accounts were hijacked using the company’s own internal support tools.

Twitter has also had problems with worms as well as spammers who open accounts and then post links on popular topics that actually link to porn or other malicious sites. Facebook, too, is regularly chasing down new scams and threats.

Both sites have been criticized for their lack of security, but have made improvements in recent months. Facebook, for example, now has an automated process for detecting issues in Facebook users’ accounts that might indicate malware or hacker attempts. The site also recently announced a partnership with security software vendor McAfee aimed at improving security for Facebook users. See: Facebook, McAfee Team on Facebook Security Effort.

What are the most basics risks posed by social media and social networking?

Password sloth is a simple and prevalent mistake by users of social networking sites. As described in Seven Deadly Sins of Social Networking Security, password sloth refers to using the same password on all sites—if that password is discovered via a hack or accidental leak on one site, it provides hackers a way into all the other sites. In a worst case scenario, it might mean a Twitter password hack gives someone the key to your online banking account.

Plain old TMI—too much information. It’s a great idea to let your neighbors know you’re headed out on vacation so they can keep an eye on your house or apartment. It’s NOT a great idea to post those vacation plans on public Internet sites. It’s also not a great idea to freely reveal lots of personal details&your birthday, your town of birth, your family tree—as that information can be used for identity theft.

(continued)

Your personal brand is another thing to consider in your online interactions.

Don’t engage in “Tweet rage”. Scott Hayes, president and CEO of Database-Brothers Inc., notes that “Posting any content when angry is about as dangerous as sending flaming emails, if not more so. Think twice about clicking ’submit’ because the world may be looking at your angry, immature rant for years.”

That include present and potential future employers, your parents, your kids, your co-workers. Think before you post.

Another risk to consider is your company’s brand and reputation. Can you be sure your employees aren’t leaking data, either intentionally or unintentionally, on social network sites? Can you be sure they are not disparaging your brand? According to legal expert Michael Overly, new FTC guidelines that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites, as well as personal blogs, and other sites  even if the company had no actual knowledge those statements were being made. See Overly’s blog for more information on the new rules.

Then there is a big set of risks that we can put under the general heading of scams. These are active attempts by bad guys to get you to do one of two things:
- Share information you shouldn’t (passwords, sensitive data, company secrets) or
- Click on a link you shouldn’t (because it leads to a website infected with malware).

Give me examples of this type of scam.

In 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid we outline many examples of the types of come-on scammers use, including:

Secret details about Michael Jackson’s death!
People love gossip and celebrity news is always a hit. These scams often claim to have secret information on a celeb and include links that actually lead to malicious sites or that install malware onto a computer.

I’m trapped in Paris! Please send money.
Known as a 419 scam, fraudsters break into Facebook accounts accounts and then message the victims “friends” asking for money.

OMG! Did you see this picture of you?
Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user’s interest and then directs them to a fake login screen.

(continued)

Test your IQ
Facebook members often add quirky applications that allow them to take quizzes and fill out polls. One recently caused members to unwittingly subscribe to a text messaging service that cost approximately $30 a month.

Join State University’s Class of 2013 Facebook group
A college guide book publisher called College Prowler was recently criticized for creating Facebook communities for students in the class of 2013 that appeared to be organized by their college or university, but were not.

Tweet for cash!
This scam takes many forms. “Make money on Twitter!” and “Tweet for profit” are two common come-ons security analysts say they’ve seen lately.

Ur Cute. Msg me on MSN
The sexual solicitation is a tactic spammers have been trying for many years via email, said Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. In the updated version of this ruse, Twitter “tweets” that feature scantily-clad women and include a message embedded into the image, rather than in the 140-character tweet itself.

Protect your family from swine flu
Bad guys will always take advantage of what is in the headlines, such as the world’s concern over swine flu, to snare unsuspecting users. These days it is even easier for a user to end up clicking on a bad link looking for news because of the prevalent use of the shortened URL (See: New Spam Trick: Shortened URLs).

