Saturday, September 4, 2010

Archive for November, 2008

ROLLING MEADOWS, Ill., Nov 13, 2008 (BUSINESS WIRE) — Four out of 10 Americans ages 18-24 will spend up to five hours shopping online using their work computer this holiday season. This same age group is the least worried about the vulnerability of their work computers, creating an increased risk of spam, viruses and phishing attacks in the workplace, according to the recent “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey conducted on behalf of ISACA, a global, nonprofit association of IT professionals.

The survey examined how much time employees will spend in November and December shopping online from work, how aware they are of online security, and whether they comply with employer policies for online shopping.

Overall, 63 percent of people of all ages surveyed plan to shop online during the holiday season from their workplace computers. Older Americans are less likely to shop from work than those in the 18 to 24 group, who make up the majority of “Millennials,” a demographic typically described as being more tech-savvy, more concerned about work/life balance and less loyal to their employers than other age groups.

Millennials were also found to worry less about the vulnerability of their work computer than their personal computer. Close to half (49 percent) pay more attention to the security of their home computer, whereas almost two-thirds of workers over age 25 are equally concerned with both.

“This survey clearly shows that younger employees are more likely to engage in online activities at work that put a business’s IT infrastructure at risk,” said Kent Anderson of ISACA’s Security Management Committee. “The fact that Millennials are planning to spend the equivalent of more than half a work day doing holiday shopping from their work computer, combined with their lack of concern for how secure their computer is, points to an urgent need for employee education.”

Anderson added that the key is to educate people of all ages on ‘why’ they need to care about security in addition to ‘how’ they should ensure their transactions are secure.

Providing a workplace e-mail address to an online retailer can leave a computer network open to a variety of threats and productivity wasters including spam, phishing attacks and viruses. Yet more than two in 10 (22 percent) respondents have clicked on an e-mail link to go to a retailer’s web site from their workplace computer and used their company e-mail address as the contact for a purchase. In addition, one in four (26 percent) respondents either does not check or is unsure how to check the security of a web site before making a purchase.

Cost of Holiday Shopping: $3,000 or More per Employee

These findings are reflected in a parallel version of the survey that was administered to IT professionals who are members of ISACA. According to responses, nearly half (46 percent) of US-based ISACA members believe their company is losing an average of $3,000 or more in productivity per employee from online holiday shopping at work.

More than half (55 percent) also reported that their company permits workers to shop online but has no strategy for educating them about the risks. More than 3,100 respondents across the US participated in the parallel survey in October 2008.

“With the economy in such a volatile state, people are working long hours and are facing increased pressure to succeed,” said John Pironti of ISACA’s Education Board. “The survey results show that there needs to be a common-sense balance between security awareness and employee compliance.”

Tips for Safer Holiday Shopping From the Office Computer

ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of backdoor “agents” that can hijack corporate data.

For online shoppers:

1) Make sure web sites you connect to are using SSL encryption while you are entering personal information.

2) Do not allow sites to save your username or password. Avoid providing your work email address as your contact information.

3) Delete cookies from your computer after you are finished shopping.

4) Use separate browser sessions for your holiday shopping versus your work-related browsing.

5) If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations onto your work computer.

For the IT department:

1) Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.

2) Tailor education programs to match the various demographics, attitudes and technology know-how of groups within the workplace.

3) Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.

4) Make sure that patches are deployed, security functions are enabled, and firewall rules, intrusion detection system (IDS) signatures, and spam filters are updated regularly.

5) Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.

About the ISACA Shopping on the Job Survey

The “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey is based on online polling of 973 consumers in late September 2008 and 3,191 IT professionals in October 2008. The study, which was designed to capture insights about online holiday shopping at work and employee compliance with workplace policies governing online shopping, was conducted by M/A/R/C Research and ISACA, respectively. The M/A/R/C study results contain a margin of error of 3.1 percent at the 95 percent confidence level.

About ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers three globally respected certifications.


A guide to personal e-mail & text message use on the job

Posted by admin On November - 17 - 2008

In an article from the Dayton Business Journal, Jacod Dirr writes that for small- to medium-sized businesses, managers must do everything in their power to ensure productivity, maintain high morale and keep a competitive edge.

As such, employers might need to know if workers are frittering away hours searching social networking sites, adjusting fantasy sports team rosters or even peeking at obscene material.

