Businesses advised to prepare for Cyber Monday

Many employees will spend a portion of their day hunting for bargains on the Monday following Thanksgiving weekend, and companies should prepare for the increased security risks, experts say.

The potential damage on Cyber Monday, a marketing term coined in 2005 by Shop.org, is greatest for small and medium-sized businesses. That's because they are less likely to have the technology for catching malicious Web sites or keeping Web browsers up to date.

Browsers pose the greatest risk because they contain third-party plug-ins that add capabilities, such as playing video or accessing Web services. The software modules often have to be updated independently from the browser, so many go unpatched for long periods of time.

Data collected from more than 1 million Internet-connected computers over the last 12 months showed more than half with critical vulnerabilities in browsers, security firm Qualys reported on Tuesday. A third of all installations of the most widely used plug-in, Java, contained security holes, closely followed by Adobe Flash with a quarter of all installations vulnerable.

Such flaws can be exploited by malware downloaded by an employee clicking on a malicious link on a website. Symantec says 61% of malicious sites are legitimate properties that have been compromised.

Once malware is installed on the computer, it can steal user names and passwords, as well as company data. Once in the corporate network, some malware can easily replicate itself in other systems.

"Frequently, security inside networks is a little more relaxed, because people need to share data," said Wolfgang Kandek, chief technology officer for Qualys.

Banning employees from shopping on the Web would be a difficult policy to enforce, so a better solution is for small and medium-sized businesses (SMBs) to prepare for the inevitable by updating all browsers to the latest version. In addition, only necessary plug-ins should be installed, and businesses should check to make sure the modules contain the latest patch.

Individual plug-ins can sometimes be configured to be more secure. For example, the ability to run JavaScript, which is often exploited to install malware, can be turned off in Adobe Reader, the software used to view PDF files.

Only a small percentage of companies need to run JavaScript in a PDF document. "I've had it off for two years and I've not noticed a difference," Kandek said.

Many companies are aware of what employees will be up to come Cyber Monday. More than 60% of businesses surveyed by Dell said they expected productivity that day to decrease more than last year. That expectation is in line with the increase in retail sales over the years.

U.S. sales on Cyber Monday have increased steadily since 2006, when people bought $610 million worth of goods online. Last year, the amount topped $1.2 billion. Nevertheless, Cyber Monday is not the biggest online shopping day of the holiday season. That day is typically closer to Christmas.

Because of the popularity of Cyber Monday shopping, 59% of businesses were more concerned about loss of productivity than potential security threats to networks, even though hackers are extra busy sending out spam messages promising great deals.

Unfortunately, many employees may not be prepared to avoid such scams. Almost 7 in 10 businesses surveyed by Dell said employees could not identify fraudulent attacks on the corporate network.
