Organizations allow employees to shop online but do not educate users about risks, exposing employees and employers alike to spam, malware, phishing and loss of productivity in the workplace. ISACA has carried out three simultaneous surveys (two in the US and one in the UK) to look at the latest trends in online shopping and workplace Internet safety.

The UK survey of ISACA members found that a mere 21% of respondents said their organization's employees fully understood the risks associated with shopping online from their workplace computers. More than 82% said their organisation either does not have or they are not aware of a policy that prohibits employees from shopping online. There was also an expectation that there would be more online shopping from the work place than last year with over 51% predicting an increase.

Only 32% of organizations that allow online shopping educate employees about the risks. Slightly over 31% of organizations prohibit using a work e-mail for online shopping or other online non-work related activities, even though allowing the use of work e-mails can expose the organization to greater volumes of spam. Over 40% of organizations thought they were going to lose an average of £2,000 or more in productivity per employee from online holiday shopping at work during November and December. Slightly more than one in 10 organisations had security measures in place to prevent employees from shopping online at work. The age groups that respondents felt posed the greatest threat to their organizations infrastructure were Millennials (born 1977-94).

In a separate survey of 973 US consumers, ISACA found that 63% of employees plan to shop online from their work computer during November and December, but 26% do not know how to or do not bother to check whether a web site is secure. They also found that nearly half of employees (49%) had clicked on an e-mail link to go to a retailer’s web site from their workplace computer, potentially exposing their employer to Trojans or malware from infected or unscrupulous web sites. Over a fifth of all employees, 22%, had compounded the problem by clicking on a link to order goods while also using their work e-mail address as a contact address for purchases, exposing themselves to a greater risk of attack by spammers.

One third of workers were more concerned about the security of their personal computer than their work computer, but for younger workers aged 18-25, this figure shot up to 49% paying less attention to the security of their employer’s computer. A quarter of employees either did not check or were not sure how to check if a web site was secure before they made a purchase.

The survey of ISACA members in the US revealed similar findings to the survey of ISACA members in the UK but with a few striking differences; 71% either do not think that or are unsure whether their organisation has a policy in place that prohibits employees from shopping online. There was less expectation that there would be an increase in online shopping from the work place with only 34% predicting an increase compared to last year. Over 16% of organisations had security measures in place to prevent employees from shopping online at work. Again the age groups that respondents felt posed the greatest threat to their organisations infrastructure were Millennials (born 1977-94).