
November 2010

An ISACA White Paper

E-commerce and Consumer Retailing: Risks and Benefits

Abstract

ISACA recently unveiled the results of its 2010 survey Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety. The results demonstrate trends in employees utilizing enterprise resources to complete e-commerce transactions during business hours, resulting in lost productivity and increased risk to enterprise information assets. This white paper discusses many of the risks associated with such actions and provides recommendations for enterprises dealing with such challenges.



ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created E-commerce and Consumer Retailing: Risks and Benefits (the Work) primarily as an educational resource for security, governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security, governance and assurance professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545; Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.



ISACA wishes to recognize:

ISACA Board of Directors
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand

ISACA and IT Governance Institute (ITGI) Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.


Introduction


Electronic commerce (e-commerce) is the practice of purchasing and selling products and services over the Internet or other electronic systems. As the Internet and its supporting technologies have expanded, so, too, has the opportunity for rapid and convenient transactions. E-commerce covers a range of different types of business-to-consumer (B2C) businesses and activities, such as consumer-based retail sites and auction or music sites, and business-to-business (B2B) platforms in which businesses exchange goods and services.

E-commerce is an important service that is facilitated by the Internet. For many enterprises, e-commerce has expanded and globalized markets, catapulting sales and increasing revenue. For individuals, e-commerce has provided the ability to acquire goods and services without leaving their homes or offices. While e-commerce has created many opportunities for individuals and businesses of all sizes, its emergence left many enterprises unprepared to deal with many of the resulting consequences.

As enterprises have provided employees with additional enterprise-owned resources by which to access the Internet, it has become increasingly common to find employees utilizing enterprise information resources for personal use, such as shopping, web surfing and visiting social media sites. This personal use of enterprise computing resources can result in increased threats to information assets and decreased employee productivity.

ISACA's 2010 survey Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety¹ highlights many interesting points that are important for businesses to consider, not only during the holiday season but also throughout the year. ISACA's survey results corroborate perceptions that employees do spend time allocated for business to conduct personal activities.

While productivity is an important concern, the 2010 survey results show that employees will spend less time shopping at work, but they are more apt to participate in risky behaviors, such as clicking on unsolicited links and using corporate mobile devices for personal activities. The results indicate that security is not a top priority for employees. Many employees do not worry about the potential introduction of malware into the enterprise network because they believe that IT has patch management under control.

Risks Associated With Employee Use of E-commerce


As with any use of enterprise IT systems, employee e-commerce transactions can result in issues that negatively affect the business. ISACA's survey revealed that there are two main categories of risk to enterprises when employees engage in online shopping: employee productivity and information risk.

Productivity is clearly an important matter for enterprises. Typically, enterprises suffer productivity losses during key events throughout the year. For example, holidays seem to elicit a large decrease in productivity. In the US, such events extend from the holiday season into the following months with anticipated events such as the Super Bowl and March Madness (the National Football League [NFL] championship game and the National Collegiate Athletic Association [NCAA] basketball series).²

Survey question: My organization does the following when it comes to mobile devices (e.g., smart phones, laptops, tablets, netbooks) (please check all that apply):

A security policy is in place that covers mobile devices: 69%
Employees are allowed to use work mobile devices for personal use, including for online shopping: 42%
Employees are allowed to use personal mobile devices for work use: 41%
Employees are regularly educated about securing their work-related and/or personal mobile devices for enterprise use: 50%

Results from ISACA's 2010 Shopping on the Job Survey: Online Holiday Shopping and Workplace Internet Safety

1. http://www.isaca.org/online-shopping-risks
2. http://www.cnbc.com/id/16870794/Superbowl_Fun_Productivity_Schmoductivity_and_More, citing the outplacement firm Challenger, Gray & Christmas.



In addition to the potential loss of revenue that declines in employee productivity can create, inappropriate use of enterprise resources can also strain enterprise infrastructure and result in performance and availability issues, causing users who are engaged in work-related activities to experience a slowdown.

Information risk is another area that is affected by employee use of enterprise resources for personal reasons. Protecting information assets from destruction, loss and corruption is an important initiative. As employees use the Internet for activities such as shopping, social networking and web surfing, the threat to enterprise information assets increases. Many malicious threats exist that have the potential to exploit vulnerabilities.

