‘Tis the season (almost) to be jolly, and to shop. But companies may be significantly exposed to costly data breaches and lost productivity if they don’t take steps to control employees’ online shopping from their work computers.

Young employees pose the greatest risk. Four out of 10 Americans ages 18-24 will spend up to five hours shopping online from their work computers this holiday season, according to a new report by ISACA, which surveyed 973 consumers and 3,191 of its members, who are IT professionals.

That same age group is the least worried about the vulnerability of their work computers, heightening the risk of spam, viruses, and phishing attacks resulting from their activities. The survey examined how much time employees will spend in November and December shopping online from work, how aware they are of online security, and whether they comply with employer policies for online shopping.

Almost half of IT professionals who responded to the survey, 46 percent, said they believe lost productivity from online shopping at work is hurting their companies, with the average hit pegged at $3,000 per employee. Overall, 63 percent of people of all ages surveyed plan to use their work computers to shop. But the so-called “Millennials” pose a greater risk not only because more of them will do so, but also because they are typically thought to be more tech-savvy, more concerned about work/life balance, and less loyal to their employers than other age groups.

Data breaches, however, are a far greater potential danger than productivity costs. Providing a workplace e-mail address to an online retailer can leave a computer network open to a variety of threats, such as introducing trojans, malware, or spyware. Twenty-two percent of consumers responding to the survey have clicked on an email link to go to a retailer’s website from their workplace computer, and 26 percent either do not check or are unsure how to check the security of a website before making a purchase.

When the computer of an employee in possession of sensitive customer data is breached and the data is stolen, remedial costs can pile up fast. John Pironti, chief information risk strategist for systems integrator CompuCom, cited a figure of about $170 per record.

“For attackers, it’s easy to get away with things under the radar screen now because know there are a lot of people doing things they shouldn’t be doing, and that some of the anti-fraud activities are relaxed because of the sheer volume of transactions that occur,” Pironti told CFO.com.

More than half (55 percent) of IT professionals surveyed said their companies permit workers to shop online but have no strategy for educating them about the risks. Education is a key, according to IASCA, which offered tips for safer holiday shopping.

Recommendations for IT departments:
• Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
• Tailor education programs to match the various demographics, attitudes, and technology know-how of groups within the workplace.
• Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
• Make sure patches are deployed, security functions are enabled, and firewall rules, intrusion detection system (IDS) signatures, and spam filters are updated regularly.
• Monitor networks for high-volume or suspicious traffic and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.

And for online shoppers:
• Make sure websites you connect to are using SSL encryption while you are entering personal information.
• Do not allow sites to save your username or password.
• Avoid providing your work email address as your contact information.
• Delete cookies from your computer after you are finished shopping.
• If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations onto your work computer.