Real risk of visual hacking

by Mark Rowe

The security market is of course well-versed in all the main elements of information security, but one area that has until recently received relatively little attention is the topic of visual hacking. That is fast changing, with users, resellers and advisers realising that not only are visual privacy breaches a very real risk, mitigation is comparatively easy, at least when compared to more complex and costly info-security measures, writes Peter Barker, of 3M.

The potential scale of the visual hacking opportunity was highlighted very recently by the results of a global experiment conducted by the Ponemon Institute, on behalf of 3M, the science-based technology company. The study found that visual hacking is both easy and fast to achieve. 91 per cent of visual hacking attempts worldwide were successful, only around a third were challenged, and around half were achieved in 15 minutes or less.

When considering what visual hacking actually is, perhaps this is not surprising. Put simply, it is the ability to obtain sensitive data by viewing someone else’s information. As well as documents, this increasingly includes information viewed on people’s screens, of which most people these days have several: a smartphone, a laptop, a desktop computer, perhaps a tablet too. In the Global Visual Hacking Experiment, globally on average 52 per cent of the sensitive information gained was from electronic screens of one form or another. The UK figure was an average of 44 per cent. The best performer was Germany, with just 33 per cent obtained during this month, with [South] Korea being the worst at 70 per cent. However, none of these results can be deemed ‘good’.

Let’s examine the experiment in more detail. It was conducted across eight countries (Germany, [South] Korea, Japan, India, France, China and the UK in 2016, and in the US in 2014) and involved a total of 157 ‘trials’ with the offices of a variety of organisations, ranging from 25 to 100 employees. In all cases, designated people at the participating companies were given two days’ notice before each trial, which involved a white hat hacker impersonating a temporary office worker, complete with a valid and visible security badge. Total estimated time for each trial was two hours.

The trials involved trying to obtain sensitive or confidential information in three ways: walking through the office looking for information in full view on desks, monitor screens and other locations such as printers and copiers; taking a stack of business documents labelled confidential from a desk and putting them in a briefcase; and using a smartphone to take images of confidential information displayed on computer screens. All three types of task were carried out in full view of other office workers.

Information obtained was varied, including: personal identification information, customer and employee details, general business correspondence, access and log-in credentials, confidential or classified documents, attorney-client privileged documents, plus financial, accounting and budgeting information.

Some departments seemed to be better at managing visual privacy than others: sales, customer services and communications were the most vulnerable, with the most secure being legal, followed by Quality Assurance and R&D. Accounting and finance fell in the middle. However, across all functions, where visual security measures were in place, the number of successful visual hacks dropped by 26 per cent, proving that it is worthwhile making the effort to implement such practices.

Clean desk policies, routine shredding of documents, re-instigating automated log-ins and screen savers after short periods of inactivity are all simple, relatively inexpensive and effective. Education is key, from management downwards: if people are aware that they have a responsibility to protect information from prying eyes, they are in theory more likely to take extra care in the future.

Whether in the office or working remotely, a very simple step is to make sure that a screen is angled so that it cannot be viewed. Sit in a corner rather than by the queue for coffee. Alternatively, consider adoption of privacy filters, which can be easily slipped on and off screens of all kinds and prevent on-screen data from being viewable except straight on and at close range. So, someone taking a sideways glance or several feet behind the screen will see just a blank image.

As the global visual hacking experiment shows, visual privacy breaches are alarmingly easy to achieve, but the good news is that they are preventable, by taking some simple and cost-effective steps. While visual hacking is just one element of a much wider set of security risks, it is certainly one of the fastest, easiest and most cost-effective to lock down.

About the author

Peter Barker is Market Development Manager, EMEA, Display Material and Systems Division at 3M. 3M is a trademark of 3M Company. For more about visual privacy and details of privacy filters available from 3M visit: www.3M.co.uk/privacyfilters.
