The integrity of Hong Kong companies' IT investments is at risk as employees spend an increasing amount of time on online Christmas and New Year shopping, said ISACA Friday.
ISACA is a non-profit international organization that advocates IT governance, control, security and assurance.
According to the results of a recent ISACA survey entitled "Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety", 42 percent of Hong Kong employees are likely to spend two or more hours shopping online using a work computer between November and December.
But more than half (54 percent) of the respondents' companies don't educate their employees about the risks that online shopping can pose to their companies' IT security, ISACA said.
While about 60 percent of the firms said they have no security measures in place to prevent employees from shopping online at work, more than 55 percent of these companies think their employees don't fully understand the risks to which they are exposing their companies by shopping online from their workplace computer.
"From our perspective, both IT security structures and users' awareness or consciousness of the risks they are facing are equally important against IT security threats," said Frank Yam, international vice president of ISACA. "Sensible IT investment, governance and protection are instrumental to business success. Companies are now more cost conscious given the current global business environment, and because of this they need to be even more prudent about protecting their IT investments."
The ISACA Hong Kong survey was conducted concurrently with similar surveys with consumers and ISACA members in the US, and the results from the Hong Kong survey largely reflect a similar pattern among US businesses regarding their lack of awareness or attention toward the risks of online shopping at work, ISACA said.
ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of backdoor "agents" that can hijack corporate data.
For online shoppers:
1) Make sure web sites you connect to are using SSL encryption while you are entering personal information.
2) Do not allow sites to save your username or password. Avoid providing your work email address as your contact information.
3) Delete cookies from your computer after you are finished shopping.
4) Use separate browser sessions for your holiday shopping versus your work-related browsing.
5) If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations onto your work computer.
For the IT department:
1) Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
2) Tailor education programs to match the various demographics, attitudes and technology know-how of groups within the workplace.
3) Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
4) Make sure that patches are deployed, security functions are enabled, and firewall rules, IDS signatures, and spam filters are updated regularly.
5) Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.









