Archive for November, 2009

Employees Plan to Spend Nearly Two Full Work Days Shopping

Posted by admin On November - 12 - 2009

Rolling Meadows, IL, USA (21 October 2009)—Employees plan to spend nearly two full working days (14.4 hours) on average shopping online from a work computer this holiday season, according to a survey conducted on behalf of ISACA, a nonprofit association of 86,000 information technology (IT) professionals. One in 10 plans to spend at least 30 hours shopping online at work. Convenience (34%) and boredom (23%) are the biggest motivators, according to those polled.

Despite an economy expected to show flat or declining holiday retail sales, the second annual “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey found that fully half of those surveyed plan to shop online for the holidays using a work computer. Less surprising is a growing uncertainty—the number of employees who are unsure about whether they will spend more or less time shopping online compared to a year ago has doubled.

The potential danger of shopping online is that it can open the door to viruses, spam and phishing attacks that invade the workplace and cost enterprises thousands per employee in lost productivity and potentially millions in destruction or compromise of corporate data.

Employees who shop online using a work computer are also likely to engage in other high-risk behaviors. Survey participants also bank online (51%), click on e-mail links redirecting them to shopping sites (40%) and click on links from social network sites (15%). Yet nearly one in five says they are not concerned that their online shopping habits may affect the safety of their organization’s IT infrastructure.

“With the Internet now available to almost any employee in the workplace, it’s unrealistic to think that companies can completely stop the use of work computers for online shopping,” said Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. “What companies can and should do is educate employees about the risks of online shopping and remind them of their company’s security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing.”

Upwardly Mobile Shopping
This survey also found that more than one in 10 Americans who use a mobile work device such as a BlackBerry or iPhone plan to use it for holiday shopping. The increasing use of mobile work devices for personal business such as shopping can lead to additional security issues and exposure to data loss for a company.

“The lines between work and personal data are becoming more and more blurred as a growing number of people check work e-mail from their own phone or PDA, or use a work-supplied mobile device to shop or update their Facebook page. As our mobility increases, so does the risk to our corporate IT systems,” said John Pironti, a member of ISACA’s Certification Task Force and chief information risk strategist for Archer Technologies.

A significant percentage of those surveyed do not actively manage their work computer’s security. Thirty percent report that they leave security up to their company’s IT department. Of those who connect via a wireless connection, 30% don’t or don’t know how to check the security of wireless settings and just 21% personally check their work computer for the most recent security patches.

Reality Gap Between Employees and the IT Department
A separate ISACA survey of more than 1,500 IT professionals, who are ISACA members in nine countries, conducted during the same time period shows a major gap between what the IT department believes and what the employees are planning when it comes to online holiday shopping. Close to half (48%) of those in IT believe employees will spend just over one work day, or nine hours, shopping online from a work computer—yet ISACA’s consumer survey shows that employees will average closer to two work days, or 14.4 hours.

IT professionals are realistic about the potentially staggering costs of shopping online for the holidays from workplace computers. One in four estimates that their company will lose US $15,000 or more per employee in productivity during this year’s holiday season.

“The reality gap between the IT department’s perceptions and the online shopping behaviors of the rest of the company actually represents an important opportunity for IT,” said Paul Williams, a member of ISACA’s Governance Advisory Council and a past president of the association. “By educating employees and communicating common-sense online policies, IT can better protect one of the most critical assets a company has—its IT systems.”

5 Tips for Safe Shopping From the Office Computer
ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and accidental downloading of backdoor “agents” that can hijack corporate data.

For online shoppers:

  1. Use your desktop PC, not your mobile device, to shop, because your desktop browser is likely to be more secure.
  2. Protect sensitive information, like credit card numbers, by password-protecting both your mobile device and its memory card.
  3. Make sure you update your anti-virus and anti-malware programs continually.
  4. Treat social networking sites with the same caution as other web sites—social sites are a growing target for fraudsters and virus writers.
  5. Be cautious of special offers. If it looks too good to be true, it probably is. Fake online offers and coupons may lead to harmful sites, so be suspicious.

For the IT department:

  1. Educate employees. Blocking sites can do more harm than good, causing employees to seek out less secure ways to get around your blockade. Education works better.
  2. Get employees on board with learning by teaching them how to protect both their work computers and their home computers.
  3. Reinforce what you teach by having employees sign an acceptable-use policy every year.
  4. Offer a “safe zone” for holiday shopping—create an online sandbox that can be taken down after the holidays.
  5. Don’t wait until Cyber Monday to step up security. Think of “Cyber Season” as the time from September to January and be extra-diligent throughout that time.

About the ISACA Shopping on the Job Survey
The second annual “Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety” survey is based on online polling in September 2009 of 1,210 US consumers and 1,513 IT professionals who are ISACA members in nine countries. The study, which was designed to capture insights about online holiday shopping at work and employee compliance with workplace policies governing online shopping, was conducted by M/A/R/C Research and ISACA, respectively. The M/A/R/C study results contain a margin of error of 3.9% at the 95% confidence level.

About ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Media Contacts:

Kristen Kessinger, +1.847.660.5512, kkessinger@isaca.org
Marv Gellman, Ketchum, +1.646.935.3907, marv.gellman@ketchum.com

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA

Social media going corporate

Posted by admin On November - 9 - 2009
At a conference last month in San Francisco, Comcast CEO Brian Roberts credited an employee’s use of Twitter with helping to change the cable giant’s corporate culture toward customer service.
Yet a recent survey of corporate technology executives by Robert Half Technology of Menlo Park found that 54 percent of companies prohibit employees from using social-media sites while on the job.
Experts say those companies could stifle the creativity of employees who are using Twitter, Facebook and other networking sites to help their companies.

“I guarantee you a significant portion of that 54 percent just looked at it and said, ‘We don’t know what it is, but it looks like a waste of time and we’re just going to shut it down,’ ” said attorney Tobias Butler of the Internet and new media team in the Atlanta office of Bryan Cave LLP.

The reticence to use social media, however, may diminish quickly because the corporate world already has adopted technologies that were at one time called unnecessary employee distractions – instant messaging, e-mail and even access to the Internet itself, said Kailash Ambwani, chief executive officer of FaceTime Communications Inc., a Belmont firm that develops enterprise communications technology.

“All those technologies have paved the way,” Ambwani said. “We’re seeing a much different attitude with respect to social networking in two years than we saw with instant messaging in five years. They now recognize the Web is no longer about shopping and information, it’s about collaboration and cooperation.”

At Comcast, employee Frank Eliason took the initiative last year to use his own Twitter account to contact customers who were tweeting about service problems. Now known as “Famous Frank,” Eliason has been credited with almost single-handedly turning around Comcast’s reputation. He heads a staff of 11 who monitor social networks and offer help to customers.

During a question-and-answer session at last month’s Web 2.0 conference, Comcast’s Roberts said the Twitter strategy has played a big part in changing the corporate culture “from inside the organization, not just the top down.”

Quick change

“It’s fascinating for me to watch how quickly you can change a company,” Roberts told the audience.

Another example cited by Butler: An employee of San Diego’s Petco Animal Supplies Inc. began using social media to write about pets being dyed different colors, which turned into a controversial topic. The company found it could harness the passion of its own employees to create its own community, he said.

Butler’s team advises companies on developing a clear policy about the use of social networking by employees, both to take advantage of opportunities and to ensure their legal bases are covered.

Some Bay Area companies are seeing a wider interest in integrating social media in the workplace.

For example, Saba Software Inc., a Redwood City people management software firm, has introduced beta versions of new programs, Saba Social and Saba Impressions, which are scheduled to be released next year. The programs use social-media features such as status updates and creating networks of experts.

“To me, social networking will become the next e-mail,” said Ben Willis, Saba’s senior director of product strategy. “It will become the platform that people will use to communicate.”

Ambwani said he’s been talking to firms about FaceTime’s new United Security Gateway technology, which allows social media use while still addressing concerns about security and about private information leaking out.

One example of such concerns involved a Canadian bank that blocked social media but became the object of a wave of complaints from outraged customers about poor service on Facebook and Twitter.

Twitter firestorm

“People within the company weren’t used to dealing with these things when the firestorm broke out over Twitter,” he said. “And when they found out, they had no real mechanism to respond because they were blocked. And even if they weren’t blocked, they didn’t know how to respond.”

He’s also spoken with officials of a large brokerage that had blocked social media, but began noticing that referrals coming through brokers’ personal Facebook or LinkedIn accounts were far more likely to become clients.

“Human beings are tribal in nature,” Ambwani said. “I know that I am more likely to respond to a stranger if that stranger reaches me through Facebook or LinkedIn than my e-mail account, because I feel some connection.”

E-mail Benny Evangelista at bevangelista@sfchronicle.com.

This article appeared on page DC – 1 of the San Francisco Chronicle

Social networking creates havoc

Posted by admin On November - 9 - 2009

Ralph Schaefer

Social networking is creating workplace havoc.

Employers are faced with decisions varying from a total ban of the services to developing policies that allow the use of MySpace, Facebook, Twitter and other new communication methods.

Employees must deal with the ability to maintain contact with people outside the workplace in a timely fashion without violating any company policies that could cost them their job.

Social responsibility on both sides is a fine line, according to Tony G. Puckett, a member of the McAfee & Taft Law Firm.

Puckett, from the Oklahoma City office, was among speakers at the LEEB (Labor & Employment and Employee Benefits) University presented by McAfee & Taft to human resource managers.

