New research published today by Zix-AppRiver has revealed that half of US executives feel powerless to stop employees holiday shopping on company devices, despite knowing that the practice poses a cybersecurity threat to the business.
Researchers asked 1,049 cybersecurity decision-makers within American SMBs across a diverse range of industry sectors about the holiday shopping habits of their employees.
According to the report, 82% of all SMB executives estimated that “many” of their company employees will shop online this holiday season using a computer at work or a device used for conducting business, on which business data is also stored and transmitted.
Among those, 61% admit they know this poses cybersecurity risks to their business and customers, but they believe it is "a fact of life; and there is not much I could do about it."
At larger-sized SMBs, executives were more likely to make the assumption that employees would use a company device for holiday shopping this year. At medium-sized SMBs with 50–149 employees and at larger-sized SMBs with 150–250 employees, 88% and 90% of executives respectively anticipated this behavior from many of their employees.
Nearly half of the executives surveyed estimate most of their employees would not be able to spot an illegitimate link posing as an online retailer in potential phishing attempts. Many were equally pessimistic about whether they could do likewise.
"Among IT decision-makers who lack confidence that most employees would be able to spot an illegitimate link posing as a fake retailer, many think they themselves could be vulnerable also. Four out of ten who lack confidence in their employees also lack confidence that they themselves could spot a fake link," Troy Gill, senior cybersecurity analyst at Zix-AppRiver, told Infosecurity Magazine.
Asked if any of the executives who thought their employees couldn't distinguish between a fake link and a genuine link had plans to implement any cybersecurity training, Gill said: "Yes, and that was one piece of really important good news from this survey. 57% of SMB IT decision-makers plan to invest more in 2020 dedicated toward security awareness training for employees. That figure jumps to 68% among larger SMBs with 150–250 employees."
Describing where cybersecurity vulnerabilities are present in a typical company hierarchy, Gill said: "Anyone with access to the network, from the board chair to the newest hire, can pose a threat. Training and awareness—not job title or department—are the best indicators and mitigators of individual risk."