ISACA on Holiday Shopping Threats
Survey Shows Mobile, Online Shopping Open Fraud Doors
ISACA, an independent international association, has found that risky online shopping behavior puts companies and consumers at risk. The emergence of mobile browsing and shopping is only expected to compound the issue. "Unfortunately, technology advancements come first, while security comes second," says Mark Lobel, a principal in Advisory Services at PricewaterhouseCoopers and a member of ISACA's External Relations Committee.
But that tradeoff is not one the industry has time to debate, he says, as advances in technology are increasing at a pace with which most institutions cannot keep up. "The world always continues to become a more complicated and risky place, and that's OK," Lobel says. "I wouldn't go back to a world where we didn't have these technologies. It makes life better; it makes it easier; but it makes it riskier, as well."
How can financial institutions manage that risk? By leveraging frameworks and security standards and providing continuous and enhanced customer education.
In this interview, Lobel discusses:
- The top three riskiest online shopping and work behaviors;
- Steps companies and financial institutions should take to monitor and control online behavior;
- The role education and compliance with Payment Card Industry security standards play in the fight against phishing and malware attacks.
Lobel, CISA, CISM, CISSP, is a member of ISACA's External Relations Committee and most recently served as a member of the Security Management Committee. He is a principal with the Advisory Services at PricewaterhouseCoopers and has more than 27 years of business experience. Lobel is an internationally recognized security and controls professional, with experience in designing, benchmarking and assessing organizational security strategies and technologies. Lobel's work has primarily focused on information communications, entertainment and media, and financial services.
For the last 10 years, Lobel has been the lead agent for the North American Chapter of the Information Security Forum and has served as a member of the NY Chapter of the Information Systems Security Association. He holds a bachelor's degree in broadcast communication from Oswego State University and a master's in business from Boston University.
Employee Online Shopping and Fraud Risks
TRACY KITTEN: What steps should financial institutions be taking to ensure their customers and members are shopping safely, whether online or in the store? Mark, ISACA recently conducted a survey about online shopping. Could you give a little background about this survey, explaining how it is conducted, how often it is conducted and what types of individuals are included in the results?
MARK LOBEL: There were two surveys that we included in this; the first one is the third annual Shopping on the Job survey, ISACA's Online Holiday Shopping and Workplace Internet Safety Survey. It is done through online polling from Sept. 27 through Oct. 10, and there were 2,853 U.S. consumers who responded. The separate, but related, survey that also is bundled in here was conducted by ISACA between Sept. 27 and Oct. 4 and includes responses from 3,307 ISACA members from North, South and Central America, Europe, Asia and Oceania. The U.S. findings, which we are looking at here, were really based on 837 ISACA member responses; so we have a really powerful base of data to do the analysis.
KITTEN: Now, could you provide our audience with some key findings from the survey?
LOBEL: Sure. Three of them jump to the top of my head first. Thirty-two percent of the ISACA IT professionals on the Holiday Online Shopping survey said that it will cost about $15,000 per employee in productivity costs. So, that really translates to an impact on business and something for companies to consider and be cognizant of. The second major point is that employees are going to spend, we estimate, about six hours shopping from a work computer or device, as compared to 14 hours in 2009, so that number is going to be down a little bit. And, then, the third major point that we saw was that 20 percent of employees will spend nine hours or more shopping from a work computer or a mobile device this holiday season. So, I think some of the things to identify there are: (a.) People are going to shop from their work computers, or (b.) people are going to do shopping from their mobile device. There are kind of two sides to this.
Riskiest Online Behaviors and Phishing
KITTEN: It is all about the risks associated with those behaviors, as the survey results rightly point out. Can you tell us what you deem to be some of the so-called riskiest online shopping behaviors -- behaviors that open companies and consumers to phishing threats?
LOBEL: There were three risky online work behaviors that we saw. The first one was clicking on an e-mail link to access a shopping site, and 52 percent of the respondents say they have done that. The second and third are together - like two sides of a coin. One, they said they used a personal computer or smart phone for business use - that's 52 percent of the respondents; and, two, they accessed a social networking site for personal use. So, it is kind of the flip of using personal stuff for business and then using business stuff for personal -- clicking on links, using business for personal, using personal for business, are some of the things that came out of the survey.
