Fully 82 percent of SMB executives expect "many" of their employees to shop online this holiday season using a work device, according to a recent AppRiver/Zix survey [PDF] of 1,049 C-level executives and IT decision makers at SMBs with 1-250 employees.
Among those executives, 61 percent say they know this poses cyber security risks to their business and customers by potentially exposing business data stored on that same device – but they believe there isn't anything they can do about it.
And the numbers increase based on business size – 88 percent of executives at medium-sized SMBs with 50-149 employees, and 90 percent of executives at larger SMBs with 150-250, believe many of their employees will be shopping online using work computers or devices this holiday season.
Similarly, 64 percent of medium-sized SMB executives and 68 percent of larger SMB executives believe there's nothing they can do to stop the practice.
SMB executives in the media sector are the most likely to expect their employees to shop online (95 percent), followed by non-profits (93 percent), financial services and insurance (92 percent), education (88 percent), technology (88 percent), and manufacturing (87 percent).
Perhaps due to regulatory and compliance concerns, just 78 percent of SMB executives in the healthcare and pharmaceutical industries expect their employees to shop online this holiday season using work devices.
"Compounding the risks of shopping online using a business device, nearly half (49 percent) of all surveyed estimate most of their employees would not be able to spot an illegitimate link posing as an online retailer in potential phishing attempts," the report states.
Those concerns are particularly significant in highly regulated industries like healthcare and pharmaceuticals (63 percent) and financial services and insurance (52 percent).
Separately, a recent Akamai report [PDF] on phishing found that the top targeted brands are Microsoft, PayPal, DHL and Dropbox. High tech is the top industry targeted by phishing, followed by finance, online retail, and media – with 60 percent of phishing kits active for just 20 days or less.
"In fact, over a 60-day period, Akamai observed more than 2,064,053,300 unique domains commonly associated with malicious activity," the report states. "Of those, 89 percent had a lifespan of less than 24 hours, and 94 percent had a lifespan of less than three days."
The 2019 Verizon DBIR found that 32 percent of all breaches and 78 percent of all cyber espionage incidents involved phishing.
And while click-through rates for phishing simulations fell from 24 percent to 3 percent over the past seven years, 18 percent of people who clicked on test phishing links did so on mobile devices.
"Research shows mobile users are more susceptible to phishing, probably because of their user interfaces and other factors," the DBIR warns.