Cyber Deals Bring Data Steals
How Online Shopping Puts Your Business at Risk
Ecommerce sales increased by close to 20% this holiday season in comparison to last year. More than likely, employees did some of this shopping from their work computers. All this cyber-shopping may be good for business, but it could be bad for your business if employee shopping habits result in data security risks.
A recent Proofpoint study found that 33 percent of technology users surveyed use their corporate computers for shopping, and 75 percent of U.S. users let others use their work computers while out of office. That is no doubt against corporate policies, but as a pertinent DarkReading article explores, employees come up with all kinds of reasons for violating cybersecurity policies. Half of those surveyed weren’t even aware that their companies had a cybersecurity policy!
The DarkReading article also points out that 91 percent of cyberattacks start with phishing, and good phishing makes the cyber-shopping season one of the most wonderful times for hackers. After all, what harried professional is going to resist a pop-up ad offering half price on that coveted sweater or an Instant Pot or a Baby Yoda doll? Who’s going to notice a few grammar mistakes or hover over the link to check whether the real URL matches the link text? One wrong click and your networks are infected with spyware, ransomware, or the latest virus, potentially followed by a data breach that puts your customers, members, or employees at risk.
So, what can you do to protect your business, given that employees are going to shop from their work computers? First, be sure you have the technical basics in place: security software on every computer and network to detect anomalies that might spell trouble. You could also consider a browser isolation solution to sandbox browsing activity away from internal networks.
But ultimately this is a people problem, so the solution also needs to include people. If you don’t have policies in place about personal usage of PCs, write some. It may be acceptable for an employee to browse on their work computer, but it is not acceptable for them to make that computer available to friends and relatives. And if you find that an employee has violated cybersecurity policies, make sure there are consequences. At a minimum, that employee should repeat security training. Another good proactive step is to provide a privacy and identity protection solution for your employees and members, to flag problems early and to protect them in the event of a data breach.
Finally, because the cyber-shopping season does tend to be frenzied, consider a seasonal awareness program to educate employees about the corporate and personal risks of online shopping, and how to spot holiday shopping scams.
Some common phishing tactics this time of year include:
- Fake receipts and invoices, with malware hiding in PDF attachments
- Fake shipping status alerts with links to malware downloads or cloned websites that steal personal information
- Fake flyers and deals with bad links or attachments
- Fake customer surveys designed to steal personal information
- Fake appeals to donate to people in need
If you need content to jumpstart your education program, the U.S. Department of Homeland Security has a selection of downloadable resources about holiday shopping scams, including guidance for safe shopping online.
Every full-time professional knows that work-life balance is a challenge. So, unless you’re running a military-style top-security operation, staff members are sometimes going to browse, read email, and shop online. And that’s OK, unless their purchases bring trouble you never bargained for.
The holidays may be almost over, but spring sales are just around the corner, and back-to-school deals will be here before you know it. So perhaps tackling cyber safety should be a New Year’s resolution for your privacy and security team.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.