Mike Smith commented on your post!
Reading friends’ comments is one of the major features of Facebook. But some malicious applications have names such as “Your Photos” and “Post” and begin with a notification that someone has “commented on your post.” However, once the user clicks on that notification, they are lead to a harvesting site called “fucabook.com” which looks like a Facebook log-in page and asks users to enter their log-in information in order to “enjoy the full functionality” of the application. It then steals that log-in information and then spams friends.

Amber alert issued!!
This one is not so much as scam as it is a hoax. Amber alerts are pasted into status updates that turn out to be untrue.

If my company allows access to social media sites, should we have a social media security policy in place?

IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, surveyed companies in 2008 and found most did not have a security policy in place with regard to social media. But the same survey conducted just a year later in 2009 turned up a dramatic increase. Policies might touch upon appropriate usage of social media and networking sites at work as well as the kind of conduct and language an employee is allowed to use on the sites.

“We saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies,” said Jack Phillips, IANS co-founder and CEO.

Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. The take away, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives.

Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. He gives security pros tips in 4 Tips for Writing a Great Social Media Security Policy. The include:

1. Don’t start from scratch
The media landscape is so dynamic that if you create policy for today’s hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies.

2. Use social media policies to raise security awareness
“This issue is an opportunity for info sec leaders to refocus attention on information security and risk management, said Phillips.

(continued)

3. Use social media access to raise security’s positive profile within the organization
While the initial security reaction to new media is often to block, Phillips said most organization now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective.

4. Be prepared for the next phase
As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entire new policies around social media doesn’t make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific.

New scams pop up all the time. How can employees stay on top of these new threats?

The threats posed by social media and social networks are ever evolving, so it’s important to keep users up to date on what the latest and greatest “come-ons” might be as part of a solid security awareness program. In 9 Dirty Tricks: Social Engineers Favorite Pick Up Lines we lay out some of the underlying tactics seen on social networks. And, to help users identify what THEY might be doing wrong, mistakes folks make using social networks are outlined in Seven Deadly Sins of Social Networking Security.

As with many security slip-ups, the mistake, and the lesson that needs to be learned, often goes back to the individual. As Peter Soderling points out in Why a Twitter Hack is NOT a Cloud Security Wake-up Call, many of the hacks that take place on these sites are the result of weak passwords. Check out these tips for How to Write Great Passwords for great advice to give users when it comes to creating secure log-in credentials.

ENTIRE ARTICLE

By Joan Goodchild, CSO
June 16, 2010 03:52 PM ET

How many minutes, or hours, did you spend on Facebook today? Even if you spent just a few minutes on the popular social networking site during office hours, you’re not alone. Data from Nucleus Research finds 77 percent of workers who have a Facebook account use it during work hours.

Sports events, online games, and entertainment sites, many of which cross the line between interesting and inappropriate, are all common distractions in today’s office. It’s not that these things are entirely new, but the Web 2.0 era–think social networks, URL shortners, video sites and more–presents wrinkles that require rethinking acceptable use policies.

iTunes and Facebook: Productivity versus personal use

Studies reveal a great deal of employee internet use is for personal, not professional, reasons. As much as 40 percent of internet surfing done during work hours is personal, according to IDC Research.

This isn’t news to Kevin Quinlan, senior director of IT for restaurant chain Bertucci’s. Quinlan is a realist. His policy is to allow employees six 15-minute slots each day to log on to websites for personal use and fun; that includes Facebook, Twitter, or any other site they want to see (within reason).

“People should be allowed to do what they want on their breaks,” he said. “Coming into the office shouldn’t be a bad thing. I know what I like to do when I’m using my computer. I don’t want to set rules I can’t follow myself.”

Also see The 7 deadly sins of social networking security

Quinlan is one of a growing number of managers at companies that find new ways of communicating, and younger employees that demand access to varied online content, are leading to a redefining of acceptable computer use in the workplace. Research from security firm Clearswift found 79 percent of workers in several countries around the globe value being trusted to manage their own time, and being trusted to use the Internet as they wish, over pay. Additionally, 62 percent of employees feel they should be able to access web/social networking content from their work computer for personal reasons in order to complete personal tasks.

