Employee Shopping Online & Exposing Company To Cyber Threats

Post hero image

Table of contents

Now that the holidays are just around the corner, it becomes more and more likely that your employees will do some of the holiday shopping online during working hours on the work device or through the workplace network.

According to the research from OpenX and Harris Poll, 69% of people admitted that they are shopping online during work. The number rises to 81% when you look at specific demographics: millennials.

In another survey from staffing firm Robert Half Technology (RHT), 35% said that they are shopping online at least once a week from work, and 36% claimed that they are buying more than once online during working hours.

You may think that the biggest problem with online shopping at work is lost productivity. But, you should rather worry about the cyber threats your company is under when your employees are making their online purchases from work.  Online shopping from work devices or through the network is a bigger problem than most organizations recognize.   Is there anything you could do about it? Or could you at least try to mitigate the risks?  

Why shopping online at work is a problem?

Most incidents start with a human error. This is perhaps the most quoted fact about cybersecurity (and you come across this one frequently).

Online shopping at the workplace is way more common than employers initially thought. This presents a lot bigger problem than just the lost productivity. Most organizations permit online shopping at work – or at least they don’t have clear policies against it.

Whenever your employees are using the internet, your organization is at risk. The risk multiplies when your staff is shopping online at work. As you can imagine, around holiday times, online shopping spikes at the workplace. The more people shop at work, the chances of making a mistake become significantly higher than usual. Whether the employees are shopping online using their work computer or they bring their own device, they are exposing your organization to a possible data breach.

Shopping from a work computer or using the office Wi-Fi makes you vulnerable to cyberattacks. Business-critical data is stored and transmitted on the computers, networks, and in the cloud. When people shop from work, and they make a mistake, they are making attackers work a lot easier, granting them easy access to your information. Suddenly, your company could become the target of a cyberattack.

People may use insecure websites, or they use their personal email addresses. These actions significantly increase the chances of employees becoming victims of phishing attacks. By clicking on the wrong links or attachments, malware could easily harm your systems.

Often, people use the same password in online shops and their work accounts. When a thief gets hold of their password, they can quickly get into the work accounts of your employees.    It could also be a problem that sometimes friends and families are using the work computers of your employees. In that case, even if you trained your employees to behave the right way, there’s not much you can do to mitigate the potential risks.  

How can you mitigate the risks of online shopping?

You must realize that most employees cannot recognize potential threats. Without adequate cybersecurity awareness training, they don’t have the knowledge nor the skills to understand what a potential threat could look like. You will have a crucial role in educating them to be better at identifying possible risks. Ideally, as a result of the training, they will change their behavior and the chances they would make an error could significantly decrease.

The best way to prevent accidents as a result of online shopping is that you create and promote a cybersecurity awareness program in your organization.

If you already have the program, make sure you define and follow security best practices about online shopping behavior. If you find it necessary, you can create a policy that establishes clear rules and guidelines, as well as the consequences for non-compliance. Make sure that your awareness program includes training materials on online shopping so that your employees are well equipped against risks they could encounter when they purchase something on the web.

Even if you don’t have a cybersecurity awareness program in place, you can try to prevent incidents by educating your employees on the dangers of online shopping. Start with creating a communication plan and include the following:  

  • What message do you want to communicate?  
  • What are the channels you’ll use?  
  • When would the training happen?  
  • Who takes charge of the process?

What to teach your employees about the dangers of online shopping?

It is essential to educate your employees on what the consequences of online shopping could be if something bad happened. If they are aware of how badly it could affect your business, perhaps, they would act more carefully. Also, you should emphasize how incidents could harm them on the personal level – such as stolen identities or emptied debit cards.   When you train people on the dangers of shopping online at work, focus on the following topics:  

  1. How to recognize secure and insecure websites.  
  2. How to recognize phishing emails and dangerous email attachments.  
  3. Most typical signs that something is shady on the internet.  
  4. What information they should never share when they are shopping online (such as their social security numbers).  
  5. How to use secure passwords.

2020: Make it the year of cybersecurity awareness in your organization

The global spending on security awareness training for employees is predicted to reach $10 billion by 2027. Forbes 500 and Global 2000 companies are investing more in their defenses, and one of their core focus areas is tackling the hazards of the human factor. As usually, smaller companies will follow their examples. So, we can expect that most CISOs will spend significantly more on cybersecurity awareness training for their employees.

While most companies invest in the latest cyber defense technologies, investing in employee training is equally important. Currently, security awareness training is still the most underspent sector of the cybersecurity industry. At the same time, phishing and other types of attacks are becoming more common. Equipping your employees with the right skill set to recognize and protect your organization against these threats should be on the top of your mind. For the best possible outcome, make sure that the training is more comprehensive than a one-time classroom training once a year.

If you have a security awareness program in place already, that’s great, you are already on the right path to incorporate your employees in your cybersecurity strategy better. If online shopping is not something you’ve included in your education, maybe you want to consider it. Provide your employees with clear guidelines on this topic so that they can improve their behavior. Small measures such as a campaign about the dangers of online shopping at work around the holiday season can have a severe impact on your organization’s security.  If you don’t yet have a cybersecurity awareness plan in place, we have just published a guide to how to create one. Use this roadmap as a guide to create a tailored program for your company and remember to include clear rules and training materials on the online shopping topic.

It will take enormous time and effort to create a strong cybersecurity culture, so you should start investing time and resources. Still, continuous enhancement can have a massive impact on your bottom line: a more educated workforce and healthier cybersecurity practices.  

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this