Most workers are probably very aware that it is possible for their on-screen information – whether on a desktop, laptop or other device – to be viewed and that there’s a potential security issue to consider. How seriously that risk has been taken is questionable, but it’s probably true to say that most organisations have not given visual privacy the same level of attention as other elements within the security strategy.
However, we’re beginning to see more organisations mandate visual privacy measures, and for good reason, if the results of a recent experiment conducted by the Ponemon Institute in the USA are taken to heart.
The Ponemon study involved a ‘white hat hacker’ – in other words, a penetration testing specialist – entering the offices of eight US-based companies in the guise of a temporary or part-time worker. He then attempted to visually hack sensitive or confidential information in three ways: walking through the office looking for information in full view on desks, screens and other locations; taking a stack of business documents labelled as confidential; and finally, using his smartphone to take pictures of confidential information displayed on screens.
Eighty-eight per cent of attempts carried out by the ‘white hat hacker’ were successful and, despite all three of these methods taking place in full view of co-workers, he was not stopped in more than two-thirds of incidents. Furthermore, he was able to obtain an average of five pieces of sensitive or confidential information per attempt, including contact lists, customer information, financial data, employee information and employee log-in information.
The easiest departments to hack were customer service, communications and sales, while the hardest were legal and finance, perhaps because they are more closely involved in dealing with confidential information on a daily basis. Something else that the Ponemon experiment highlights is that while mobile working in public places carries the highest visual security risk, the office is not necessarily safe either. After all, an increasing number of offices are open-plan, often with visitors and contractors passing through.
Plus, there’s the fact that not all employees should be privy to all information: imagine a disgruntled employee witnessing some confidential on-screen data, taking a quick snapshot with his or her smartphone and then selling that information. Sounds like scaremongering? A recent PWC research study into global cyber security, which reported on the increasing incidence of IP theft – including data – pointed out that most security incidents are caused by company insiders.
Protection From Prying Eyes
In the UK, more organisations are beginning to include visual privacy as an integral part of their security strategies, incorporating it as part of their ISO 27001 compliance procedures or, in the financial sector, as part of their commitment to FCA guidelines.
While other aspects of security can be complex to address – such as ensuring that content is encrypted or implementing password protection systems – visual privacy is comparatively simple and cost-effective. On a very basic level, just making sure that staff are more aware of the need to protect their screens from prying eyes will make a difference (in exactly the same way that most of us know not to let anyone else in the ATM queue see us keying in our four-digit PIN numbers).
You could, for example, encourage people to position their screens so that they are less easy to view. However, this does not solve the problem, particularly in open-plan or public areas. This is why a growing number of organisations are adopting privacy filters, which provide far more robust visual protection. These can be easily slipped on to desktop monitors, laptops, tablets and smartphones, so that only the direct viewer at close range can see the on-screen information (to anyone else, the screen will look blank). The filters can be easily removed when necessary.
We all know that hackers are smart people, always on the look-out for new ways to infiltrate a company. Any organisation that wants to ensure that all areas of vulnerability are protected as much as possible will want to be sure that the security risks around ‘shoulder surfers’ or ‘visual hackers’ are given proper attention.