In fact, many said they would decline to work at a company with anti-Facebook restrictions.

This creates a dilemma on several levels for organizations. There are the implications for productivity, but also the potential security risks that are posed when employees are given free rein to surf the web as they wish.

For Quinlan, the changing tide arrived a few years ago as the iPod crazed touched off and he found scores of employees downloading iTunes onto company computers without his consent. Not malicious activity on the part of the employees, he notes, but activity that was messing up his network.

“I had issues with remote users saying ‘Oh, I can’t connect anymore.’ I was trying to chase down the problem and finally discovered some piece of software iTunes was running was knocking out our VPN connection every 15 minutes.”

That launched a new realization for Quinlan, and he started using Bit9’s Parity Suite, several products that control unauthorized software and malware from running on endpoints, while still allowing workers to have access to a range of web content.

“When we hire folks, they have a session with the network administrator and they sit down and go over what you can do on your computer, what the policies are,” he explained.

Goal! Keeping workers on task through major sporting events

With the World Cup kick-off this month, managers around the globe are bracing for what is expected to be an inevitable drain on productivity. In the U.K., which tends to have many more soccer fans than the U.S., productivity losses tied to the World Cup could total approximately $1.45 billion, according to Chartered Management Institute.

The same story usually gets told every March in the U.S. The annual NCAA tournament rolls around and many offices form betting pools and employees monitor games and statistics from their desks. An annual report from firm Challenger, Gray and Christmas claims employees waste about 20 minutes each workday researching teams online, talking to colleagues about their picks, and watching online and TV broadcasts of the games during work hours.

But it’s not the games that concern Michael Counes, Director of Information Technology & Education for the Hanley Center, a non-profit addiction recovery center in Florida, where patient data privacy is of the utmost importance. Social networks are today’s biggest time suck, but he has so far resisted removing access to them.

“We don’t want to take that away from them. But we dont want them to spend all day on social media sites. We want them to use it as a tool on their break. If someone is spending all day on Facebook, it’s hard to believe the rest of the job is getting done.”

Also see “Employee monitoring – good for the employee?”

Counes does not block any sites, but uses a product from SpectorSoft called Spector 360 to monitor employee computer activity, which he says can get as granular as logging keystrokes of typing and goes as broad as a general report of a worker’s internet visitation for the month. He has seen a 15-17 percent increase in productivity since he began using the product, and employees learned they were being monitored.

“Once you talk to five people in the organization, it’s like a virus,” he said. “People learn that ‘These guys are serious, they really do look at what is going on.’”

Even so, companies find that drawing a hard line isn’t as clear-cut as it used to be. Streaming sports video might be verboten, but what about score updates? If those alerts are outlawed from company PCs, can employees check the scores on their mobile phones? Productivity-wise, is that any different than keeping the sports section in the restroom?

YouTube, URL shorteners, and “gentlemen’s” sites

It’s probably obvious to most that surfing for pornography at work isn’t OK. Despite ever-more-advanced monitoring capabilities, however, porn viewing on the job is still quite common. Research conducted in March by media-information firm Nielsen Co. found that almost 30 percent of employees have visited an adult site using a computer at work; and 20.6 million Americans visited an adult site from a work computer an average of 8.1 times in a month, according to Nielsen.

Other research also bares out the enormity of inappropriate surfing and downloading at work. According to a survey by the American Management Association and the ePolicy Institute, 60 percent of e-mail users admit to having sent e-mail with adult content at work. A survey commissioned by email management company Proofpoint found out that a third of office workers claimed to have watched inappropriate content on their office computers.

A government report released earlier this year found many Securities and Exchange Commission employees were found to have viewed pornography at work–while the financial crisis was unfolding. One senior attorney at SEC headquarters in Washington spent up to eight hours a day accessing Internet porn, according to the report.

Counes said despite the monitoring he does, he has seen this kind of activity and needed to take action.