Employers always are concerned about losing sensitive information about the company that could hurt employees and damage operations, Puckett said. This technology makes it easy to leak that data. As a result, employers always are looking for ways to prevent those problems before they occur.

Employees often use the sites to vent frustrations about the company, co-workers and other workplace issues they might be experiencing at that time. Unfortunately, they sometimes also make derogatory remarks about others in the workplace that, if known to others, would be harmful.

New forms of communication — blogs, texting, microblogs such as Twitter, social networking sites, digital cameras, YouTube, cell phones with cameras and videos, GPS tracking on vehicles and phones — are wonderful devices when properly used, he said. Facebook alone currently boasts a membership of 250 million subscribers.

Real difficulties happen when employees want their privacy on these social networks while using them on company time.

The best way to get around those difficulties is to train everyone in the company about policies and then make certain they are equally enforced, Puckett said. Standards can be put in place on workplace productivity, confidentiality of information and injury to business reputations, along with a reminder that digital information, unlike phone calls and letters, lasts forever and can show up as evidence many years later.

Putting employee expectations on the line when someone is hired can be the first step to help reduce possible breaches in any confidential information that might be shared. It is better to have these policies in place at the start of employment than later and try to make up for lost time.

Questions often raised leave employers wondering how to control work time spent on the Internet, texting, blogging and other communication methods, Puckett said. Then there is the question of whether or not policies are in place to legally monitor employee activity and discipline accordingly.

An important rule to remember is that electronic behavior is a means, not an end, he said. If behavior is prohibited, it is prohibited via computer as well.

The corollary is that thoughtful, well-communicated policies will set employee expectations regarding all types of workplace behavior. That is followed by a balance of a reasonable expectation of privacy with legitimate business purpose and scope.

The U.S. Constitution tops the governing laws and legal authorities that govern workplace monitoring programs. That is followed by the Federal Electronic Communications Privacy Act — Title II, the Stored Communications Act. Then there is the National Labor Relations Act, case law and Oklahoma laws protecting invasions of privacy.

That said, Puckett related a case where courts found that a workplace hidden camera was not an invasion of the employee’s privacy rights.

Everything started when the employer learned that someone in the company was using a computer for viewing pornographic material in the early morning hours. Determined to identify the culprit, the employer installed a hidden camera in the office, which was locked after hours.

The two employees using the office sued because they felt their right to privacy had been invaded.

However, the court noted the camera was turned on only at the close of the business day and was installed for a legitimate business concern.

A federal appeals court also held that a Washington State teacher’s blog attacking co-workers was not protected speech of public concern, but rather that the comments were “racist, sexist and bordered on vulgar,” and were “mean spirited.”

Referring to the Electronic Communications Privacy Act of 1986, Puckett said that Title I protects wire, oral and electronic communications while in transit. It also protects communications held in electronic storage, most notably messages stored on computers.

General provisions of the law protect wire, oral and electronic communications from interception, access and disclosure.

Employers may not intercept a communication, that is tap a phone line; disclose or use contents of an illegally intercepted communication, or use an electronic, mechanical or other device to intercept oral communications — hide a tape recorder.

Important exceptions also are provided.

First is that the employee can consent, either expressly or by implication, to the recording; then there are the business extension or business use exception and the provider exception.

Oklahoma law allows one party to a telephone conversation to make a recording.

Employers are watching the electronic activity within the company according to a June 2009 study of decision-makers at companies with more than 1,000 employees.

The study showed that 43 percent reported investigating an e-mail based leak in the past 12 months; 33 percent employ staff whose exclusive job is to monitor the control of outbound e-mail, up from 24 percent in 2008; that 31 percent reported firing workers for misuse of e-mail and 8 percent reported terminating employees for use of social media, up from 4 percent a year earlier.

Various reasons were cited for the monitoring efforts including quality and reputation control; risk of defamation or invasion of privacy claims by other employees or outside parties and misappropriation of trade secrets or confidential information.

Suspicious activity by employees was given as another reason for monitoring that sometimes led to disciplining or termination of an employee.

Make certain that computer use and monitoring policies are transparent and evenly enforced, Puckett said. Employees will feel less violated when they know what will be happening and continuation of employment with knowledge of the policy is in place.

Make certain that employees understand they cannot expect privacy in company communications, he said. Use of the computer system equals consent of the employee and passwords are for external security only, not for the privacy of the user. All passwords must be disclosed upon request.

Puckett reminded his audience that companies must have a system and policy in place for storage, backup and retrieval of electronic documents, including emails.

He also noted that federal rules require production of all electronic evidence unless it is cost prohibitive.

Plan ahead, Puckett said, and consult with computer personnel. Do not destroy documents related to pending or known claims or litigation. Anything can be retrieved if a party is willing to spend the money.

Controlling social networking is impossible, Puckett said. The best way to control difficulties is to have a clearly stated policy in place, train everyone about the rules and make certain they are enforced equally.
