SINGAPORE, 1 DECEMBER 2008 - With the holiday season approaching, computer networks of Hong Kong companies are at risk from external attacks as employees start to spend more time shopping online, according to a survey by governance and security organisation ISACA (Information Systems Audit and Control Association).
The study, titled Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety, 42 per cent of Hong Kong employees are likely to spend two or more hours shopping online using a work computer between November and December.
However, more than half (54 per cent) of the respondents’ companies indicate that they do not educate their employees about the risks that online shopping poses.
While approximately 60 per cent of the companies said they have no security measures in place to prevent employees from shopping online at work, more than 55 per cent of these companies think their employees do not fully understand the risks to which they are exposing their companies with shopping online from their workplace computer.
ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of back-door ‘agents’ that can highjack corporate data.
For online shoppers:
• Make sure Web sites you connect to have SSL encryption while you are entering personal information.
• Do not allow sites to save your username or password. Avoid providing your work e-mail address as your contact information.
• Delete cookies from your computer after you are finished shopping.
• Use separate browser sessions for your holiday shopping versus your work-related browsing.
• If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animation onto your work computer.
For the IT department:
• Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
• Tailor education programmes to match the various demographics, attitudes and technology know-how of groups within the workplace.
• Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
• Make sure that patches are deployed, security functions are enabled, and firewall rules, intrusion detection system (IDS) signatures, and spam filters are updated regularly.
• Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.
