Taking Steps to Protect the Network on Cyber Monday
Cyber Monday is coming soon – many SMBs aren’t protected from the threats posed by employees shopping online from work.
Online holiday season retail sales grew 12 percent (Forrester Research Inc.) last year and much of this was done by employees using company computers in the workplace. Last year, 55.8 percent of workers with Internet access said they planned to shop online on Cyber Monday (National Retail Federation). This year does not look like it will be any different with over 40 percent of online shoppers stating they shop online because of the ability to shop at any hour of the day (Shop.org). Further, some say they shop online because of the new websites and tools that are springing up to help consumers locate the bargains they want (MarketingVox).
According to a study published by ISACA, a nonprofit association of IT professionals, the most prolific shoppers are those in the 18-24 age bracket, as 40 percent of those in this bracket said they will spend up to five hours doing online shopping from their desks. Ironically, this group is also typically the least concerned about the security of their work PCs.
“The fact that so many plan to do holiday shopping from their work computers, combined with their lack of concern for how secure their computers are, points to an urgent need for employers to pay closer attention to what employees are doing online during office hours and to educate employees to be careful what sites they are visiting and what files they are downloading”, says David Kelleher at GFI Software.
According to a recent GFI survey of small-medium businesses (SMBs), only 9 percent said they are concerned about internal threats and only 36 percent monitor employee browsing activity. There are two points that merit discussion. First, companies are still ignoring the fact that employees are the weakest link in security and that their actions can cause serious problems. Second, if so much time is spent shopping online during office hours, then that business has a productivity problem.
Businesses should be more concerned during the holiday season because an increase in online activity and browsing of non-work-related websites is both a security risk and a business problem.
The following are some tips that can help businesses to improve both security and productivity.
- Monitor users’ activity 24 x 7 – If your business is concerned that people are spending too much time online and downloading non-work-related material, then you need to exert some form of control. Monitoring user activity will cut down on abuse, while implementing web security measures will prevent malicious code from entering your network through irresponsible browsing. With proper measures in place, there is no harm in allowing employees to shop online during the lunch break – so long as you know what’s happening.
- Acceptable usage policies – In small organizations, security policies are either non-existent or never enforced. Every organization should provide new employees with an acceptable usage policy that defines how they use corporate computers, what is acceptable in terms of Internet use and what is not tolerated or accepted. Moreover, this document should be signed by the employee the day he or she joins. This will greatly reduce the risk of an employee who is dismissed for breach of the policy fighting back by saying that he or she was never told what they could or could not do.
- Education – Explain to employees why they have to be careful when browsing the Internet. The usual ‘because I say so’ approach does not work with them. It only spurs them to bypass whatever the IT manager is telling them not to do. Employees are intelligent and will understand basic concepts of security, especially when they can associate actions with the results those actions will have on their ability to do their job. Gaining an employee’s understanding is essential if an organization wants their cooperation, even more so during this holiday season.
- Everybody is a potential security threat – SMBs need to approach security without allowing emotions and friendship to interfere. Every employee, including the CEO, is a security risk. Employees need to understand that controls are there for good reason and not because the company doesn’t trust them. The IT manager is employed to ensure the network is as secure as possible; and if that means stepping on people’s toes, so be it.
- Invest in technology – Security should not be considered an expense but a cost of doing business in an online age. It is also recommended that you invest in a security awareness program. Technology and awareness need to be managed together and not separately.