ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens

Online Holiday Shopping Risk

Online shoppers to spend 18 hours shopping on devices also used for work activities

Rolling Meadows, IL, USA (1 November 2011)— Shopping online for the holidays is up this year, with a 15 point increase in the percentage of Americans who say they will spend more time shopping online than they did the previous year. But according to ISACA’s fourth annual Shopping on the Job Survey, more than half the time spent shopping will be done from computing devices also used for work purposes, a practice that can pose significant risk to corporate networks and valuable information.

The “2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security” found that online shoppers plan to spend 32 hours on average shopping online this holiday season, with 18 of those hours on a work-supplied device or a personally owned device also used for work activities—a trend called “BYOD” (bring your own device). People are also becoming increasingly tech-savvy: the use of mobile applications has nearly tripled since last year’s survey, 29 percent click on daily deal sites such as Groupon, and 7 percent scan quick response (QR) codes.

BYOD Is Here to Stay

ISACA, a nonprofit professional association of 95,000 IT audit, security and governance professionals, also conducted a separate survey of more than 4,700 of its members from 84 countries. The member survey results show that these IT professionals believe that their organizations are increasingly challenged to deal with BYOD. In every region except Europe, more respondents say that employees are allowed to use personal devices for work purposes, but members in five of the six regions say that the risk of using a personal mobile device for work purposes still outweighs the benefits.

Use of personally owned PCs or mobile devices–typically more difficult to secure than work-issued devices and used for a wide range of often high-risk online activities–means that sensitive corporate information may be compromised through device theft or loss, or malware attacks.

“The consumer survey shows that two-thirds of employees between the ages of 18 and 34 have a personal device they use for work purposes. BYOD is here to stay. However, the fact that the majority of ISACA members say the risk outweighs the benefits means that education and precautions are strongly needed,” said Robert Stroud, CGEIT, CRISC, past international vice president of ISACA and vice president and service management, cloud computing and governance evangelist at CA Technologies.

User Location Data Tracking a Turn-off

While close to four in 10 consumers surveyed use PayPal or a similar secured service to protect their online transactions, they are concerned about newer features, like their mobile device’s ability to track their location. Fully 74 percent say they would turn off user location tracking because of risks such as stalking or identity theft, and 9 percent would keep it on only because they don’t know how to turn it off. Coupled with this lack of knowledge and concern are risky online behaviors. A third of consumers (34 percent) have clicked on a link in a social media site (up from 19 percent in 2010) and more than 1 in 10 (13 percent) click on e-mail links from someone they do not know.

“For the fourth year in a row, ISACA’s online holiday shopping survey shows that employees are unwittingly risking the introduction of viruses, malware and phishing scams into the workplace. What is new this holiday season is the growing role of BYOD, which demands that organizations be more focused than ever on embracing emerging technology and the benefits it brings, and educating employees about safe practices,” said Ken Vander Wal, CISA, CPA, international president of ISACA.

The consumer survey shows that 16 percent of respondents say their organization does not have a policy prohibiting or limiting personal activities on work devices, and another 20 percent do not know if their enterprise has one.

“There is a distinct gap between what IT departments may do and what employees understand or know about,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, security advisor with ISACA and president of IP Architects.  “For example, many employees do not realize that, as part of the process of connecting their personal device to the organization’s corporate network, they may have agreed to allow their personal smartphone or tablet to be remotely or locally wiped clean if they lose it or the organization believes it has become compromised while storing confidential data. Setting a policy for the use of personal smart devices and effectively communicating it to employees are crucial.”

Managing Your “BYOD” Mobile Device: 5 Tips for Employees

ISACA offers these tips to help employees manage their personal smartphones, tablets or notebooks that they also use for work activities:

–          Make sure you understand the policies, standards, and guidelines that you agree to comply with when connecting a personal device to your corporate network.

–          Understand what happens if your organization believes your device is lost, stolen or represents a security risk.

–          Follow ISACA’s five-step “ROUTE” for informed use of geolocation.

–          Make sure you have enabled all of the security features on your device, including file and network encryption, passcodes, and device locator capabilities.

–          Ensure that your devices are current with the latest operating system and application updates on a regular basis.

The complete survey results are available at

About the 2011 ISACA Shopping on the Job Survey:  Online Holiday Shopping and BYOD Security

The ISACA Shopping on the Job Survey:  Online Holiday Shopping and BYOD Security, now in its fourth year, helps gauge current attitudes and organizational behaviors related to the risk and rewards associated with online shopping, and the blurring boundaries between personal and work devices. The study is based on October 2011 online polling of 4,740 ISACA members from 84 countries, including 1,678 members from the US. A separate online survey was fielded among 1,224 US consumers by M/A/R/C Research between 27 September and 30 September 2011. At a 95 percent confidence level, the margin of error for the total sample is +/- 2.8 percent. To see the full results, visit


With 95,000 constituents in 160 countries, ISACA® ( is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter:

Join ISACA on LinkedIn: ISACA (Official),

Like ISACA on Facebook:

Collaborate with ISACA members:


Kristen Kessinger, +1.847.660.5512,

Marv Gellman, +1 646.935.3907,

Note: You are receiving this message because you signed up for ISACA’s news release distribution list. If you wish to be removed, please