Security Threats Plague Cyber Monday

More than half of America’s office workers will be using their company’s resources to shop online this holiday season, and the madness begins today—the day the retail industry has dubbed Cyber Monday.

Just as Black Friday marks the first crush of holiday shoppers within brick-and-mortar stores, Cyber Monday is the unofficial start to the online shopping season. The term was coined by the NRF (National Retail Federation) in 2005, when it claimed that a large number of workers returning from the long Thanksgiving weekend were taking advantage of their work’s high-speed Internet access to jumpstart their holiday shopping online.

Cyber Monday sales rose 25 percent last year according to ComScore Networks and prognosticators expect a similar jump this year. This year, Cyber Monday sales are expected to jump greater than 20 percent to more than $700 million. Part of this has to do with the fact that more retail outfits have begun to use the NRF Cyber Monday awareness campaign as an excuse to hold online sales and promotions on the day. This year 72.2 percent of online retailers are planning a special promotion on Cyber Monday, compared to just 42.7 percent in 2005.

Industry experts predict that employees will spend at least 12 minutes shopping from their office computer day. While the retail industry will reap more than $700 million in sales, employers can expect a significant decrease in worker productivity that, by some estimates, will equate to nearly $500 million.

Regardless of whether Cyber Monday is the busiest in shopping volume or whether that title falls on some other day of the season, one thing is clear. When shoppers break out their credit cards to complete their transactions, more of them will be doing it at the office than ever before. Results from a survey conducted by BIGresearch on the behalf of and NRF found that 54.5 percent of office workers with Internet access will shop for holiday gifts from work.

So what does this mean to the typical IT department in corporate America? Well, according to some security experts, all of this consumerism at work will likely expose organizations to a higher volume of threats on Cyber Monday and throughout the rest of the holiday season.

According to Symantec, corporate networks are traditionally flooded during the season with increased numbers of spam messages as spammers focus on holiday shoppers. Adware purveyors are also known to up their game during the Christmas rush. But the most concerning of all are the number of scammers who will be seeking to take advantage of rabid shoppers’ enthusiasm. Security experts worry that workers on the prowl for holiday deals from their office desks are more likely to click into malicious links and give up information that could compromise not only their own personal security but also that of their employer.

“Cyber criminals are always looking for any sort of material to jump on and of course any thing that is a global event such as Christmas and the holiday season is just juicy material for them to bite their teeth into,” said Derek Manky, senior research engineer for Fortinet, explaining that employees hunting for shopping deals are a prime target for criminals seeking victims to fall for various scams and attacks. “They like to jump on opportunities like this; we saw it on Halloween with the Storm worm’s dancing skeleton attack and we’ll certainly see it throughout the Christmas season as well.”

According to Manky, last year the Stration worm peaked right around Cyber Monday. He suspects that another worm spread through social engineering could flare up again this holiday season if consumers aren’t forewarned.

“During the holiday season they may see shopping links that come up pointing to what seems like a great deal, so they’ll click on the link and follow that,” he said. “As soon as they go there, there are many attack vectors they are susceptible to. Even something as simple as visiting a Web site can lead to compromise of corporate data. They could visit a Web site that is malicious in nature and will have infectious code on it and could basically be the launch pad for an attack.”

Manky believes that it is the responsibility of employers to raise user awareness during the online shopping high season to avoid unpleasant holiday surprises.

“Corporations should be responsible and make a big push to raise awareness of these situations, whether it be through workshops or even weekly reminders, just to keep people in that mentality and that mind frame,” he said, explaining that even a simple reminder can help prevent social engineering attacks from uncovering an organization’s weakest security link—its own clueless employees.