“Not everyone believes you have the ability to do what you say you can do. There have been cases where I’ve intervened in ways of a higher punitive level than a stern talking-to,” he said. “But for the most part it’s been the exception, not the rule.”

Of course, there are many web sites out there that aren’t technically pornographic, but feature material that managers may be less than pleased to see if they walk by a desk and catch a glimpse of the computer screen.

Maxim.com, for instance, bills itself as a site for men that features “hot girls, sexy photos & videos.” Nude-pictures pioneer Playboy is set to launch TheSmokingJacket.com, a site that will exclusively include content that is “safe for work,” according to the advertising.

As for his company, “most managers here feel it’s to be left at home in the gray situations and is not part of Hanley Center mission vision and values,” said Counes.

Even closer to the mainstream, plenty of music videos on YouTube tiptoe on the lines of propriety. Lady Gaga’s videos may be offensive to one employee, but no problem for others–what about slightly less controversial pieces by Beyonce or Miley Cyrus?

Even in the case of obvious pornography, today there is a more realistic chance that an employee might accidentally see questionable images unintentionally. Shortened URLsin Twitter tweets and elsewhere obscure the actual content of the link. Etiquette on social media sites such as Digg dictates that questionable links and images should be labeled “NSFW”, but compliance is less than 100 percent.

It’s also possible to happen upon a malicious site that loads porn images, unbeknownst to the user.

“We treat each case individually as an opportunity to educate,” said Counes. “There are lines in the sand like anything else, but most are left to managers discretion outside the obvious severe violations.”

Also see CSOonline.com’s Security Tools and Templates page for sample acceptable use policies

At the end of the day, said Counes, he believes most of what employees do is with good intent. Anything they do wrong is usually the result of a lack of knowledge, as opposed to malicious intent. He believes the monitoring he does serves more as an education tool than a “Big Brother” scare tactic, and employees get that.

“As long as you maintain strong education and advocacy, they understand that the bottom line is to serve the client.”

All contents copyright 1995-2010 Network World, Inc. http://www.networkworld.com

ENTIRE ARTICLE

Mark Ruquet with National Underwriter writes that oversight of employee Internet use is important to protect an independent insurance agency from computer viruses, legal exposures and time wasting, according to an industry expert.

Chris Borchert, business development executive with iPrevision, made his comments during the 34^th annual AMS Users Group meeting, now called Network of Vertafore Users Group (NetVU).

Mr. Borchert, whose firm is an Internet security solutions provider based in Yorba Linda, Calif., reviewed how susceptible today’s producer technology systems are to outside attacks.

He said studies show that employees can spend a lot of work time – as much as two hours of company time – on personal Internet browsing, which can amount to an average of close to $5,500 in lost productivity.

However, many employers may not realize that there are legal liabilities that such activity can expose them to, he said.  Also, activity on these sites can inadvertently expose the company’s network to viruses and malware that can infect a single computer or the entire agency system.

ENTIRE ARTICLE

When an employee connects to the Internet, your company is exposed to these four threats:

- Productivity Threats: Just 20 minutes of recreational surfing a day can cost a company with 30 employees over $1000 per week (at $25/hr per employee).

- Legal Threats: Employees can sue if you don’t provide a work environment free of gender and minority harassment.  This means taking reasonable care to block offensive Internet content.

- Network Threats: An employee can crash your network just by logging into the wrong website.  Other activity like recreational surfing and downloading MP3 files can divert valuable bandwidth from critical business needs.

- Security Threats: Viruses enter networks through a variety of sources, such as web-based email, Instant Messenger file transfer, email attachments or through other files directly downloaded from a website.

ENTIRE ARTICLE

By: Staff Writer

Over the past decade, there has been a technological revolution in the workplace as businesses have increasingly turned to technology as the primary tool to communicate, conduct business, and store information.  As the use of technology has increased, so has the concern of employers that their technology resources may be abused by employees.  As a result, companies have developed various “computer conduct” policies and implemented strategies to monitor their employees’ use of e-mail, the Internet, and computer files. National surveys have reported that many companies are engaged in such practices. Federal and state laws and judicial decisions have generally given private sector companies wide discretion in their monitoring and review of employee computer transmissions, including the Internet and e-mail. However, some legal experts believe that these laws should be more protective of employee privacy by limiting what aspects of employee computer use employers may monitor and how they may do so. 

