Nearly half of executives surveyed don't believe their employees would be able to spot a bad actor posing as an online retailer, Zix-AppRiver found.
The majority (82%) of small- to medium-sized business (SMB) executives believe "many" of their company employees will use work devices to shop online this holiday season, a Zix-AppRiver report found.
With business data stored and transmitted on work devices, using the same devices to shop online can leave this valuable information vulnerable to attack, according to the report.
Zix-AppRiver's Cyberthreat Index for Business was developed with the University of West Florida Center for Cybersecurity. The report surveyed 1,049 C-level executives and IT decision makers at SMBs around the US. The SMBs covered a variety of industries including technology and telecom, retail, education, business services and consulting, and financial services and insurance.
More than half (61%) of respondents know that online shopping by employees is risky for their business information and customers, but believe it is "a fact of life; and there is not much I could do about it," according to the report.
Nearly half (49%) of all SMBs surveyed aren't confident that most employees could tell the difference between a legitimate link and an illegitimate one from a cybercriminal posing as an online retailer, the report found.
Employees can be just as dangerous to business security as hackers and cybercriminals. Cybersecurity breaches caused by employee error are very common, to the point that employee mistakes are an even larger threat to data security than hackers, leaving the majority of IT and security professionals most afraid of insider threats.
These threats become even more prominent during the holidays, when cybercriminals have heightened activity, preying upon unaware shoppers by posing as popular online brands, said Jeff Pollard, vice president and principal analyst at Forrester.
"When you think about what goes into shopping—especially holiday shopping—it isn't as easy as going to one trusted website, finding everything you want and need in stock, and ready to ship right away. You have to search for the right gift, find it in stock on the right e-commerce site, with shipping available in the right time frame, and often then hunt for discounts and coupons," Pollard said.
"All of those activities expose the organization to risk when it's performed on a business system. Using work systems could expose users to malicious links on shady websites and infect systems. Now, holiday shopping at work went from a quick purchase to an infected system."
Executives at larger SMBs are more likely to expect their employees to holiday shop on business devices. The majority (88%) of executives at medium-sized SMBs and 90% of executives at the largest-sized SMBs believe their employees will be doing so this holiday season, the report found.
Following in the same vein, 64% of medium-sized SMB executives and 68% of large-sized SMB executives said there is nothing they can do to stop these practices, despite knowing they occur.
"Another secondary issue comes from reusing passwords. When a user is on a work computer and find themselves needing to register on an e-commerce site they haven't used before, they might reuse a work email and work password during the registration process," Pollard said. "Being at work, in the building, after recently logging in to work systems could make them think of those usernames and passwords first. While not an issue right away, if that e-commerce site is compromised, or gets compromised later, that could also place the business at risk."
Whether or not these practices are inevitable, as the report found, companies can still take steps to mitigate their effects.
Experts say companies must evolve their data loss protection strategies to go beyond prevention, and when prevention methods fail, security teams must be quick to respond to any possible threat. Investing in a next-generation data loss protection solution is the strongest way to monitor and protect against insider threats overall, reported Lance Whitney in TechRepublic's How to protect your organization against insider threats.