Given the round-the-clock demands made on many American workers, a little holiday shopping on company time is no big deal, right? Not according to security experts like Troy Saxton-Getty. And especially not this season. In an uncertain economy, shoppers are more likely to seek out bargain sites and ultimately put themselves, and their companies, at risk.
A lunchtime shopping expedition can give rise to a zombie (an insecure Web server), and the computer in cubicle C become a node for spamming. "So now your company's IP address becomes a known spammer, and you're wondering why your email doesn't get delivered to your customers," Saxton-Getty said.
According to a pair of surveys conducted for online retailer association Shop.org, 72 million people planned to shop online on Cyber Monday, the first working day after the year's busiest shopping weekend; actual traffic was up 26% over last year.
The phenomenon is hyped as a testament to the growing market of online commerce and a colossal time waster for employers. Chicago-based outplacement firm Challenger, Gray & Christmas (no joke) Inc. estimates the Monday shopping spree will cost employers $488 million in lost time. The estimate is based on average salaries and minutes devoted to online shopping, spokesman James Pedderson said. A BusinessWeek article disputes the online traffic numbers, however; other reports question the productivity loss, as well.
Still, browsing on company time is not confined to the Christmas rush. St. Bernard calculates an average 10% to 14% of the "typical knowledge worker's" Web activity at work is used for personal business, from buying concert tickets to sending in the rent check.
"If you track bill-paying services, you would be amazed at how many people go onto their bank site while they are at work," Saxton-Getty said.
Ease is a big factor. Company pipes are bigger, so the Internet connectivity is better, and people are time-challenged. Personal browsing habits vary, he said. Some employees opt for first thing in the morning, or lunchtime, while others tend to take their browsing break after finishing a chunk of work. "The line in the sand ethically is also all over the place. Some people see their breaks are employer-sanctioned personal time. Others feel, 'Hey this place works me awfully hard, I'm going to take care of myself first.'"
Spyware voted biggest threat
The 10% to 14% statistic is invariably an eye-opener for executives, said Saxton-Getty, who addresses executive member organizations like Vistage International Inc. and the Young Entrepreneurs' Organization on this topic. Some head honchos get upset over the bandwidth hogging and loss of productivity implied by the statistics. But in a 24/7 work culture, the bigger issue, security experts say, should be the company's vulnerability to cyberattacks and the potential reputational damage risked by this extracurricular activity.
"So, yes, CIOs need to be concerned about peer-to-peer networks and online shopping, but more important, there needs to be good training, something many companies are deficient in, " Oltsik said.
As for risks related to employee use of company bandwidth for personal use, executives tend to gravitate toward two extremes, said St. Bernard's Saxton-Getty -- the trusters and the vigilantes. "I tell these CEOs you're going to go blind and you're going to get p----- when you figure out what is really going on inside your company, but you are foolish not to have some sort of mechanism that tracks and logs Internet use," Saxton-Getty said. His company recommends a middle ground: Use appliances to monitor what your employees are doing on the Web so you have the data available if a problem arises.
Some tidbits for you CIOs: Watch your back. According to Saxton-Getty, a former IT manager and CIO, "a lot of the nefarious" Internet abuse resides within the IT organization. He chalks it up to the "entitlement" that permeates many IT organizations, in which employees are both overworked and not subject to the same checks and balances (double-entry accounting) as other areas of the company.
"You've got people running their own personal Web sites, their own personal email servers. We actually have an appliance that sees that and can tell us, 'Hey, we don't have an email domain called giftsmarts.com.'"
One more (off-color) word to the wise. Although bandwidth is not the primary problem related to holiday online shopping at work, be very wary of the goofing-off videos making the rounds, courtesy of YouTube. The folks at St. Bernard's call it a tube storm. "It's amazing how fast a little clip will traverse the email system. All of a sudden your whole company is looking at the monkey who scratches his butt, sniffs his finger and falls off a tree," Saxton-Getty said. "No harm, no foul, but it absolutely consumes bandwidth."
Let us know what you think about the story; email: Linda Tucci, Senior News Writer