No matter where people stand on the issue of privacy, one thing continues to be critical in the courts, in the media and in the work place.  Employers are expected to clearly communicate the organizations position to employees as it pertains to employee conduct and privacy.

As an employer, one of the challenges has been keeping up with written policies that describe and make clear what the employee should know about the organizations expectations of technology use when the technologies available change at such a rapid rate.  Many organizations have an “Email Policy” an “Internet Use Policy” a “Communications Policy” and often a general section outlining general office technology use in an “Employee Handbook”. 

The situation above has developed because organizations tend to layer additional policies as new technologies present themselves in the work place.  As a response to this situation, more and more organizations are creating a single “Technology Use Policy” that pertains to all of the various technologies and communication mediums in the organization. 

There is now a broad enough understanding of the interaction between employees and the internet enabled world to refine the employer’s expectations in a single “Technology Use Policy” that will address elements such as email, webmail, web surfing, telephone/cell phones, social networking sites (i.e. Facebook, YouTube, Twitter etc.), Blogs, instant messaging (IM) and texting.

The courts, specific industry associations and experts agree that establishing a comprehensive policy on employee technology use is incomplete without strategies to disseminate the information. Experts pointed out that informing employees about these policies not only established the limits of employee expectations about privacy but also allowed the employee the opportunity to conform their behavior to the circumstances of having limited privacy.  Don’t allow your organization to send conflicting messages to employees because technology specific policies have been layered on top of each other as new technologies make their way into the work place.  Focus on replacing multiple policies with a single “Technology Use Policy”.

Lora Bentley

Social networking is part of the new normal in business, according to Gartner. Understandably, not every company can go so far as, say, Zappos.com or Southwest Airlines in their enthusiasm. But it’s also not smart to ignore it. At some level, employee use of social networking tools should be addressed and a policy adopted.

In fact, just a couple of weeks ago, a friend noted that he had attended a seminar on social media in business and found it very helpful. One of the attorneys who presented that seminar is Mitzi Wyrick, from the Louisville offices of Wyatt, Tarrant & Combs. After looking at the slide deck my friend sent my way, I contacted Wyrick. Tuesday, I got the chance to speak with her.

Essentially, she said, employers have two choices when it comes to employee use of social networking tools on company time: They can ban it completely, or allow it and decide how they’re going to regulate it.

“In some ways I think it’s easier to treat social networking use the same way the company treats employee Internet use,” she told me. “If they’re allowed to use it, as long as they’re not using it excessively, social networking shouldn’t be any different.”

But there are certain things companies should be mindful of when creating their social networking policies. They want to protect their intellectual property, so employees shouldn’t be posting about things they’re working on, Wyrick said. Policies should also prohibit harrassment or discrimination against other employees, as well as posting “anything that would cast the company in a bad light.”

Once the policy is created, employers should communicate it to employees. Post it in the breakroom, include it in the employee handbook, distribute it separately in a memo or a letter. And have employees sign to acknowledge that they’ve received it and read it. That way, Wyrick said, you avoid situations later where an employee says he doesn’t understand why you’re disciplining him since he didn’t even know there was such a policy.

After the policy has been created and communicated, it must be consistently enforced. It does no good to have a policy if some violations have consequences and others do not. Not that someone has to devote all of his or her time to monitoring employee activity on different social networking sites. In fact, Wyrick said she wouldn’t recommend that. But once the company becomes aware of a post that violates company policies, it must be addressed in accordance with the policy. Then, the second (and third, fourth, etc.) time that kind of violation occurs, it must be addressed in the same way as the first.

ENTIRE ARTICLE

Shoppers spent about $900 million Monday not by going to the mall but by pointing a computer mouse and clicking from the comfort of their desks. Undoubtedly, many of those sales on what retailers bill as Cyber Monday came from workplace computers on company time, raising the uncomfortable question: Was anyone actually working on Monday?

