ISACA Survey: Hong Kong and China IT Professionals Expect Employees to Do More Online Shopping at Work

HONG KONG (1 November 2011)—With more freedom given to employees for shopping online and accessing daily deal and social networking sites (SNS), such as Groupon and Facebook, with a work-supplied computing device, IT professionals in China and Hong Kong anticipate that employees will do more holiday online shopping at work this year, increasing risk to the enterprise, a new survey finds.


The global 2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security, conducted among more than 4,700 business and IT professionals who are members of nonprofit IT association ISACA, shows the current attitudes and behaviors related to the risk and rewards associated with online shopping and the use of personal and work devices around the world.


4 in 10 IT professionals estimate that employees will spend an average of more than 12 hours shopping online during work hours

More than 50% of respondents in China and Hong Kong predict that employees will do more online shopping during work hours this year. More than half also predict that employees at their enterprises will spend more than six hours shopping online using a work-issued computer during the holiday season (November and December) and another six hours or more using a personal computer or smartphone during work hours.


In China and Hong Kong, 34% of respondents state that their enterprises allow employees to shop online, and an additional 26% allow it with some restrictions. Nearly 40% allow them to access SNS or daily deal sites using a work-supplied device, with another 23% allowing it with restrictions. Respondents in the US say their enterprises are more likely to prohibit or limit access to SNS and daily deal sites, as well as limit the use of work-supplied mobile devices for personal use.


“The survey shows that companies in Hong Kong and China tend to have more flexibility regarding the use of work-supplied devices for personal purposes, such as online shopping and social networking, compared to other parts of Asia and the United States. It is positive that organizations here are taking an ‘embrace and educate’ perspective, which allows them to get the benefits of using the technology available, while equipping employees with the training and awareness needed to minimize security incidents,” said Michael Yung, president of the ISACA China Hong Kong Chapter.


In some areas, the results are more similar. For instance, respondents in the US, China and Hong Kong, and the entire Asian region all reported that the following three activities pose a high risk to the enterprise:

  • Clicking on an e-mail link to access an online shopping site from a work-supplied computer or smartphone;
  • Downloading personal files, such as music and pictures, onto a work-supplied computer or smartphone;
  • Losing/misplacing a work-supplied computer or smartphone. 

“To make sure that access to SNS and daily deal sites, as well as online shopping, is done safely with work-supplied devices, employees should be very careful with the company information on their devices, password-protect the devices, and ensure that the security tools and processes protecting the work-supplied devices are kept up to date,” said Yung. “From the IT department side, promoting awareness of the security policy is always key for effective risk management. It is also important to use secure browsing technology, encrypt data on devices, and take advantage of some of the industry best practices and governance frameworks like the Business Model for Information Security (BMIS).”


Additionally, 28 percent of both US respondents and those in China and Hong Kong say that their enterprise prohibits the use of personal mobile devices for work purposes—a trend known as “bring your own device” (BYOD). Respondents in both areas say that the risk currently outweighs the benefits, but as employers increasingly allow BYOD, it is critical for IT professionals to put the proper controls in place to mitigate the risk. Information on securing mobile devices is available at 

View full survey results.


ISACA Survey: IT Professionals in Latin America Say Online Shopping at Work Increases Risk during the Holiday Season

Mexico City (1 November 2011) – As online shopping via mobile devices increases worldwide, risks for enterprises’ information systems grow, too. According to the 2011 Shopping on the Job Survey: Online Holiday Shopping and BYOD Security, conducted by global IT professional association ISACA, 52% of the 272 IT professionals surveyed in Latin America believe that employees will increase their online holiday shopping during work hours this year.

The increase in online holiday shopping is driven largely by the use of smartphones or tablets worldwide, according to a recent e-Marketer study. Using mobile devices for shopping, especially work-supplied devices, is a high-risk activity. More than half of the ISACA survey respondents in Latin America (59%) say that clicking links to online stores from e-mails presents a high risk to corporate networks and information.

Despite concerns about employees using work devices for personal activities, only 24% of respondents say their enterprises ban it; 38% set limits, and 35% allow work devices to be used for personal activities. The widespread use of geolocation technology is also increasing risk. Yet, 57% of respondents report that their organization has not established security guidance on its use for employees.

