How to avoid online holiday shopping risks
Written by Dan Blacharski on November 20, 2008
The Christmas shopping season is upon us, and despite the poor economy, people will still be shopping. And a lot of them will be doing so online. Even as retailers are crashing and burning around us, online shopping is still increasing. IT managers, CIOs and security officers must also realize that much of this shopping is going to take place in the office, whether they like it or not. The urge to shop will invariably transcend company policy and, too often, common sense as well.
There are risks. According to a survey from ISACA, a non-profit association of IT professionals, employers are at risk because too many employees do not understand the risks involved, and the workplace is more vulnerable to spam and viruses as a result.
According to a recent ISACA survey, forty percent of Americans between the ages of 18 and 24 will spend up to five hours shopping online using a work computer this holiday season. Unfortunately, this same age group is the least worried about the vulnerability of the work computer. Overall, 63 percent of people of all ages plan to shop online from work this holiday season. The younger audience tends to pay more attention to the security of their home computers, and is less concerned with workplace security. Clearly, it’s time to take some of these youngsters to school on the matter of security.
Using a work email address for shopping can open the network up to threats and increased spam. However, the survey showed that 22 percent of respondents click on an email link to go directly to a retailer’s website from the work computer, and use a company email address as the contact for the purchase. About a fourth of respondents do not check, or are not sure how to check, the security of a website before making a purchase. On the employer side, over half of the employers surveyed said they will allow online shopping, but have no strategy for educating employees about risks and safe shopping behavior.
ISACA issued several recommendations for both employees and employers. For employees engaged in online shopping, it recommends:
1. Make sure the web sites are using SSL if you are going to enter any personal information.
2. Don’t allow sites to save your username and password, and do not use your work email address as the contact.
3. Delete cookies after you finish shopping.
4. Use separate browser sessions for shopping and work-related Web activity.
5. Don’t download free stuff.
For the IT manager, ISACA recommends:
1. Train employees on safe computing prior to the holiday shopping season.
2. Tailor your education programs to match different groups in the workplace.
3. Conduct a risk and threat assessment, and update your acceptable use policy and security technology as needed.
4. Make sure all patches and updates are deployed, and that firewall rules are updated regularly.
5. Monitor networks for suspicious traffic, and remind employees to report any suspicious events.
