With online sales growing steadily each year, the Internet has become a regular venue for Christmas shopping for many. And the omnipresence of desktop computers has made it possible to shop without ever leaving the office.

Many are doing exactly that, found the Information Systems Audit and Control Association, an information technology trade group. Employees will spend on average, nearly two working days – 14.4 hours – shopping from a work computer this holiday season, its survey of more than 1,200 consumers found. Ten percent plan to spend at least 30 hours browsing the Web pages of retailers while at work.

That’s great news for online retailers such as Amazon, Macys.com and Bestbuy.com, but not so great for the companies those shoppers work for. A separate survey by the same group found that a quarter of information technology professionals estimate their company will lose $15,000 or more per employee in productivity during the holiday season.

Online shopping can also lead to viruses, spam and phishing attacks that can invade workplace computers.

“It’s unrealistic to think that companies can stop the use of work computers for online shopping,” said Robert Stroud, the trade group’s vice president.

That doesn’t mean they won’t try to keep a lid on all the cybershopping. But policies on personal use of the Internet at work generally vary by size of the employer, said Kelly Schoening, a lawyer with Crestview Hills-based law firm Dressman Benzinger Lavelle. “The smaller they are, the less likely they are to have a policy or the looser they are about it,” Schoening said.

Some large companies forbid any personal use of the Internet, and some have the technology and manpower to monitor employee Internet use, she said. “I have one client who monitors all usage,” she said. “I encourage employers to do it.”

But the policies of large employers vary. Procter & Gamble says it has no policy forbidding personal use of the Internet as long as it doesn’t interfere with productivity.

The region’s largest employer, University of Cincinnati, has a policy that states “university resources may only be used for official university business and not for personal gain or convenience.”

Most firms allow limited personal use on work computers during free time or before or after work, said Mary Spadaro, a manager with Employee Management Services, which handles human resources administration for other companies.

Some stretch that into company time, she said. “The reality is, employees are going to be on the Internet,” Spadaro said.

“Especially with small- to mid-sized companies, they don’t really monitor because they don’t have the resources,” she said.

One small company that does is Bottom Line Systems of Crescent Springs. The health care consulting firm uses Internet tracking software and can block Web sites, said Lynette Koenig, human resources manager. But it can only do that for about half of its 180 employees. The rest work offsite. “We’re pretty much on the honor system there,” she said.

Some employees may be counting on the cluelessness of their IT department. The trade group survey found that IT staffers estimated employees would spend only nine hours shopping on their work computers, 37 percent less than what the employees actually said they would spend.

ENTIRE ARTICLE

 

Rolling Meadows, IL, USA (21 October 2009)—Employees plan to spend nearly two full working days (14.4 hours) on average shopping online from a work computer this holiday season, according to a survey conducted on behalf of ISACA, a nonprofit association of 86,000 information technology (IT) professionals. One in 10 plans to spend at least 30 hours shopping online at work. Convenience (34%) and boredom (23%) are the biggest motivators, according to those polled.

Despite an economy expected to show flat or declining holiday retail sales, the second annual “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey found that fully half of those surveyed plan to shop online for the holidays using a work computer. Less surprising is a growing uncertainty—the number of employees who are unsure about whether they will spend more or less time shopping online compared to a year ago has doubled.

The potential danger of shopping online is that it can open the door to viruses, spam and phishing attacks that invade the workplace and cost enterprises thousands per employee in lost productivity and potentially millions in destruction or compromise of corporate data.

Employees who shop online using a work computer are also likely to engage in other high-risk behaviors. Survey participants also bank online (51%), click on e-mail links redirecting them to shopping sites (40%) and click on links from social network sites (15%). Yet nearly one in five says they are not concerned that their online shopping habits may affect the safety of their organization’s IT infrastructure.