“Smartphones are quickly becoming part of our personal and work lives, and the line between the two is increasingly blurring as a result. Implementing security policies and training on using mobile devices will improve risk prevention,” said Gustavo Solis-Montes, CISA, CISM, CGEIT, CPA, President of the ISACA Mexico City Chapter.

Global results
The 2011 ISACA Shopping on the Job project surveyed 4,740 ISACA members in 84 countries in Africa, Asia, Europe, Latin America, North America and Oceania. Each region’s results help IT professionals identify trends, attitudes and behaviors related to online shopping and use of personal and work devices.

Among the similarities found in all regions, most participants agreed that their employees will spend between 1 and 2 hours shopping online using company-issued computers during work hours and another 1 to 2 hours using personal mobile devices during work hours. The regional differences lie in the policies regarding use of IT resources and time for personal activities. In North America and Europe, about 40% of respondents say that their enterprises allow employees’ use of IT assets and time for personal purposes to promote work-life balance. In contrast, about 50% of respondents from Asia and Latin America said their companies restrict the use of IT resources and time for personal purposes due to security concerns.

As part of their risk management and security systems, companies have specific measures to prevent or limit security incidents related to employees’ risky activities:

  • In North America and Europe, 75% of respondents say their enterprises use technology to protect against web-based attacks.
  • In Asia, 63% say their companies offer training on security awareness.
  • In Latin America, 61% say their enterprise monitors employees’ Internet use.

The majority of respondents in all countries believe that the risk that results from using personal mobile devices for work activities—a growing trend known as “bring your own device” (BYOD)—currently outweighs the benefits. However, as companies increasingly allow employees to BYOD, enterprises must take an “embrace and educate” approach: embrace the technology and the benefits it brings, while educating employees about minimizing the risk.

View full survey results.

Guidance on securing mobile devices:


ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens UK Online Shopping Risk

London, UK (1 November 2011)—UK consumers say they’ll spend more time shopping online than in 2010. But according to the UK edition of ISACA’s fourth Shopping on the Job Survey, two-thirds of this time will be on devices also used for work, posing significant risk to enterprises.

The 2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security found that UK respondents plan to spend 29 hours shopping online this holiday season, 23 of which will be spent on a work device or a personal device also used for work—the BYOD (bring your own device) trend—and 9 of which will take place during work hours.  

Research published independently during October, by the Office of National Statistics, shows that £1 in every £10 is now spent online. Unsurprisingly, ISACA’s study found that 50 percent of employees say they will spend more time holiday shopping online this year than last year, so enterprises need to manage risky behaviours.


ISACA, an independent nonprofit association of 95,000 IT audit, security and governance professionals, conducted the Shopping on the Job Survey in two parts: consumer surveys in the US and the UK, and a global survey of more than 4,700 of its members in 84 countries. 



Use of personal devices for work—typically more difficult to secure than work devices—means sensitive corporate information may be compromised.

“The UK consumer survey shows that 54 percent of employees have a personal device they use for work. BYOD is here to stay,” said Marc Vael, director, ISACA. “However, since most ISACA members say the risk outweighs the benefits, education is strongly needed.”

Fully 75 percent of UK consumers say they would turn off location tracking because of risks like stalking or identity theft. More than a third of UK consumers (40 percent) have clicked on a social media link and 15 percent click on e-mail links from unknown sources.


“ISACA’s fourth online holiday shopping survey shows employees are unwittingly risking bringing viruses and malware into work. New this holiday season is growing BYOD, so organizations must focus on embracing emerging technology and educating employees on security,” said Ken Vander Wal, CISA, CPA, international president of ISACA.


ISACA offers tips for employees:

  • Find out if your company has a policy for using personal devices for work.
  • Understand what happens if that device is lost.
  • Follow ISACA’s five-step “ROUTE” for geolocation.
  • Encrypt and password-protect sensitive data on the device.
  • Only load apps from a trusted provider. 

The UK consumer survey shows that 10 percent say their organizations don’t have a policy prohibiting or limiting personal activities on work devices and 20 percent don’t have a policy regarding work activities on personal devices. 

“There is a gap between what IT departments do and what employees understand,” said Christos Dimitriadis, international vice president, ISACA, and head, information security, INTRALOT S.A. “Corporate IT security professionals need to raise their game to secure systems against the risk involved.”


View global survey results.