Phishing is a common threat facing enterprises today. The 2010 ISACA Shopping on the Job survey showed that 52 percent of those surveyed admit to clicking on links embedded in e-mail messages from retailers. As more employees make use of the growing number of network ingress points in the form of enterprise-owned information resources, such as smart phones, laptops and tablet computers, the likelihood of successful phishing attempts can increase. If employees are using these devices to access personal e-mail accounts or shop online, or are using their work e-mail accounts in relation to shopping, phishing becomes more likely. Phishing can result in many damaging scenarios for enterprises, such as loss of customer data, loss of enterprise intellectual property and damage to enterprise data.

Downloading malware is also a concern as employees use the Internet for personal reasons. Many employees may not be concerned with security controls and may not know about the potential risk to information assets that can result from online shopping expeditions, such as viruses and spyware that can affect data integrity and network efficiency and availability.
Figure 1 lists common threats, risks and potential impacts that can be associated with employees using enterprise resources to conduct personal business, such as shopping online.

Figure 1: Risks Associated With Employee E-commerce and Consumer Retailing

Threat: Peak times that result in excessive personal Internet use
Risk: Reduction in productivity
Impact: Negative impact to the business through reputational damage (from poor customer service) and through delay in projects, work and deliverables
Mitigation Strategy: Create an acceptable use policy that is disseminated to all new employees and to existing employees each year. Create motivational programs for employees during peak times, such as attendance and innovation awards that may keep employees interested in producing quality work during slow periods. During project planning, consider the impact on productivity throughout the year and plan accordingly.

Threat: Increased traffic to online shopping, social networking and other Internet sites
Risk: Slow or unavailable network resources due to increased bandwidth consumption; disruption in work
Impact: Depending on the nature of the business, unavailability can result in issues such as revenue loss, including direct revenue loss, billing loss and decreased future revenue.
Mitigation Strategy: The policy should include information regarding the impact of sites that require high bandwidth utilization. Provide awareness to employees regarding network resource utilization. Schedule batch traffic for off-peak hours. Determine whether enterprise capacity requirements allow for traffic spikes.

Threat: Phishing attack
Risk: Information breaches resulting in lost enterprise information, such as enterprise intellectual property (IP) and customer data
Impact: Financial loss, ranging from notification and compensation for affected customers to lost future revenue and brand damage due to a loss in customer trust
Mitigation Strategy: Provide ongoing awareness training for employees. Build security into the overall culture of the enterprise to encourage employees to consider potential threats and risks before clicking links in e-mail messages or going out to the web. Ensure that all patches are up to date. Deploy enterprisewide software to block access to known phishing and malware web sites.

Threat: Introduction of malware to the enterprise network
Risk: Spyware, viruses, Trojans and other malware disabling the enterprise network and siphoning sensitive enterprise data
Impact: Network outages to financial loss
Mitigation Strategy: Employee awareness training associated with security breaches is critical to managing malware threats. Additionally, ensure that all patches are up to date.

Threat: Social engineering attack
Risk: Information breaches resulting in exposed IP or customer data
Impact: Heavy fines and loss of customer trust
Mitigation Strategy: Employee awareness is crucial. Integrating security into the overall enterprise culture to encourage secure behaviors may help reduce the likelihood of successful attacks.

Because most enterprises have connectivity to the Internet, many of these risks exist whether or not employees shop online. However, the likelihood of risk realization increases when employees engage in activities such as shopping online without verifying that proper controls are in place. Proper controls include ensuring that security patches are up to date, that web sites are legitimate, that mobile devices have adequate levels of security applied before their browsers are used, and that applications permit convenient Internet usage.



