‘Tis the season for cheer and shopping, and while small business owners openly welcome the cheer, some have mixed feelings about letting employees do their online holiday shopping from the office.
Online shopping may sound harmless, but the reality is that many businesses are not aware of the security risks associated with online shopping or know how to protect their business computers from the threats.
The easy solution would be to prohibit employees from shopping online while at work, but not many small business owners really want to be known as the “The Grinch” for seasons to come.
An Acceptable-Use Policy
Steve Yin, vice president of global sales and marketing for St Bernard, the company behind the iPrism Internet filtering appliance, recommends small businesses deal with holiday shopping by establishing an acceptable use policy (AUP) or updating your existing policy to include terms for shopping site access.
An acceptable use policy defines what employees can and cannot do at work, and it outlines unacceptable use of work computers and Internet access. An AUP typically prohibits access to online gambling and adult Web sites and peer-to-peer file sharing networks. The policy also details a company’s right to access e-mail, includes policies for liability disclaimers and lists of actions or behaviors that will result in termination.
According to Yin, some of the best and well-received policies allow personal computer time during work hours (including holiday shopping), but also require employees to stay within standard Internet security safeguards to protect work computers.
A holiday shopping policy should include guiding principles for two main areas of concerns; security risks and potential productivity loss associated with online shopping at work.
What Are the Security Risks?
Holiday shopping comes wrapped in real security risks. The number of fraudulent Web sites increases, as do phishing scams that offer amazing online deals, which makes it easier for employees to unintentionally introduce malware and other vulnerabilities to work computers.
A new ISACA survey of 4,000 consumers and ISACA members found that sixty-three percent of employees planned to shop online from their work computer. One in four of those surveyed said they didn’t know how to determine if the Web site they were shopping on was a secure site.
The ISACA reports that nearly half of the employees who responded to the survey have clicked an e-mail link to go to a retail site from their workplace computer. This is the type of innocent action that could expose a small business to malware from unscrupulous Web sites.
Minimize Shopping Risks with Secure Practices
John Pironti, chief information risk strategist for CompuCom said that most people do not know that November and December are peak months for malware infestations and fraudulent Web sites.
He recommended businesses that allow online shopping at work also educate employees about holiday shopping risks and make certain that employees can spot fraudulent or unsecure Web sites, and that they are aware of holiday scams.
You need to make sure that employees know the difference between a secure and unsecure retail site and that they look for the padlock symbol or protected message on their browser. Employees can also minimize risks by not opening shopping sites in the same browser window they’re using to load work pages in, deleting cookies and not saving data in the browser on a work computer.
Pironti also recommended that you use knowledgeable sites like MacAfee, Symantec, Bank Info Security to help your employees stay safe on shopping sites.
While common sense and secure shopping practices has to take precedence, businesses still need to have standard security safeguards in place.
Steve Yin said, “Just because you are making allowances for online shopping, you still have to work that around standard safeguards, such as blocking downloads, adult sites, and access to peer-to-peer sharing networks.”
Both security experts agree that employees should not use their work e-mail address for personal shopping. Instead, use a free service like Gmail to reduce security risks to work computers. Pironti e also suggests that shoppers not opt-in to receive future mailings because your information is often shared with unknown third parties. Saving your information on retail Web sites is also risky.
Don’t Forget Productivity Loss
Security issues associated with holiday shopping is a big concern, but productivity loss is also a worry for some small business owners.
More than forty percent of the organizations taking part in the ISACA survey thought they would lose an average of $3,000 USD in productivity per employee from online holiday shopping at work during November and December.
Yin recommends that small business owners develop a policy that prevents productivity drain. One way to do this is to allow holiday shopping only during off-peak hours. For example, allow online shopping in the early morning, before and after lunch, or when your office typically experiences downtime. This encourages employees to stay on task and they can happily fit in some personal shopping time.
A Good Policy Is the Best Place to Start
Remember that employees are not intentionally inviting security risks into the workplace or wasting away work hours. Many shop at work simply because the Internet connection speed is usually faster than at home and no family members are around to spoil the gift-giving surprise. There’s no malicious intent in that.
The best way to deal with holiday shopping at work is to create a policy that protects your computers from security risks, keeps employees on task during the holidays and still allows some personal time to shop on work computers.
Small business owners playing Santa with guidelines is better than being considered a Scrooge by your employees. Knowing the holiday shopping risks and provisioning for them in your AUP will protect your business computers and also keep employees productive during the holiday season.
Vangie Beal is a seasoned online marketplace seller and an avid online bargain hunter. She is also managing editor of Webopedia.com.
This article was first published on SmallBusinessComputing.com.