As physical shopping is limited, Black Friday's usual hordes of people rushing the doors of Walmart or Best Buy are unlikely this year. Consumers will turn to e-commerce — and so will employees.
Since March, enterprise security has had to account for work devices used for personal activities and for personal devices used for work. Just over half of employees engage in what they consider "low-risk" activities on their work devices, such as sending an email or reading the news, according to a Malwarebytes Labs survey. Thirty-eight percent of respondents admitted to using their device for shopping.
"Whether from a work device or personal device, once the threat is inside the business network, a lot of the damage is already done," said Jeff Bradbury, senior director at Hughes Network Systems. "Once a threat enters the network, every device on the network is vulnerable."
An employee may consider using their device for some personal activity harmless, but once an infection occurs, it renders the whole enterprise network vulnerable. This year security organizations had just over eight months to adapt to the security challenges of remote work.
"It's blurred the lines of work and play," said Ron Culler, senior director of Technology & Solutions at ADT Cybersecurity.
More than three-quarters of Malwarebytes Labs' 900 respondents are working from home and 53% were assigned a work device. Unless there are written policies explicitly denouncing online shopping using a work device, "it can be assumed that employees will use business devices to engage in online holiday shopping to some extent," said Culler.
Online shopping on company-owned devices is not unique to 2020 and pandemic-related restrictions. However, during the first half of the year companies saw a 22% increase in reported vulnerabilities, compared to H1 2019. Cyberattacks are breaking records, and short of policies "when you add any unapproved or unmonitored use, like online shopping, the risks grow exponentially," said Culler.
Nine in 10 consumers plan to shop online this year, compared to 34% planning to shop in-store, according to Numerator. With economic uncertainty and expectation of conservative spending, retailers opened up some Black Friday-like deals as early as October.
Due to the anticipated online activity the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to consumers, "Hackers, scammers and thieves will take advantage of these changes and the generosity of the public during the holidays to target online shoppers and those giving to charities," said Acting CISA Director Brandon Wales, in the announcement.
The cybersecurity agency encouraged shoppers to only engage with trusted retailers. If an employee on a work device goes to an illegitimate site, security organizations need URL-blocking solutions in conjunction with content filtering "to make sure credit card information or other protected data is not being transmitted outside of identified and protected paths," said Bradbury. "Enforce use of HTTPS protocols."
With the expectation that employees will engage in risky cyber behavior, companies will likely rely on traditional solutions: endpoint protection, VPNs, two-factor authentication, content filtering, unified threat management firewalls, zero trust architectures, microsegmentation or detection.
The most successful security programs have a culture of security woven throughout the entire enterprise; technologies alone can fall short. Some companies struggled with routinely performing security exercises during the stress of the pandemic and recession. Inundating employees who were still adjusting to remote work with internal, simulated phishing campaigns was deemed an unsavory practice during the first several months of remote work.
"As for what to do, one of the most important security practices is timely and direct communications," said Bradbury. IT and security "should reinforce security policies and practices regularly, and especially ahead of busy times like the holiday season."