- Category: January 2012 - Marketing Trends 2012
ISACA’s fourth annual "Shopping on the Job" survey examines employees’ risky online activities while using work-issued computers.
The survey also examines the growing “bring your own device” (BYOD) trend that is blurring the lines between personal and corporate devices, revealing:
- The number of employees who plan to use a work-supplied device to shop online - and how much time they’ll spend shopping
- The risky activities employees say they do online
- Cost of lost productivity that business and IT professionals expect their enterprises to experience
- Whether companies permit BYOD - and if the risk outweighs the benefits
- Whether companies tend to ban, limit or freely allow employees to shop online and visit social networking sites
The study is based on an October 2011 online poll of 4,740 ISACA members from 84 countries. The following results come from the questions for the Asian region. One third of the respondents work in India (34%) and 10% in Japan; Singapore and the United Arab Emirates make up 7% each, followed by Hong Kong and the Philippines with 5% each, Malaysia and China with 4% each, Indonesia, Thailand, Pakistan and Saudi Arabia with 3% each, Sri Lanka with 2%, and Bahrain, Bangladesh, Lebanon, Macau, Oman and Taiwan with around 1% each.
During the holiday season (November and December), how much total time do you think an average employee at your enterprise spends shopping online using:
Hours | A work-supplied computer or smartphone, at work or elsewhere? | A personal computer or smartphone during work hours |
0 hours | 12% | 9% |
1 - 2 hours | 37% | 34% |
3-5 hours | 18% | 21% |
6-8 hours | 10% | 10% |
9-12 hours | 7% | 10% |
13-16 hours | 4% | 4% |
17-20 hours | 4% | 4% |
21-29 hours | 3% | 2% |
30-39 hours | 2% | 1% |
40-49 hours | 1% | 2% |
50 hours or more | 2% | 3% |
Compared to last year, do you think your employees will do more, less or about the same amount of holiday shopping online during work hours? (n=961)
More | 41% |
Less | 19% |
About the same | 40% |
How much money (in US dollars) in terms of productivity do you think your enterprise loses in November and December as a result of an employee shopping online during work hours? (n=960)
$0 | 12% |
$1-$999 | 34% |
$1,000-$4,999 | 23% |
$5,000-$9,999 | 11% |
$10,000-$14,999 | 5% |
$15,000 or more | 10% |
Other | 5% |
Which of the following statements is most accurate about your enterprise? (n=961)
My enterprise allows employees’ use of IT assets and time for personal purposes to promote work-life balance | 27% |
My enterprise restricts employees’ use of IT assets and time for personal purposes due to productivity concerns | 17% |
My enterprise restricts employees’ use of IT assets and time for personal purposes due to security concerns | 53% |
Other | 3% |
My enterprise does the following when it comes to: (n=898)
Practice | Allows | Limits | Prohibits | Unsure |
The use of work-supplied mobile devices for personal use | 32% | 37% | 28% | 4% |
The use of personal mobile devices for work purposes | 40% | 25% | 32% | 4% |
Online shopping using a work-supplied device | 26% | 26% | 41% | 7% |
Accessing social networking or daily deal sites from a work-supplied device | 22% | 23% | 52% | 3% |
Use of work email addresses for personal online shopping or non-work-related activities | 27% | 19% | 45% | 9% |
Approximately what percentage of your enterprise’s information security incidents do you think are the result of employees’ use of: (n=893)
Percentage of incidents | Work devices (e.g. PC, laptop, netbook, smartphone, tablet) for personal activities? | Personal devices (e.g. PC, laptop, netbook, smartphone, tablet) for work activities? |
0 | 8% | 13% |
1-9 | 32% | 35% |
10-19 | 19% | 16% |
20-29 | 10% | 11% |
30-39 | 7% | 6% |
40-49 | 4% | 5% |
50-59 | 5% | 5% |
60-69 | 4% | 2% |
70-79 | 3% | 2% |
80-89 | 3% | 2% |
90-99 | 2% | 1% |
100 | 2% | 2% |
What security measures, if any, has your enterprise put in place to limit or prevent employees from shopping online using a work computer or smartphone? (n=886)
a) | Has a policy in place that addresses online shopping | 51% |