“With the Internet now available to almost any employee in the workplace, it’s unrealistic to think that companies can completely stop the use of work computers for online shopping,” said Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “What companies can and should do is educate employees about the risks of online shopping and remind them of their company’s security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing.”

Upwardly Mobile Shopping
This survey also found that more than one in 10 Americans who use a mobile work device such as a BlackBerry or iPhone plan to use it for holiday shopping. The increasing use of mobile work devices for personal business such as shopping can lead to additional security issues and exposure to data loss for a company.

“The lines between work and personal data are becoming more and more blurred as a growing number of people check work e-mail from their own phone or PDA, or use a work-supplied mobile device to shop or update their Facebook page. As our mobility increases, so does the risk to our corporate IT systems,” said John Pironti, a member of ISACA’s Certification Task Force and chief information risk strategist for Archer Technologies.

A significant percentage of those surveyed do not actively manage their work computer’s security. Thirty percent report that they leave security up to their company’s IT department. Of those who connect via a wireless connection, 30% don’t or don’t know how to check the security of wireless settings and just 21% personally check their work computer for the most recent security patches.

Reality Gap Between Employees and the IT Department
A separate ISACA survey of more than 1,500 IT professionals, who are ISACA members in nine countries, conducted during the same time period shows a major gap between what the IT department believes and what the employees are planning when it comes to online holiday shopping. Close to half (48%) of those in IT believe employees will spend just over one work day, or nine hours, shopping online from a work computer—yet ISACA’s consumer survey shows that employees will average closer to two work days, or 14.4 hours.

IT professionals are realistic about the potentially staggering costs of shopping online for the holidays from workplace computers. One in four estimates that their company will lose US $15,000 or more per employee in productivity during this year’s holiday season.

“The reality gap between the IT department’s perceptions and the online shopping behaviors of the rest of the company actually represents an important opportunity for IT,” said Paul Williams, a member of ISACA’s Governance Advisory Council and a past president of the association. “By educating employees and communicating common-sense online policies, IT can better protect one of the most critical assets a company has—its IT systems.”

5 Tips for Safe Shopping From the Office Computer
ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and accidental downloading of backdoor “agents” that can highjack corporate data.

For online shoppers:

1. Use your desktop PC, not your mobile device, to shop, because your desktop browser is likely to be more secure.
2. Protect sensitive information, like credit card numbers, by password-protecting both your mobile device and its memory card.
3. Make sure you update your anti-virus and anti-malware programs continually.
4. Treat social networking sites with the same caution as other web sites—social sites are a growing target for fraudsters and virus writers.
5. Be cautious of special offers. If it looks too good to be true, it probably is. Fake online offers and coupons may lead to harmful sites, so be suspicious.

For the IT department:

1. Educate employees. Blocking sites can do more harm than good, causing employees to seek out less secure ways to get around your blockade. Education works better.
2. Get employees on board with learning by teaching them how to protect both their work computers and their home computers.
3. Reinforce what you teach by having employees sign an acceptable-use policy every year.
4. Offer a “safe zone” for holiday shopping—create an online sandbox that can be taken down after the holidays.
5. Don’t wait until Cyber Monday to step up security. Think of “Cyber Season” as the time from September to January and be extra-diligent throughout that time.

About the ISACA Shopping on the Job Survey
The second annual “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey is based on online polling in September 2009 of 1,210 US consumers and 1,513 IT professionals who are ISACA members in nine countries. The study, which was designed to capture insights about online holiday shopping at work and employee compliance with workplace policies governing online shopping, was conducted by M/A/R/C Research and ISACA, respectively. The M/A/R/C study results contain a margin of error of 3.9% at the 95% confidence level.

About ISACA^®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA^® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA^®), Certified Information Security Manager^® (CISM^®) and Certified in the Governance of Enterprise IT^® (CGEIT^®) designations.

ISACA developed and continually updates the COBIT^®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Media Contacts:

Kristen Kessinger, +1.847.660.5512, kkessinger@isaca.org
Marv Gellman, Ketchum, +1.646.935.3907, marv.gellman@ketchum.com

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA

ENTIRE ARTICLE