The Information Systems Audit and Control Association (or ISACA to its friends) has completed its fourth annual “Shopping on the Job” survey. The study examines “risky online activities” that workers engage in while using their own devices as well as company-owned computers.


The ubiquity of Internet connectivity and Internet-connected devices means that we are rarely far from the web at any time, especially during our working hours in an office environment. With our favorite browser just one click away, companies are realizing that the cost of lost employee productivity has become a very real factor impacting their business.


Typical activities include social networking, chat and even gaming – but of course November and December also bring a surge in electronic shopping as we approach the holiday season; and none of these activities comes without an associated risk of exposure to malicious links, phishing scams, identity theft and so on.


ISACA’s total sample of 1,224 respondents found that 775 of workers spend time online shopping using either work-supplied or personal devices. Nearly one-third of consumers (32%) say that they plan to do more shopping than last year using their work-issued or their own device, potentially increasing IT security risks for their employers.


Although consumers using work devices are becoming increasingly concerned about the risk of new technology such as location-based tracking (suggesting that there is increased awareness of the consequences of compromising work information) they are still doing it — on average, consumers with a work-supplied device or personal device used for work purposes plan to spend 32 hours shopping online.


According to ISACA, “While the number of hours spent shopping while at work may have decreased year-over-year in 2011, the use of personally owned devices with corporate access, coupled with uncertainty about policy, and the assumption of IT backup, threatens company security and proprietary information.”


But is the tide turning?


Whether they are using work or personal devices, 37% of workers say that they are starting to use PayPal or other secure payment services to protect their purchases, their money and their identity. However encouraging this may be, the facts also state that 28% of consumers using work devices to do holiday shopping assume their IT department is ensuring their work-supplied computer or smartphone’s security.


To compound this reality, the younger the worker/consumer is, the greater the level of assumptive carelessness they tend to exhibit.


Many companies will be keen to promote the work-life balance ethic and allow a limited “reasonable” amount of social networking, holiday shopping and even non-work related socializing while employees are using company machines. The problem is that 16% of workers questioned said that their employer has no formal policy prohibiting or limiting personal activities on work devices. In addition, about one-fifth (20%) do not even know if their firm has a policy on these topics, indicating a need for better communication.


Interestingly, men appear to be more intent on online shopping than women at this time and, again to make matters worse, men exhibit less awareness of online security risks.


In summary, the results of this study are somewhat sobering to say the least. The so-called “consumerization of IT” is the term we use to describe employees bringing their own highly powerful Internet-connected devices (such as tablets and smartphones) into the workplace – and this trend is only increasing right now. The risks to company information security are, logically, also increasing.


It is the season to be jolly. But it is also the season to be careful when it comes to business IT security.
