The risk of external threats can mask internal perils
Low tech methods of capturing sensitive and confidential information can put a company at risk of a much larger data breach. A 2015 study has shown that “visual hacking” is a significant threat.
The Ponemon Institute conducted a visual hacking experiment on behalf of 3M Company and the Visual Privacy Advisory Council (VPAC) using computer security experts specialising in penetration testing who posed as temporary or part-time workers. The experts attempted to visually hack sensitive or confidential information by walking through offices looking for information in full view on desks and monitors, rifling through unattended piles of documents and using smartphones to photograph information displayed on screens. Amazingly, all these tasks were completed in full view of other office workers.
“In today’s world of spear phishing, it is important not to ignore low-tech threats, such as visual hacking,” says Larry Ponemon, chairman and founder of Ponemon Institute. “A hacker often only needs one piece of valuable information to unlock a large-scale data breach. This study exposes both how simple it is for a hacker to obtain sensitive data using only visual means, as well as employee carelessness with company information and lack of awareness to data security threats.”
The study revealed some interesting facts. Different types of information were visually hacked, on average 5 pieces per trial. This included employee contact lists (63%), client information (42%), company financial information (37%), staff access and login information/credentials (37%) and information about employees (37%).
Unprotected or unsupervised devices posed the greatest opportunity for the visual hacker. 53 per cent of sensitive information hacked was gathered from screens. This included access or login credentials, confidential documents and financial and accounting information.
No matter what industry you work in or the size of your organisation, visual privacy threats should be addressed and the following reviewed:
- Are shredders located near copiers, printers and desks where confidential documents are regularly handled?
- Are computer screens angled away from high-traffic areas and windows, and fitted with privacy filters?
- Do employees keep log-in and password information posted at their workstations or elsewhere?
- Are employees leaving computer screens on or documents out in the open when not at their desks?
- Do employees know to be aware of who is on the premises and what they are accessing, photographing or viewing?
- Are there reporting mechanisms for suspicious activities?
- Is visual privacy and insider threat awareness part of induction and ongoing security training?
The study highlights that not all threats are external and that best practice is as important as technical solutions.