How real is the risk of visual hacking?
Most organisations are realising that information security strategies have to be multi-faceted in order to be effective. There is no single silver bullet – instead, a layered approach, preventing and monitoring security issues on a variety of fronts, is fast becoming the norm. Additionally, a growing number of both public and private sector enterprises are becoming aware that visual security is a very real risk.
What we’re talking about here is ‘visual hacking’ or ‘shoulder surfing’ – someone viewing confidential information on somebody else’s screen, whether a desktop monitor, laptop, tablet or smartphone, and then using that information for malicious or illegal ends.
Such is the level of concern around this area of security risk that a diverse range of organisations are now incorporating visual privacy into their security strategies.
In the public sector, this includes the Cabinet Office, the Department of Work and Pensions and the Foreign and Commonwealth Office. In the commercial sector, banks are increasingly mandating visual privacy guidelines organisation-wide.
So how real is this risk? In common with most other types of security incident, the exact scale or known number of visual hacks is impossible to determine, but a recent Ponemon Institute study, commissioned by 3M, discovered how easy these acts are to execute.
In the study, a ‘white hat hacker’ (AKA a penetration testing specialist) entered the offices of eight US-based companies in the guise of a temporary or part-time worker.
He then attempted to visually hack sensitive or confidential information in three ways: by walking through the office looking for information in full view on people’s desks and screens; picking up business documents labelled ‘confidential’; and taking photos of on-screen information using the camera built into his smartphone.
Alarmingly, he was stopped in less than one third of visual-hack attempts. He was able to get his hands on an average of five pieces of sensitive or confidential information in each attempt, including contact lists, customer information, financial data, employee information, employee access and log-in information.
The most difficult departments to ‘hack’ were legal and finance – perhaps because people who work in these departments are more aware of the sensitive data they handle on a daily basis. The most vulnerable departments were customer service, communications and sales.
Given the prevalence of open-plan working, with visitors or part-time contractors coming and going, organisations clearly need to pay more attention to this possible risk element.
That said, mobile working clearly has the greatest potential for risk – particularly with so many workers now accessing their laptops and other devices whilst working in cafes, hotel lobbies and other public areas.
Anecdotal evidence from a recent survey in which 3M was involved includes respondents citing examples of content they have deliberately or accidentally witnessed on someone else’s screen: banking details and passwords, the accounts for a merger or acquisition, salary information, and other HR matters.
So mobile working could well be a very real problem. What can be done to protect sensitive company data?
Protection from prying eyes
The good news is that visual security is relatively simple, fast and inexpensive to address compared with many other areas of information security.
Just educating staff about visual hacking and the need for them to take greater responsibility for protecting their own screens will go a long way towards improving this aspect of security risk.
In the same way that they make sure that no-one can see their PINs when they are using bank ATMs, the same care should apply to protecting data on their personal or work screens.
It is also important to encourage people to angle screens away from open view, to make use of screensavers, and to configure devices to lock automatically, requiring a fresh log-in, if they are not used for more than a minute or two.
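The automatic lock described above is only effective if it is actually configured, so an added example (not part of the original article) is a PowerShell audit that checks whether a Windows workstation locks within the recommended window; the 120 second threshold is this example's assumption, and the registry locations are the standard Windows screen-saver and machine-inactivity settings.

```powershell
# Added audit example: does this workstation lock itself after a short idle period?
# Threshold (seconds) is an assumption matching the article's "a minute or two".
$MaxIdleSeconds = 120

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveUserSetting {
    # Group Policy value wins over the user's own setting when both exist.
    param([string]$Name)
    $v = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($null -eq $v) { $v = Get-RegValue 'HKCU:\Control Panel\Desktop' $Name }
    return $v
}

# Per-user screen saver: must be active, password-protected on resume, and
# have a screen saver selected, otherwise the timeout never triggers a lock.
$active   = [string](Get-EffectiveUserSetting 'ScreenSaveActive')
$secure   = [string](Get-EffectiveUserSetting 'ScreenSaverIsSecure')
$saver    = Get-EffectiveUserSetting 'SCRNSAVE.EXE'
$timeout  = 0
[void][int]::TryParse([string](Get-EffectiveUserSetting 'ScreenSaveTimeOut'), [ref]$timeout)

# Machine-wide "Interactive logon: Machine inactivity limit" (seconds);
# this locks the session without needing a screen saver at all.
$machineLimit = 0
[void][int]::TryParse([string](Get-RegValue `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'), [ref]$machineLimit)

$screenSaverLocks = ($active -eq '1') -and ($secure -eq '1') -and $saver -and
                    ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)
$machineLocks     = ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)

if ($machineLocks) {
    "PASS: machine inactivity limit locks the session after $machineLimit s"
} elseif ($screenSaverLocks) {
    "PASS: password-protected screen saver engages after $timeout s"
} else {
    "FAIL: no automatic lock within $MaxIdleSeconds s"
    if ($machineLimit -gt 0) { "  machine inactivity limit is $machineLimit s (too long)" }
    if ($active -ne '1')     { "  screen saver is not active" }
    if ($secure -ne '1')     { "  screen saver does not require a password on resume" }
    if (-not $saver)         { "  no screen saver selected, so the timeout never fires" }
    if ($timeout -eq 0 -or $timeout -gt $MaxIdleSeconds) { "  screen saver timeout is $timeout s" }
}
```

On a domain-joined machine the reliable fix is the machine-wide inactivity limit pushed by Group Policy, since users can change their own screen-saver settings.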
Also consider using privacy filters, which mean that screens can only be viewed at close range and at a direct angle. Someone trying to get a sideways glance will just see a dark, blank screen.
These filters can be easily slipped onto – and removed from – laptop, desktop monitor and tablet screens. Growing in popularity, they have been specifically cited by both the Department of Work and Pensions and the Foreign and Commonwealth Office as part of their security and privacy procedures.
Of course, visual privacy is just one element in a complex and ever-evolving security environment. There are new challenges all the time, and innovative attackers constantly find new ways to obtain information.
However, given that visual security is an area that is relatively easy to address, prevention of visual hacking should certainly be on the agenda of any security-conscious organisation today.