b) | Communicates the policy | 54% |
c) | Provides security awareness training | 63% |
d) | Educates employees on the risk of online shopping | 44% |
e) | Has technology in place to protect against web-based attacks | 61% |
f) | Blocks retail web sites | 42% |
g) | Monitors employees’ internet usage | 54% |
h) | Provides a “guest” or segregated network and computing resources for employees to use for shopping and personal online activities | 9% |
Which of the following do you believe is the most accurate statement about employees using personal mobile devices for work activities? (n=894)
a) | The benefits outweigh the risk | 19% |
b) | The risk outweighs the benefits | 54% |
c) | The risk and benefits are appropriately balanced | 28% |
Does your enterprise provide guidance on security issues regarding the use of geo-location services on smartphones and other devices? (n=897)
a) | Yes | 35% |
b) | No | 45% |
c) | Unsure | 20% |
In what industry do you work? (n=889)
a) | Finance/banking/insurance | 31% |
b) | Technology services/consulting | 29% |
c) | Manufacturing/engineering | 7% |
d) | Public accounting | 5% |
e) | Government/military | 5% |
f) | Telecommunications/communications | 4% |
g) | Retail/wholesale/distribution | 3% |
h) | Transportation/aerospace | 2% |
i) | Mining/construction/petroleum/agriculture | 2% |
j) | Health care/medical/pharmaceutical | 2% |
k) | Advertising/marketing/media | 1% |
l) | Utilities | 0% |
m) | Legal/law/real estate | 0% |
n) | Education/non-profit | 2% |
o) | Other | 6% |
Which of the following is closest to your job title? (n=883)
a) | External consultant | 8% |
b) | Professor/teacher | 1% |
c) | Professional | 28% |
d) | Supervisor | 8% |
e) | Manager | 42% |
f) | Director | 7% |
g) | Vice President | 5% |
h) | President/CEO | 1% |
The majority of respondents in the six regions (Africa, Asia, Europe, Latin America, North America and Oceania) believe that online shopping among employees will either remain at the same levels or increase this year, according to Ken Vander Wal, CISA, CPA, International President, ISACA and the IT Governance Institute. Further, the approach to allowing employees to use IT assets for non-work purposes would be mixed.
More ISACA members in Europe, North America and Oceania say that their enterprises allow employees’ use of IT assets and time for personal purposes to promote work-life balance, while those in Asia, Latin America and Africa say that their enterprises generally restrict this practice due to security concerns. Almost all of them agree that the BYOD trend needs attention, with five of six regions saying the risk outweighs the benefits.
As many IT professionals know, personally owned PCs or mobile devices that are also used for work are usually more difficult to secure than work-issued devices and are often used for higher-risk online activities, like clicking on links in social network sites or downloading music files. Ultimately, this means that sensitive corporate information may be compromised if the employee’s device is lost, stolen or attacked by malware. The solution is not as obvious as banning personal devices at work or forbidding the use of work IT assets outside of the office.
The BYOD trend is a perfect illustration of the balance that is continually needed between trust and value, and between risk and benefit. For many employees, one aspect of the perceived value in their enterprise’s information systems is the ability to access these systems anywhere, any time and from any device. Establishing and demonstrating that these systems can be trusted means finding ways to secure them without imposing impractical restrictions that many employees will ignore or work around.
ISACA believes that with the right governance frameworks, business unit support and employee communication, “restrict or limit” could be replaced with “embrace and educate”. It is important to keep pace with the rapidly changing technology environment.
If you would like to learn more about this year’s Shopping on the Job Survey and tips on how employees can manage their BYOD devices, please visit www.isaca.org/online-shopping-risk