Holiday shopping with personal devices at work could pose security risk

Almost half of IT members in ISACA survey say bring-your-own-device trend is worrisome

Workers are planning to do more online holiday shopping this year while on the job, with many using their own personal smartphones and tablets, a new survey shows.

As a result, many IT managers are worried about corporate network security since personal devices may face a greater risk of being hacked during shopping forays, according to ISACA, a non-profit IT advisory group with 95,000 members. Most are IT workers and managers.

In two surveys, ISACA found that the average American will spend 32 hours shopping online this holiday season, with 11 of those hours on a personally-owned smartphone or tablet that is also used for work tasks. Because the device connects to corporate networks and accesses data at times, its use for personal online transactions can pose a significant hacker risk to companies unless precautions are taken, ISACA officials said.

"Our key point is that we want to ensure the 'bring-your-own-device' trend works in a secure manner and that workers are following processes that the organization has put in place," said Rob Stroud, past international vice president for ISACA and vice president of strategy and innovation at CA.

The so-called BYOD trend has escalated in the past 12 months, Stroud noted, as companies such as IBM and others have allowed workers to bring in their favorite devices to connect to corporate VPNs and email systems. The "consumerization of IT" has flourished with abundant apps and smarter devices such as Android and iOS smartphones and tablets, he said.

Separately, analysts have taken note of the trend. Companies have sometimes allowed workers to use their own devices in the office because even when a certain smartphone is required to access corporate networks, a worker will circumvent that requirement using his or her own device.

"Employers are saying we realize you are a valued employee so if you spend the odd hour here and there doing the odd piece of shopping at work, it makes for a happier employee," Stroud explained.

At the same time, connected devices can pose security risks to corporations, and employees need to be educated to lessen potential risks. "Educating good behavior is better than putting up total brick walls," he advised corporate IT shops.

The kind of training companies need to offer BYOD workers is fairly mundane: advising users to remember to download OS updates, use strong passwords and VPNs, avoid clicking on email attachments from strangers and be careful when using GPS tracking services.

Stroud said he has heard anecdotally of corporate security problems caused by BYOD activities, but didn't offer any examples. He personally once left his iPhone in an airport coffee shop, and it could have been wiped clean of all data -- including sensitive corporate information -- if he hadn't found it quickly.

While security policies for BYOD devices might seem to be for the benefit of employers, they can also help workers. For example, a worker could lose personal data and shopping transaction confirmations if smartphone data is wiped clean by IT. Knowing a company's policy for when a device may be wiped of data is essential.

With GPS, workers need to learn to turn geo-location features on and off, depending on their level of perceived risk, Stroud said. Conceivably, a hacker could track a user's whereabouts with GPS and know he or she has left home -- leaving the home vulnerable to burglary, Stroud said.

"In this world of consumerized IT, we need to reinforce education of users...," Stroud said. He suggested IT shops have annual refresher security courses for users. "The challenge is not to do it too much, or it's like the boy who cried wolf."

In one of two polls that ISACA conducted, 4,740 ISACA members in 84 countries were asked in October about online shopping on the job and BYOD security. For North America, 48% of the ISACA members said the risks of allowing BYOD outweighed the benefits. Also, 44% said allowing workers to shop and do other personal activities on work time was designed to promote a better work-life balance.

A second poll ISACA coordinated with 1,224 consumers found that 32% plan to do more holiday shopping than last year using a BYOD device or one supplied by the workplace. On average, they expect to spend 32 hours shopping online this season.

Stroud said that the increase in shopping is expected partly because it is easy to use a mobile device to shop, especially for daily deal sites such as Groupon and Living Social.

Almost half of consumers shopping with a work-supplied device or a personal device used for work said they have clicked on a link in an email sent by a company other than their employer. And 22% said they had used their work email address for personal online shopping or other non-work online activities.

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen or subscribe to Matt's RSS feed. His e-mail address is mhamblen@computerworld.com.

Copyright © 2011 IDG Communications, Inc.
