
How CEOs Can Manage Employee Holiday Shopping

Your employees are shopping during work hours whether you like it or not. You might as well make it official. Use this guide to control it now, before it controls your company.


According to a national study by Finder.com, 234 million hours of workplace productivity are lost to online holiday shopping. That’s not a rounding error. That’s billions of dollars in lost productivity across American businesses. 

Here’s the reality CEOs need to face: 64% of employees plan to do “workshopping” – shopping while at work – this holiday season, according to Robert Half Technology. When asked how often, 36% said a few times a week, and 8% said almost every day until they finish their shopping lists. 

The Reality CEOs Need to Face


According to FindLaw research, 50% of all Americans use work Internet for personal use, with online shopping ranking among the top five personal activities. Most companies have policies limiting this behavior, but those policies aren’t having much impact. 

Here’s why: clinical psychologist Chloe Carmichael, who specializes in stress management, explains that people shop on the clock because accomplishing personal tasks at work reduces stress by making us feel more productive. Shopping is a clear and simple task, whereas work projects can feel amorphous and harder to solve. 

More troubling: online shopping can be addictive. When we acquire things, we get a hit of dopamine, which provides a sense of fulfillment. With online shopping via credit card on company computers, the transaction feels nebulous compared to handing cash to a cashier. 

The Cybersecurity Risk Nobody's Calculating

While your employees browse Cyber Monday deals, they’re opening your network to threats. According to SlashNext’s 2023 Mobile BYOD Security Report, 71% of employees have sensitive work information on their personal devices, and 43% were the target of work-related phishing attacks on their personal devices. 

Even more concerning: 90% of security leaders say protecting employees’ personal devices is a top priority, but only 63% say they definitely have the tools to do it adequately. 

The problem: employees don’t distinguish between “work tasks” and “personal tasks” when they’re already logged into work systems. Personal shopping on work devices or work-connected personal devices means: 

  • Clicking links from promotional emails (prime phishing territory) 
  • Entering credit card information on potentially unsecured sites 
  • Downloading receipts and invoices that could contain malware 
  • Using saved company credentials while browsing third-party sites 

FindLaw notes that up to 40% of workplace internet usage involved non-work-related websites even before the remote work era. Beyond lost work hours, there’s stolen bandwidth, cybersecurity risks from viruses, and potential liability if employees engage in illegal activities online using company resources.

Strategic Options for Different Business Types

These options outline practical ways to balance productivity, morale, and cybersecurity during high-traffic shopping periods like Cyber Monday. Each approach fits a different business model—from service firms and manufacturers to startups and large enterprises—so you can choose the strategy that best matches your team structure, risk level, and operational needs.

Option 1: Give Them Cyber Monday Off

Best for: Service businesses, professional services, agencies

Officially close the office on Cyber Monday. Not a half day. A full day off. 

Why this works: 

  • You recapture productivity the other 364 days when employees stop stealing minutes 
  • You eliminate cybersecurity risks when they shop from home on personal devices 
  • You boost morale without breaking the bank 
  • You can actually plan around the downtime instead of random productivity loss 

Implementation: Announce three weeks ahead, clear all deadlines by the Friday before, set out-of-office messages, return Tuesday with full focus.

Option 2: Designated Shopping Hours

Best for: Retail, manufacturing, businesses with shift work

Create official “shopping windows” – perhaps 12-1pm and 4-5pm daily from November 15-30. 

Why this works: 

  • Employees know when shopping is acceptable, reducing guilt and sneaking 
  • You can schedule critical work around these windows 
  • IT can increase email filtering sensitivity during these hours 
  • Provides structure without appearing draconian 

Implementation: Communicate clear windows, require use of personal devices during these times, block shopping sites outside designated hours, monitor bandwidth usage. 

Option 3: Personal Device Policy with Secure Guest Wi-Fi

Best for: Tech companies, startups, creative agencies

Create a separate guest Wi-Fi network for personal devices. Employees can shop on their phones/tablets but never on company computers. 

Why this works: 

  • Completely separates personal shopping from company network 
  • Employees maintain shopping flexibility 
  • Your IT infrastructure stays protected 
  • Easy to monitor and enforce 

Implementation: Set up a segmented network now, communicate the policy clearly, make the guest Wi-Fi password available only to employees, disable shopping sites on the company network entirely.

Option 4: Results-Only Work Environment

Best for: Knowledge workers, remote teams, project-based businesses

Stop monitoring hours. Start measuring results. If employees hit their goals, their shopping habits are irrelevant. 

Why this works: 

  • Shifts focus from activity to outcomes 
  • Eliminates need for monitoring internet usage
  • Attracts and retains top talent who value autonomy
  • Naturally weeds out low performers 

Implementation: Define clear quarterly goals, weekly check-ins on progress, judge performance on results not hours logged, still maintain security protocols for company devices. 

Option 5: The Amazon Model

Best for: Large organizations, call centers, operations-heavy businesses

Follow Amazon’s approach: provide dedicated break rooms with company computers specifically for personal use, separated from work network. 

Why this works: 

  • Acknowledges reality of personal internet needs 
  • Provides controlled environment for personal browsing 
  • Keeps work devices clean and monitored 
  • Can limit timing through break schedules 

Implementation: Set up dedicated space before holiday season, install computers on separate network, limit session times, make it a privilege that can be revoked for abuse. 

Non-Negotiable Security Measures Regardless of Which Option You Choose

  1. Increase email filtering sensitivity in November-December – Promotional emails spike and many contain sophisticated phishing attempts disguised as deals. 
  2. Monitor for unusual data downloads – Employees might use customer lists for personal holiday cards. Set alerts for bulk downloads. 
  3. Restrict USB drive usage – People bring personal devices to work for holiday planning. Don’t let them connect to your network. 
  4. Double down on Business Email Compromise awareness – Attackers know businesses move money faster during holiday promotions. Require dual verification for all payment changes.
  5. Lock down credit card processing – If you run holiday promotions, ensure PCI compliance is airtight and only authorized personnel can access payment systems. 
  6. Require VPN for all remote workers – If employees work from home during holidays, mandate VPN usage for any work-related access. 

Legal Considerations

According to FindLaw’s employment law guidance, employers have the legal right to: 

  • Monitor all communications and computer activity on company-owned devices 
  • Read employee emails and retain copies as needed 
  • Restrict personal activities on company networks 
  • Block specific websites or categories of sites 

However, you must consider employee privacy and comply with state-specific laws. California’s CPRA, for example, extends restrictions on how employers collect, use, and share personal data from employees. This is not legal advice—always consult your own legal counsel to confirm compliance with privacy and state-specific laws.  

The Framework for Your Policy

Your internet use policy should: 

  • Clearly specify acceptable personal use parameters 
  • Explain cybersecurity risks in plain language 
  • Define consequences for policy violations 
  • Address social media, online shopping, and personal email separately 
  • Require strong passwords and prohibit unauthorized downloads 
  • Be reviewed by an employment law attorney for state compliance

You have three choices: 

  1. Fight human nature and lose productivity plus security 
  2. Ignore it and hope for the best (worst option) 
  3. Work with human nature strategically 

The worst thing you can do is have an unenforced policy that everyone ignores. That breeds contempt for all company policies and creates legal liability when you do need to enforce something. 

Pick a strategy that fits your business model. Communicate it clearly. Enforce it consistently. And make sure your cybersecurity measures are rock-solid regardless of which approach you choose. 

Your employees will shop during the holidays. The only question is whether they do it in a way that protects your business or exposes it to risk. 
