ISACA’s fourth annual "Shopping on the Job" survey examines employees’ risky online activities while using work-issued computers.

Their survey also examines the growing “bring your own device” (BYOD) trend that is blurring the lines between personal and corporate devices, revealing:
  • The number of employees who plan to use a work-supplied device to shop online - and how much time they’ll spend shopping
  • The risky activities employees say they do online
  • Cost of lost productivity that business and IT professionals expect their enterprises to experience
  • Whether companies permit BYOD - and if the risk outweighs the benefits
  • Whether companies tend to ban, limit or freely allow employees to shop online and visit social networking sites

The study is based on an October 2011 online poll of 4,740 ISACA members from 84 countries, and the following results came from questions for the Asian region: one third of the respondents work in India (34%), 10% in Japan, Singapore and the United Arab Emirates make up 7% each followed by Hong Kong and the Philippines with 5% each, Malaysia and China with 4% each, Indonesia, Thailand, Pakistan and Saudi Arabia with 3% each, Sri Lanka with 2% and Bahrain, Bangladesh, Lebanon, Macau, Oman 1%, and Taiwan with around 1% each.

During the holiday season (November and December), how much total time do you think an average employee at your enterprise spends shopping online using:

A work-supplied computer
or smartphone, at work or elsewhere?
A personal computer
or smartphone during work hours
0 hours 12% 9%
1 - 2 hours 37% 34%
3-5 hours 18% 21%
6-8 hours 10% 10%
9-12 hours 7% 10%
13-16 hours 4% 4%
17-20 hours 4% 4%
21-29 hours 3% 2%
30-39 hours 2% 1%
40-49 hours 1% 2%
50 hours or more
2% 3%

Compared to last year, do you think your employees will do more, less or about the same amount of holiday shopping online during work hours? (n=961)

More 41%
Less 19%
About the same 40%

How much money (in US dollars) in terms of productivity do you think your enterprise loses in November and December as a result of an employee shopping online during work hours? (n=960)

$0 12%
$1-$999 34%
$1,000-$4,999 23%
$5,000-$9,999 11%
$10,000-$14,999 5%
$15,000 or more 10%
Other 5%

Which of the following statements is most accurate about your enterprise? (n=961)

My enterprise allows employees’ use of IT assets and time for personal purposes to promote work-life balance 27%
My enterprise restricts employees’ use of IT assets and time for personal purposes due to productivity concerns 17%
My enterprise restricts employees’ use of IT assets and time for personal purposes due to security concerns 53%
Other 3%

My enterprise does the following when it comes to: (n=898)

Allows Limits Prohibits Unsure
The use of work-supplied mobile devices for personal use 32% 37% 28% 4%
The use of personal mobile devices for work purposes 40% 25% 32% 4%
Online shopping using a work-supplied device 26% 26% 41% 7%
Accessing social networking or daily deal sites from a work-supplied device 22% 23% 52% 3%
Use of work email addresses for personal online shopping or non-work-related activities 27% 19% 45% 9%

Approximately what percentage of your enterprise’s information security incidents do you think are the result of employees’ use of: (n=893)

Work devices
(e.g. PC, laptop, netbook, smartphone, tablet)
for personal activities?
Personal devices
(e.g. PC, laptop, netbook, smartphone, tablet)
for work activities?
0 8% 13%
1-9 32% 35%
10-19 19% 16%
20-29 10% 11%
30-39 7% 6%
40-49 4% 5%
50-59 5% 5%
60-69 4% 2%
70-79 3% 2%
80-89 3% 2%
90-99 2% 1%
100 2% 2%


What security measures, if any, has your enterprise put in place to limit or prevent employees from shopping online using a work computer or smartphone? (n=886)

a) Has a policy in place that addresses online shopping 51%
b) Communicates the policy 54%
c) Provides security awareness training 63%
d) Educates employees on the risk of online shopping 44%
e) Has technology in place to protect against web-based attacks 61%
f) Blocks retail web sites 42%
g) Monitors employees’ internet usage 54%
h) Provides a “guest” or segregated network and computing resources for employees to use for shopping and personal online activities 9%

Which of the following do you believe is the most accurate statement about employees using personal mobile devices for work activities? (n=894)

a) The benefits outweigh the risk 19%
b) The risk outweighs the benefits 54%
c) The risk and benefits are appropriately balanced 28%

Does your enterprise provide guidance on security issues regarding the use of geo-location services on smartphones and other devices? (n=897)

a) Yes 35%
b) No 45%
c) Unsure 20%

In what industry do you work? (n=889)

a) Finance/banking/insurance 31%
b) Technology services/consulting 29%
c) Manufacturing/engineering 7%
d) Public accounting 5%
e) Government/military 5%
f) Telecommunications/communications 4%
g) Retail/wholesale/distribution 3%
h) Transportation/aerospace 2%
i) Mining/construction/petroleum/agriculture 2%
j) Health care/medical/pharmaceutical 2%
k) Advertising/marketing/media 1%
l) Utilities 0%
m) Legal/law/real estate 0%
n) Education/non-profit 2%
o) Other 6%


Which of the following is closest to your job title? (n=883)

a) External consultant 8%
b) Professor/teacher 1%
c) Professional 28%
d) Supervisor 8%
e) Manager 42%
f) Director 7%
g) Vice President 5%
h) President/CEO 1%

 

Click to Enlarge Graphic

The majority of respondents in the six regions (Africa, Asia, Europe, Latin America, North America and Oceania) believe that online shopping among employees will either remain at the same levels or increase this year, according to Ken Vander Wal, CISA, CPA, International President, ISACA and the IT Governance Institute. Further, the approach to allowing employees to use IT assets for non-work purposes would be mixed.

More ISACA members in Europe, North America and Oceania say that their enterprises allow employees’ use of IT assets and time for personal purposes to promote work-life balance, while those in Asia, Latin America and Africa say that their enterprises generally restrict this practice due to security concerns. Almost all of them agree that the BYOD trend needs attention, with five of six regions saying the risk outweighs the benefits.

As many IT professionals know, personally owned PCs or mobile devices that are also used for work are usually more difficult to secure than work-issued devices and are often used for higher-risk online activities, like clicking on links in social network sites or downloading music files. Ultimately, this means that sensitive corporate information may be compromised if the employee’s device is lost, stolen or attacked by malware. The solution is not as obvious as banning personal devices at work or forbidding the use of work IT assets outside of the office.

The BYOD trend is a perfect illustration of the balance that is continually needed between trust and value, and between risk and benefit. For many employees, one aspect of the perceived value in their enterprise’s information systems is the ability to access these systems anywhere, any time and from any device. Establishing and demonstrating that these systems can be trusted means finding ways to secure them without imposing impractical restrictions that many employees will ignore or work around.

ISACA believes that with the right governance frameworks, business unit support and employee communication, “restrict or limit” could be replaced with “embrace and educate”. It is important to keep pace with the rapidly changing technology environment.

If you would like to learn more about this year’s Shopping on the Job Survey and tips on how employees can manage their BYOD devices, please visit www.isaca.org/online-shopping-risk