It’s Nothing Personal: Takeaways from Cyber Monday

Cyber Monday did not disappoint this year: Americans spent a record-breaking $6.59 billion online, up 16.8% from last year.

With the pressure on to snap up those deals before the end of the day, some are tempted to take a quick peek at their personal inbox or favorite shopping sites while at work. Seems harmless, but what we don’t always consider are the cybersecurity risks involved when employees use work computers for personal activities.

 

Cyber Monday, Cyber-Safe

Recent history offers a slight contradiction here: Cyber Monday came about because of online shopping at work. The first Monday after Thanksgiving, employees took advantage of the high-speed internet at their office to get a jump on their holiday shopping. Nowadays, however, most Americans have speedy home internet access. Maintaining the tradition of personal use on company computers isn’t just unnecessary, it can also be unsafe.

Most of us don’t have the kind of email filtering and spam protection on our personal email accounts that our company uses, so the chances that employees will receive and interact with a phishing email are higher. This is especially relevant through the holidays when we receive a flurry of promotional emails – it’s easy for a well-crafted phishing email to hide amongst all the legitimate deals.

Email aside, online shopping takes us all over the internet. Without guidelines, employees may unknowingly travel to malicious shopping sites, putting the device and company at risk of malware or a data breach.

 

Good Intentions, Bad Follow Through

While employees usually have nothing but good, and personal, intentions when shopping online at work, the reality is that the company takes on additional risk when things don’t stay business:

  • Personal social media use can open the door to social media phishing

  • Installing non-business applications can expose devices to malicious apps masquerading as harmless ones

  • Online games can be attack vectors, even if reputable and popular

  • Video, download, gambling, and adult websites are notoriously loaded with malware and drive-by downloads

  • Lists of personal contacts and access to file-sharing sites can increase the chance of an insider threat incident, deliberate or not

In addition, there are business and efficiency considerations:

  • Strain on IT to manage updates, security, and support for personal programs

  • Increased opportunity for distraction during work hours

  • Use of device storage space or network bandwidth by non-business programs

 

Practice Best Practices

Keep these techniques in mind to help encourage best practices:

  • Clearly state the company’s decision on personal use in the Technology and Data Use Policy. It’s also recommended to add a “no expectation of privacy” clause stating that all information and history on company devices can be accessed by management.

  • Explain the reason behind the policy during employee onboarding and continue to discuss it regularly.

  • Employ technology such as mobile device management (MDM) and application and media controls that restrict the programs and websites employees can access.

 

As with many cybersecurity points, simply understanding the risks helps us to make more informed policy decisions. In the end, it’s nothing personal – just good business.

Stay Safe,

Your Friends @ Defendify