Employee Fraud Education
KITTEN: According to ISACA's survey, risky online behavior actually increased in 2010. How can businesses do a better job of educating their employees about the threats of shopping online?
LOBEL: There were at least two steps that we think companies should be doing. First, we think they need to have monitoring controls in place to protect their information -- monitoring controls that they should have in place anyway. Second, and more importantly, is education. If people know what the right things are to do, the majority of people are going to do those right things. But if they don't have that education, have that security awareness -- and the ISACA publications released recently talk about some of this education and security-awareness training -- that's where people will do things that they don't understand will create threats.
Customer Education: Tracking Behavior
KITTEN: We have been focusing a lot on businesses and employees working within businesses, but what steps can and should financial institutions take when it comes to educating consumers about shopping online, whether that be through a home PC or via a mobile device?
LOBEL: I think it builds off of what we said of the education, and there are some very specific steps, some regulatory steps, that financial institutions already have to take, but I think there is additional education that they should be doing, as it relates to consumer education, as well as setting metrics for what they expect and tracking those behaviors. What behaviors do they currently show, and how do you do a set of marketing pieces and communication pieces to guide consumers to less risky, more secure behaviors? It's about the metrics.
KITTEN: And what about educating merchant and commercial customers? How can financial institutions educate those customers about the threats of online shopping, or what can they do to make their online shopping environments, should they be merchants that provide online environments, more secure?
LOBEL: I think for merchants and online shopping, there are some industry standards, including the Payment Card Industry Data Security Standard, that most merchants have to comply with. So, look at that standard, look at the Web application security standards and their top 10 risks. Looking at the standards, understanding what the risks are, and then seeing what controls they should put in place, again, by using metrics and monitoring. Look at the types of standards, implement those standards and track them and monitor them using metrics.
Mobile Fraud: Understanding the Risks
KITTEN: Do you expect 2011 to impose new challenges and threats as the mobile channel emerges as one of the more-often used channels to access the Internet for browsing, shopping and online banking?
LOBEL: Definitely. We see increased risks as the mobile channel becomes a primary channel for many people to access online shopping and do online transactions, in general. As new technologies come out, the security tends to follow, sometimes very quickly, sometimes not as quickly as we would hope. And for some mobile technologies, there are really strong security controls and security infrastructures; for others, they are not quite so robust and are still developing. Third-party products are being created, so it is really looking forward and understanding those risks, and, as we said, defining what behaviors we want and looking at the technologies and how secure the technology is. 'What are my customers going to use and how do I make compensating controls for those less mature technologies?' 'What do I allow and what do I not allow?' As new technologies come out, we assess the security risks over time; and it is understanding those risks that really protect financial institutions.
Phishing and Zeus
KITTEN: What final thoughts can you provide our audience about phishing trends and the growing threats posed by malware, such as Zeus?
LOBEL: The world always continues to become a more complicated and risky place, and that's OK. With risk comes benefit, right? It is the risk-reward tradeoff. As we take risk, there is reward. I wouldn't go back to a world where we didn't have these technologies. It makes life better; it makes it easier; but it makes it riskier, as well. So, how do we use these technologies? How do we leverage them and manage the risks of phishing? How do we manage the risks associated with identity theft? How do we manage the technology risk of some unbelievably sophisticated malware? I would even extend the definition of malware, as it leads to online theft and online crime. And then there is what we call advanced persistent threat, which even takes into account the realm of intellectual property theft and nation-state espionage attacks on individuals by the government.
So, it is a very different world out there; but, on the whole, having the technology and leveraging these things absolutely makes our life better, but we need to use them wisely. How do we protect ourselves? That is our constant, ongoing challenge. Again, it's about leveraging frameworks for companies; it's about leveraging standards; and it's about educating the consumers of the right ways to use these new technologies, manage the risk and get the benefits.