Online Shopping: A Classic Case of Convenience vs Security
It is certainly a new day and age for many aspects of today’s society. One prominent sector that continues to lead by example in this area is the Internet, more specifically the online shopping environment. Note that online shopping is not a simple matter of going to a website, clicking “buy,” and checking out. That would be too simple. Ironically, the purchase itself tends to be the simplest part. The crux of the experience begins with the search and research phase. What exactly does one need or want? Is there a particular brand in mind? Is there a popular alternative? Asking and gathering answers to these questions and many more begins the journey, and thanks to the power and slew of resources the Internet provides, shoppers are able to search common products, brands and uses, and to verify details such as durability and ease of use, based on the numerous rating systems, applications, web 2.0 solutions, social networking, and the ongoing phenomena that continue to evolve. So what does this mean? What does this have to do with security? Quite simply, all of this equates to more TIME on the Internet. Furthermore, the continued rise in scam and theft activity during the holidays is an additional cause for concern. As mentioned in a recent Cyber Risk Report, law enforcement and government agencies continue to search for and seize counterfeit and fraudulent websites, covering counterfeit merchandise as well as fraudulent website domains. More time spent on the Internet means more potential exposure to threats and vulnerabilities. Simple math, right? That said, let’s look at some numbers to provide valuable context.
Thirty-two percent of the employees surveyed recently by global IT organization ISACA say they will spend more time shopping online this year —using both their employer-provided equipment as well as their own devices accessing corporate networks—during working hours. As a security practitioner this last aspect raises the proverbial red flag and is a baited hook for a BYOD (Bring your own Device) security initiative. Check out MDM Not the Only Avenue for BYOD Security for more regarding BYOD security. Moreover, these shopping employees are vaguely aware of an IT policy at their workplace, yet believe strongly in an IT department that can protect all those who traverse the network in search of seasonal bargains. Ironic? You bet!
Revenue lost through loss of employee productivity is one thing, but a single click on a maliciously-coded coupon on a social networking site has the potential to allow holiday hackers to create data leakage, steal sensitive information, or cause a catastrophic loss of service that may result in untold damage to corporate brand and reputation.
ISACA reports these results from their survey of employees:
- One-third of consumers (34%) have clicked on a link in a social media site (up from 19% in 2010)
- More than one in 10 (13%) click on e-mail links from someone they do not know
Statistics and numbers abound, yes, but take a minute to think about how much time you spend online shopping and browsing throughout the holidays. How about throughout the year? Remember, while there is certainly a rise in vulnerability exposure this time of year, the methods discussed here (in particular the solutions and analysis) apply year round.
Now imagine one-third of the workforce clicking on Groupon-type coupons with no worries over compromising the corporate network. These employees report they will spend an average of 32 hours browsing for daily deals and scanning quick response (QR) codes in the three weeks that follow the American Thanksgiving holiday. What steps should IT departments take to protect the network from employees in search of online treasures? While we will provide ideas and solutions below, it is clearly the ultimate responsibility of the employee (shopper) to integrate and exercise caution and scrutiny in their shopping endeavors. Again remember, these ideas/solutions are applicable all through the year.
IT Department Solutions
1) Host an annual holiday training to educate your user/employee community on the threats and vulnerabilities at play, in addition to reiterating the organization’s applicable policies.
2) Communication is the mother of understanding, so constant communication throughout the organization regarding scams, vulnerabilities and other matters of concern is key.
3) Remember those logs you capture day in and day out? Now is as good a time as any to put them to use and review them for the kind of activity described above!
4) Validate and update web and email security filters. Every year brings new trends, so make sure you are updating your policies PRIOR to the holiday season being in full swing!
5) Review and update filtering practices and access control. Most often, at the end of the year organizations encounter a “freeze period,” a period of time during which no changes (other than critical changes) are permitted through the change management/review board. That does not mean ideas and solutions cannot be proposed or tested (in test/development environments).
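As an added example (not part of the original article), here is one way to act on items 3 and 4 together: run the web-proxy logs you already collect against a watchlist of lookalike hosts for often-spoofed brands and a list of known shopping/daily-deal sites, to size work-hour shopping traffic per user and to find lookalike hosts the web filter is still allowing. The log format, host names, user names and patterns are all constructed for illustration; a real deployment would use the organisation’s own proxy log format and the web filter’s category or threat feed rather than the hand-written lists below.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical, simplified format):
# <ISO timestamp> <user> <destination host> <bytes> <ALLOWED|BLOCKED>
SAMPLE_LOG = """\
2011-11-28T10:02:11 alice www.example-shop.com 5120 ALLOWED
2011-11-28T10:05:40 alice coupons.example-social.net 2048 ALLOWED
2011-11-28T10:06:02 bob paypa1-secure-login.example 1024 ALLOWED
2011-11-28T12:30:15 carol www.example-shop.com 7000 ALLOWED
2011-11-28T14:11:09 alice deal-of-the-day.example 900 ALLOWED
2011-11-28T15:00:00 bob coupons.example-social.net 3000 BLOCKED
2011-11-29T09:15:33 dave ebay-account-verify.example 1200 ALLOWED
2011-11-29T11:40:00 carol paypal-login-verify.example 800 BLOCKED
"""

# Hypothetical watchlist of patterns for lookalikes of often-spoofed brands.
# In practice these come from the web filter's category/threat feed.
LOOKALIKE_PATTERNS = [
    re.compile(r"paypa[l1]", re.IGNORECASE),
    re.compile(r"ebay-.*verify", re.IGNORECASE),
]

# Hypothetical list of known shopping / daily-deal hosts used to size exposure.
SHOPPING_HOSTS = {
    "www.example-shop.com",
    "coupons.example-social.net",
    "deal-of-the-day.example",
}

WORK_HOURS = range(9, 18)  # 09:00-17:59, assumed working day

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOWED|BLOCKED)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    ts, user, host, nbytes, action = match.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "host": host,
        "bytes": int(nbytes),
        "action": action,
    }


def analyse(log_text):
    """Return (lookalike_hits, shopping_requests_per_user, filter_gaps).

    lookalike_hits: (user, host, action) for every request to a host matching
        a lookalike pattern, whether or not the filter stopped it.
    shopping_requests_per_user: allowed requests to known shopping hosts
        during working hours, per user.
    filter_gaps: lookalike hosts the filter ALLOWED, i.e. candidates for a
        filter update before the season is in full swing.
    """
    lookalike_hits = []
    per_user = defaultdict(int)
    filter_gaps = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole review
        if any(p.search(rec["host"]) for p in LOOKALIKE_PATTERNS):
            lookalike_hits.append((rec["user"], rec["host"], rec["action"]))
            if rec["action"] == "ALLOWED" and rec["host"] not in filter_gaps:
                filter_gaps.append(rec["host"])
        if (rec["host"] in SHOPPING_HOSTS and rec["action"] == "ALLOWED"
                and rec["ts"].hour in WORK_HOURS):
            per_user[rec["user"]] += 1
    return lookalike_hits, dict(per_user), filter_gaps


if __name__ == "__main__":
    hits, per_user, gaps = analyse(SAMPLE_LOG)
    print("Lookalike requests:", hits)
    print("Work-hour shopping requests per user:", per_user)
    print("Lookalike hosts the filter allowed (update candidates):", gaps)
```

The third return value is the one that feeds item 4 directly: every host in it was reached through the proxy despite matching a lookalike pattern, so it is a concrete candidate for the filter update, and proposing it during a freeze period costs nothing. The per-user count from item 3 is what gives the training in item 1 real numbers to talk about.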
Employee (shopper) Solutions
1) Make sure your anti-virus software is up to date. You may want to schedule scans to run more often.
2) Look for the s: not just for sales, but in https://. Try to shop on secure websites. Keep in mind that https:// only means the connection to the site is encrypted; it does not by itself prove the site is genuine, so the other checks here still apply.
3) If a website looks even the least bit suspicious, or has multiple pop-up windows, or in any way sets off a feeling that you might get more than you bargained for in terms of identity theft, point your browser elsewhere.
4) PayPal, eBay, and other often-spoofed websites will never ask you to click a link in an e-mail or reply with personal information. Delete those e-mails, even the ones that claim to be URGENT!
5) ‘Tis the season for amazing offers, often found in coupons on social media websites. Don’t be a coupon-clicker unless you are 100% sure it won’t deliver malware to your system.
In summary, there are many counterfeit websites (especially during the holidays): obviously, employees (consumers) need to know that if a deal seems too good to be true, it very likely is. Employees and users are, as always, cautioned to avoid clicking on amazing offers, ignore urgent e-mails from strangers, and engage in responsible surfing. Employers who are lacking security policies and measures will need to hope for holiday miracles as their employees begin clicking for gifts and holiday cheer!
ISACA survey Key Findings: http://www.isaca.org/SiteCollectionDocuments/2011-US-Online-Holiday-Shopping-Key-Findings.pdf