By Peter Barker, 3M
Information security management should cover all the ways in which data can be shared or viewed, and that includes visual privacy. With so much focus on cyber-threats, visual privacy has perhaps not been given the attention it needs, but that is changing fast, with organisations of all kinds incorporating this form of physical information security into their overall security strategies.
This has partly been driven by the fact that visual privacy is implicit within the General Data Protection Regulation (GDPR), which, as a principle-based regulation, puts the onus on organisations to think through GDPR requirements rather than having regulators hand them a list of specific actions to follow. So it does not matter whether an unauthorised data disclosure results from a hacker launching a sophisticated cyber-attack or from a stranger taking a picture of potentially highly sensitive data displayed on an employee’s laptop screen. As well as the GDPR, ensuring visual privacy is implicit or explicit in a variety of industry-specific guidelines and standards, including those for financial services, legal, healthcare, education and the public sector.
Compliance is not, however, the only reason that organisations are taking visual privacy more seriously. There is a growing realisation of just how easy ‘visual hacking’ or ‘shoulder-surfing’ is to carry out. The most robust security software in the world is immediately undermined if someone can view or even photograph confidential information on a document or screen. Company information can be sold, identities stolen and user credentials used to break into a corporate network.
In the Global Visual Hacking Experiment conducted in 2016 by global security specialist The Ponemon Institute and sponsored by 3M, the science-based technology company, a white hat hacker posed as a temporary office worker in offices in eight countries (with the participating organisations’ permission). The hacks were successful in more than 90 per cent of attempts, with 49 per cent taking 15 minutes or less. The hacker was challenged in only approximately a third of attempts. This shows just how easy visual hacks are to achieve: no specialist skills are required. Alarmingly, anyone can be a visual hacker.
That study was conducted inside open plan offices, but the potential risk landscape expands as people increasingly work in public spaces. According to a 2019 Quocirca survey of more than 1500 organisations, 66 per cent believe their workforces will be mobile by 2025. In the Open Spaces survey conducted by the Ponemon Institute, nine out of ten people questioned had caught someone looking at data on their laptops in public.
Stop visual hacks in their tracks
Fortunately, improving visual privacy is achievable through a number of methods. Here are some of the steps that banks, fintech vendors and other firms involved in the financial sector are already implementing.
1. Awareness and management support – ensure that employees are aware not only of the visual hacking risk, but also of their own responsibility to keep information secure from prying eyes. And, as with so many initiatives, visual privacy measures are more likely to be followed if they are backed at executive level.
2. Clear it away – paper can be a visual security risk too, so make sure that confidential papers are not left where they can be observed or photographed. Likewise, make sure that mailroom, copier, printer trays and fax machines do not contain documents yet to be collected. ‘Pull printing’ is a technique built into some modern machines that ensures documents can only be collected by an authorised person. Shredding and reduction of paper usage should be routine by now.
3. Speak up – employees should feel empowered to politely confront or report anyone they do not recognise, who is not displaying clear ID, or who is in an unauthorised location.
4. Make it hard – angle screens away from easy viewing. In public, sit with your back to a wall. Screensavers and automatic log-offs are nothing new, but they are highly effective at reducing the amount of time displays can be seen.
5. Use privacy filters – the latest generation of these is designed to be easily flipped up or down, depending on whether someone wants to share their screen. When down, on-screen data is only visible straight on and at close range, so someone taking a sideways glance, or looking from a seat in the row behind, will see just a blank image. Filters can be applied to monitors, laptops, tablets and even smartphones.
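Step 4 relies on the idle screen lock actually being enforced on every endpoint. The following read-only PowerShell audit is an added example, not part of the article or of 3M's material: it reads the Windows registry values that Group Policy and the user's own settings use for the screensaver lock, plus the machine-wide inactivity limit, and flags any source that does not lock within an assumed organisational maximum of 600 seconds (the threshold is an assumption; adjust it to your policy).

```powershell
# Added example: audit a Windows endpoint's idle screen-lock settings (read-only).
$MaxIdleSeconds = 600   # assumed organisational maximum idle time before lock

# Where the idle lock can be set. Group Policy values take precedence over the
# per-user Control Panel values, so a compliant policy key makes the user key moot.
$Sources = @(
    @{ Name = 'Group Policy (user)'; Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' },
    @{ Name = 'User setting';        Path = 'HKCU:\Control Panel\Desktop' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-LockSource {
    param([string]$Name, [string]$Path)
    $active  = Get-RegValue $Path 'ScreenSaveActive'      # 1 = screensaver enabled
    $secure  = Get-RegValue $Path 'ScreenSaverIsSecure'   # 1 = password required on resume
    $timeout = Get-RegValue $Path 'ScreenSaveTimeOut'     # idle seconds before it starts
    if ($null -eq $active -and $null -eq $secure -and $null -eq $timeout) { return $null }
    $seconds = 0
    if ("$timeout" -match '^\d+$') { $seconds = [int]$timeout }
    $compliant = ("$active" -eq '1') -and ("$secure" -eq '1') -and
                 ($seconds -gt 0) -and ($seconds -le $MaxIdleSeconds)
    [pscustomobject]@{
        Source     = $Name
        Enabled    = "$active" -eq '1'
        Locks      = "$secure" -eq '1'
        IdleSecs   = $seconds
        Compliant  = $compliant
    }
}

$findings = foreach ($src in $Sources) { Test-LockSource -Name $src.Name -Path $src.Path }

# Machine inactivity limit ("Interactive logon: Machine inactivity limit"); locks the
# session after N idle seconds regardless of screensaver settings. 0 or absent = off.
$machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$machineSecs  = 0
if ("$machineLimit" -match '^\d+$') { $machineSecs = [int]$machineLimit }
$findings += [pscustomobject]@{
    Source = 'Machine inactivity limit'; Enabled = $machineSecs -gt 0; Locks = $machineSecs -gt 0
    IdleSecs = $machineSecs; Compliant = ($machineSecs -gt 0 -and $machineSecs -le $MaxIdleSeconds)
}

$findings | Format-Table -AutoSize
if (-not ($findings | Where-Object Compliant)) {
    Write-Warning "No source enforces a lock within $MaxIdleSeconds seconds; unattended screens stay readable."
}
```

The endpoint passes if at least one row is compliant; an enabled screensaver with `Locks` false only blanks the display without requiring a password, which is the weak configuration to look for.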
Security management is a multi-faceted challenge, but reducing the risk of visual hacking is one measure that is relatively simple, fast and cost-effective. For any organisation, whether in the financial sector or not, building better visual privacy into security policies is a smart decision.