Survey question: What security measures, if any, has your organization put in place to limit or prevent employees from shopping online using a work computer? (please check all that apply)

A security policy is in place that addresses online shopping: 46%
Training is provided on the security policy: 51%
Employees are educated on the risks of online shopping (but no security policy is in place): 23%
Technology is in place to protect against web-based attacks: 68%
Retail web sites are blocked: 27%
Employee usage of the web is monitored: 51%
The security policy is communicated: 55%
A guest or segregated network and computing resources for employees to use for shopping and personal online activities is provided: 9%

Results from ISACA's 2010 Shopping on the Job Survey: Online Holiday Shopping and Workplace Internet Safety

Governance and Change Considerations


Enterprises must decide whether they will permit employees to make use of enterprise resources for personal reasons. Many enterprises do allow employees to make use of resources to engage in personal activities. There are studies that indicate that finding a balance between protecting enterprise information and allowing employees some freedom will actually increase productivity, since morale is likely to be higher than if the enterprise takes a draconian approach and blocks access. Enterprises must weigh the potential risks of permitting such activity against the potential risks of not permitting the activity and make a decision based on the enterprise risk tolerance.

The decision to allow enterprise resources to be used for personal e-commerce purposes requires a well-developed and clearly articulated acceptable use policy (AUP). The enterprise should work to ensure that the AUP is understood and accepted by all employees. Enterprises should also include the AUP core concepts within their awareness training program. Additionally, employees should be made aware whether the enterprise actively monitors its network traffic and, if it does, that they should have no expectation of privacy.

In addition to an AUP, the enterprise should consider revisiting its mobile device management plan and policy. Often, mobile devices may not be subject to the same level of security controls that is applied to devices that do not leave the office. For many workers, the distinction between their personal and professional lives is diminishing because they have been given mobile devices by their employers and are available for business regardless of time or location. While these devices may affect productivity in a positive manner, employees use these devices for many things. For example, 47 percent of surveyed participants in ISACA's Shopping on the Job survey report that they will shop from enterprise-owned mobile devices. It is critical that enterprises take the time to properly control and manage these devices.

In developing policies, the enterprise should consider and assess the impact on network utilization, network threats and productivity. The enterprise must define acceptable use. Holiday shopping can be treated differently than other activities such as social media use, Super Bowl gambling or participation in fantasy sports leagues.


Assurance Considerations for E-commerce

Once the enterprise develops an appropriate strategy and controls to manage and monitor employee usage of the Internet, it is the role of the assurance professional within the enterprise to assess compliance with the associated policy and to ensure that the monitoring controls are effective and that compliance with the policy is established and measurable. The elements identified in ISACA's Business Model for Information Security (BMIS) present a good foundation for assurance professionals:

1. Strategy and Governance

Has personal e-commerce been addressed in the enterprise risk assessment? Is there an established policy (and supporting standards) that addresses personal e-commerce utilizing enterprise assets? Do the policies address personal e-commerce use in the workplace?

2. People

Has effective training been conducted for all users, and do users receive regular awareness communications regarding policies and risks? It is imperative that all users understand what is (and is not) appropriate and how to protect themselves and the enterprise while using enterprise resources for personal purposes.

3. Processes

Have business processes been assessed to determine whether the personal e-commerce policy requires modifications or additions to existing processes?

4. Technology

Does IT have a strategy and the supporting capabilities to manage technical risks presented by personal e-commerce? The technical risks related to personal e-commerce are also found in the use of malicious e-mail and standard web sites. IT should have controls in place, both network-based and host-based, to mitigate the risks presented by malware. Suitable controls can include download restrictions, browser settings, data leak prevention products, content monitoring and filtering, and antivirus and antimalware applications. Appropriate incident response plans should be in place.

Lastly, some of the key assurance issues that will need to be addressed are:

Privacy
Compliance
Confidentiality
Appropriate use of enterprise resources
Malware

Conclusions
Productivity and information risk are two key areas to be watched as more employees utilize enterprise resources for personal Internet use. While ISACA's Shopping on the Job survey indicates that fewer workers will be shopping online using work-issued devices, the results show that those employees who do so will engage in riskier behaviors this year than during previous years. While risks originating from personal Internet usage on enterprise-owned devices have not dramatically changed, the holiday season can be an optimal time to revisit acceptable use and mobile device policies to ensure that controls are in place to protect information assets.



Additional Resources and Feedback

Visit www.isaca.org/e-commerce-and-consumer-retailing for additional resources and use the feedback function to provide your comments and suggestions on this document. Your feedback is a very important element in the development of ISACA guidance for its constituents and is greatly appreciated.