Across the board, employment experts said companies should establish a broad user policy to protect themselves in court from employees who claim an invasion of privacy. Once a good policy is in place, it must be presented to employees, who should sign a compliance statement.

Companies should not go on fishing expeditions, but an airtight policy will protect them should a dire situation occur and it be challenged in court. For example, an employee could get caught looking at smut or texting threats, then get fired, but could sue over an invasion of privacy.

In almost every court case brought against an employer, the linchpin of the case depends on whether the employee had the “expectation of privacy,” experts said.

But if the company has a documented policy with a signature, which hypothetically states: “The company can at any time monitor employee communications or activities and the employee should not have any expectation of privacy,” then the employee’s case loses merit.

“That nullifies any expectation of privacy,” said Karen Dunlevey, an employment law attorney at Dayton-based Bieser, Greer & Landis. “The policy is imperative to protect the employer.”

When creating a policy, companies need to construct one that is broad enough to cover any conceivable situation, from checking mobile devices for messages sent to employees forfeiting privacy whenever they use company networks on a private device.

However, companies should also be proactive in reminding employees about policy.

Mikki Clancy, vice president and chief information officer for Premier Health Partners, said regular education that the policies are there to protect employees and the organization is key.

“If they think of you as Big Brother, you are missing the boat,” Clancy said.

At Premier Health Partners, Clancy said the company has an established board that regularly reviews its electronic communications policy and compares it to best practices in the marketplace.

However, she cautioned against making constant changes, which could only confuse employees about what is and is not expected, and encouraged companies to instead create a broad definition that would allow for varying circumstances.

Having a defined policy does not give employers carte blanche, though.

Once companies wade into private devices and accounts, they should be wary and make sure their policy allows it, experts said.

To date, no court case has given a glimpse into how much leeway companies can have in peering into personal communication devices.

The exception appears to be if a personal mobile device, be it phone or laptop, is accessing the company network — such as the office wireless Internet — then it could give companies just cause if their policy is broad enough.

The key is to ask employees to sign waivers that relinquish any right to privacy while on company time or equipment.

In monitoring employee communications, employers are never allowed to “intercept” the information in transit. This could mean, for example, listening to phone calls through a third party device, like a wire tap. That would violate the Electronic Communications Privacy Act, which prevents illegal wiretaps and such.

Bob Dunlevey, an employment law specialist at Dayton-based Dunlevey, Mahan & Furry, said companies viewing e-mails from a private account, even if they were accessed while at work, should be a last resort.

“I think the employer is on shaky ground to go into that private account, unless there is some strong reason to get in there,” he said, adding that perusing old e-mails, not accessed on the company system, is off limits.


Internet thieves make big money stealing corporate info

Posted by admin On November - 17 - 2008

In a recent USA TODAY article, Byron Acohido writes that an innocuous posting appeared on a Houston-based technology company’s internal website on a recent Friday afternoon.

A couple of workers saw it, and obeyed instructions to click on a Web link. The posting seemed trustworthy. It was on an employees-only message board. And the link referenced news about a favorite company charity.

By clicking on the link, the workers infected their PCs with a virus that shut down the company’s antivirus defenses.

The virus swiftly located — and infected — some 300 other workstation PCs, silently copying the contents of each computer’s MyDocuments folder. It transmitted the data across the Internet to a gang of thieves operating out of Turkey.

Often employees use such free tools to expand their business contacts and to back up clunky, company-supplied systems. But corporations have been slow to come to grips with security holes intrinsic to such free tools, or to restrict their use. “Corporations need to accept the fact that these tools are here to stay and secure them,” says Jose Nazario, senior security researcher at Arbor Networks.

The most fertile turf: AOL, Yahoo and MSN instant messaging; YahooMail, HotMail and Gmail; and MySpace and FaceBook, the free tools that on any given day you’ll find open on millions of workplace PCs. The most coveted loot: e-mail address books, instant-messaging buddy lists, PowerPoint slide presentations, engineering drawings, partnership agreements, price lists, bid proposals, supply contracts, executive e-mail exchanges and the like.

The military and many financial services firms block access to YouTube and other popular websites on work computers. But most organizations pay little heed to how employees use free Web programs; only a small minority actually pay for secure alternatives, such as company-supplied instant messaging, says Chris King, marketing director at security firm Palo Alto Networks.
