Malware real threat to holiday shopping on company time

It's not so much the slacking off that concerns CIOs. Record online shopping and a shaky economy could black hole your company.

Given the round-the-clock demands made on many American workers, a little holiday shopping on company time is no

big deal, right? Not according to security experts like Troy Saxton-Getty. And especially not this season. In an uncertain economy, shoppers are more likely to seek out bargain sites and ultimately put themselves, and their companies, at risk.

More on online security
CIOs: Monitoring employees thwarts Internet abuse

Companies fear dark corners of the virtual world

Cyber Attacks: Keeping up with Evolving Threats
"Phishing sites commonly use low-cost shopping sites as a way to embed some type of malware in your browser," said Saxton-Getty, vice president of technical operations at St. Bernard Software Inc., a San Diego-based provider of security products that monitor online traffic.

A lunchtime shopping expedition can give rise to a zombie (an insecure Web server), and the computer in cubicle C become a node for spamming. "So now your company's IP address becomes a known spammer, and you're wondering why your email doesn't get delivered to your customers," Saxton-Getty said.

According to a pair of surveys conducted for online retailer association Shop.org, 72 million people planned to shop online on Cyber Monday, the first working day after the year's busiest shopping weekend; actual traffic was up 26% over last year.

So now your company's
IP address becomes a known spammer
and you're wondering why your email doesn't get delivered
to your customers.

Troy Saxton-Getty
vice president of technical operationsSt. Bernard Software Inc.

The phenomenon is hyped as a testament to the growing market of online commerce and a colossal time waster for employers. Chicago-based outplacement firm Challenger, Gray & Christmas (no joke) Inc. estimates the Monday shopping spree will cost employers $488 million in lost time. The estimate is based on average salaries and minutes devoted to online shopping, spokesman James Pedderson said. A BusinessWeek article disputes the online traffic numbers, however; other reports question the productivity loss, as well.

Still, browsing on company time is not confined to the Christmas rush. St. Bernard calculates an average 10% to 14% of the "typical knowledge worker's" Web activity at work is used for personal business, from buying concert tickets to sending in the rent check.

"If you track bill-paying services, you would be amazed at how many people go onto their bank site while they are at work," Saxton-Getty said.

Ease is a big factor. Company pipes are bigger, so the Internet connectivity is better, and people are time-challenged. Personal browsing habits vary, he said. Some employees opt for first thing in the morning, or lunchtime, while others tend to take their browsing break after finishing a chunk of work. "The line in the sand ethically is also all over the place. Some people see their breaks are employer-sanctioned personal time. Others feel, 'Hey this place works me awfully hard, I'm going to take care of myself first.'"

Spyware voted biggest threat

The 10% to 14% statistic is invariably an eye-opener for executives, said Saxton-Getty, who addresses executive member organizations like Vistage International Inc. and the Young Entrepreneurs' Organization on this topic. Some head honchos get upset over the bandwidth hogging and loss of productivity implied by the statistics. But in a 24/7 work culture, the bigger issue, security experts say, should be the company's vulnerability to cyberattacks and the potential reputational damage risked by this extracurricular activity.

Spyware No. 1 threat
A study out this week from the Computing Technology Industry Association (CompTIA), shows that spyware, a blip on the security radar screen a few years ago, is now the No. 1 security threat.

A majority of the 1,070 businesses responding to the CompTIA survey, 55%, said the volume of spyware has increased over the past 12 months. Lack of user awareness (54%); viruses and worms (49%); authorized user abuse (44.2%); and browser-based attacks (41.5%) raised nearly as much concern. And, while worms and browser-based attacks posed less of a risk than a year ago, when asked to name the types of security attacks looming for the next three years, viruses and worms climbed to the top of the list.

-- LT
Security risks related to employee online behavior are always with us, said Jon Oltsik, a senior analyst at Enterprise Strategy Group in Milford, Mass. There is more malicious code, and more botnets, out than ever before. But the holiday season is as good a time as any to trot out company policy on acceptable and unacceptable online behavior, he said. Aside from prohibitions on the big no-nos, such as gambling and pornography, it's probably wise to review basic online etiquette, such as don't click on pop-ups, and if a deal sounds to good to be true, it is.

"So, yes, CIOs need to be concerned about peer-to-peer networks and online shopping, but more important, there needs to be good training, something many companies are deficient in, " Oltsik said.

As for risks related to employee use of company bandwidth for personal use, executives tend to gravitate toward two extremes, said St. Bernard's Saxton-Getty -- the trusters and the vigilantes. "I tell these CEOs you're going to go blind and you're going to get p----- when you figure out what is really going on inside your company, but you are foolish not to have some sort of mechanism that tracks and logs Internet use," Saxton-Getty said. His company recommends a middle ground: Use appliances to monitor what your employees are doing on the Web so you have the data available if a problem arises.

IT offenders

Some tidbits for you CIOs: Watch your back. According to Saxton-Getty, a former IT manager and CIO, "a lot of the nefarious" Internet abuse resides within the IT organization. He chalks it up to the "entitlement" that permeates many IT organizations, in which employees are both overworked and not subject to the same checks and balances (double-entry accounting) as other areas of the company.

"You've got people running their own personal Web sites, their own personal email servers. We actually have an appliance that sees that and can tell us, 'Hey, we don't have an email domain called giftsmarts.com.'"

One more (off-color) word to the wise. Although bandwidth is not the primary problem related to holiday online shopping at work, be very wary of the goofing-off videos making the rounds, courtesy of YouTube. The folks at St. Bernard's call it a tube storm. "It's amazing how fast a little clip will traverse the email system. All of a sudden your whole company is looking at the monkey who scratches his butt, sniffs his finger and falls off a tree," Saxton-Getty said. "No harm, no foul, but it absolutely consumes bandwidth."

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Dig deeper on Leadership and strategic planning

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCompliance

SearchHealthIT

SearchCloudComputing

SearchMobileComputing

SearchDataCenter

Close