Insecure devices extend shopping risks

Shopping online for the holidays is up, with a 15-point increase in the percentage of Americans who say they will spend more time shopping online than in 2010. But according to ISACA, more than half the time spent shopping will be on devices also used for work, which poses significant risk to corporate networks and information.

ISACA found that online shoppers plan to spend 32 hours on average shopping online this holiday season, with 18 of those hours on a work-supplied device or a personal device used for work – a trend called “BYOD” (bring your own device). People are increasingly tech-savvy: use of mobile applications has nearly tripled since last year’s survey, 29 percent click on deal sites such as Groupon, and 7 percent scan quick response (QR) codes.

“The consumer survey shows that two-thirds of employees ages 18 to 34 have personal devices they use for work purposes. BYOD is here to stay, so education and precautions are needed,” said Robert Stroud, CGEIT, CRISC, past international VP of ISACA and VP and service management, cloud computing and governance evangelist at CA Technologies.

Location tracking

Consumers are concerned about new features like mobile device location tracking. Fully 74 percent say they would turn off tracking due to potential stalking or identity theft. A third of consumers (34 percent) have clicked on a link in a social media site (up from 19 percent in 2010) and more than 1 in 10 (13 percent) click on e-mail links from unknown sources.

“ISACA’s survey shows that employees are unwittingly adding risk to businesses. The role of BYOD is bigger this season, so organizations must embrace its use and educate employees about security,” said Ken Vander Wal, international president of ISACA.

The consumer survey shows that 16 percent of respondents say their organization does not have a policy prohibiting or limiting personal activities on work devices, and another 20 percent do not know if their enterprise has one.

“There is a gap between what IT departments may do and what employees understand,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, security advisor with ISACA and president of IP Architects. “Many employees don’t realize that, as part of the process of connecting their personal device to the organization’s network, they may have agreed to allow their personal smartphone or tablet to be remotely or locally wiped clean if they lose it or the organization believes it has become compromised while storing confidential data.”

ISACA offers tips for employees with personal devices also used for work:

  • Understand policies you agree to for connecting to corporate networks.
  • Understand what happens if your organization considers your device a security risk.
  • Follow ISACA’s five-step “ROUTE” for geolocation.
  • Enable security features, including encryption and passcodes.
  • Ensure you have current operating systems and updates.