Rarely a day goes by without news of a data breach or a hacker gaining access to sensitive corporate information or, even worse, private customer information.
The push for economic globalization over digital infrastructure has created new challenges for companies. At the same time, employees are demanding greater access to information from both corporate-owned and personal devices in order to increase productivity and efficiency and remain competitive. With so much effort going into securing these ever-expanding digital activities, some very low-tech hacking is taking place that companies may not even be aware of.
Many methods of hacking exist, but one of the most prevalent ways to gain access to unauthorized data is through social engineering. Defined as a non-technical method of hacking that relies on human interaction and manipulation (http://searchsecurity.techtarget.com/definition/social-engineering), social engineering comes in many flavors—from phishing schemes to impersonation.
One form of social engineering that gets little attention, however, is viewing or capturing sensitive information for unauthorized use. Also known as visual hacking, this low-tech threat often is overlooked within companies’ security policies and procedures—meaning that sensitive and valuable company data could be exposed without a company even noticing.
The Office of Personnel Management (OPM) data breach, which exposed the records of millions of federal employees, has been described as the largest single security breach in government history. The attackers gained access to the systems through a compromised credential (http://phys.org/news/2015-06-opm-chief-contractor-credential-breach.html). While we don’t know how that credential was compromised, visual hacking is a very real possibility. It would not be the first compromise to happen through stolen logins and passwords, and it certainly won’t be the last.
Companies need to act swiftly to turn the tide and ensure their employees are educated about this problem and properly prepared to help prevent it.
Where to Begin?
One of the best ways to help stop visual hacking is through training and awareness.
Security-awareness training should start with the onboarding or new-hire orientation program. It’s at this time that most employees are most receptive to learning what they will need to do to be successful. An organization’s IT department or chief information security officer (CISO) is typically responsible for providing security-awareness training, but the HR department may be more effective at influencing the behavior changes needed to help stop visual hacking, because it is in constant contact with employees throughout their tenure at a company.
A primary goal of your security awareness training should be ensuring employees understand they are responsible for protecting sensitive corporate information. This includes educating them about how visual hackers may seek to exploit visual privacy gaps in their jobs and workspaces.
The Visual Hacking Experiment conducted by Ponemon Institute on behalf of the Visual Privacy Advisory Council and 3M Company offers some eye-opening statistics about the ease with which visual hacking can occur today. In the study, white hat hackers were asked to perform three tasks in different office settings:
- View sensitive information on a monitor
- View sensitive information on a desktop or printer
- Take a picture of the information with their smartphone
The hackers succeeded in accessing sensitive corporate information 88 percent of the time, and were not challenged by anyone 70 percent of the time. This emphasizes the need for employees to pay attention to people, even within their trusted work environments, and act accordingly. The intent is not to make employees distrustful of their colleagues but rather to ensure they know that visual-hacking attempts often go undetected and can come in any form.
Ultimately, employees must feel a sense of empowerment to be part of the solution versus part of the problem. Awareness must be consistent and continuous in order to effectively drive cultural change and protect information.
It is also important to address the problem through enhanced policies and procedures. The specific measures put in place will vary for each organization based on the unique risks they face, but some widely applicable policies and procedures include:
- Implementing clean-desk policies to help ensure employees never leave sensitive company or customer data on a desk when it is not in use. Even if a worker steps away for only a few minutes, he or she is creating an opportunity for someone to obtain the data and misuse it.
- Requiring printed material to be collected immediately from shared printers, copiers, and fax machines. An output tray left unattended is another opportunity for data to be stolen and misused.
- Ensuring monitors and devices are not within viewing range of prying eyes, either by angling the screen away from walkways and doorways or by using privacy filters that black out the screen when viewed from the side. Privacy filters narrow the viewing angle but do nothing for a screen left unlocked and unattended, so pair them with an automatic screen lock after a short idle period.
- Empowering employees to ask wandering guests or visitors whether they need help. Even in buildings with heavy traffic from contractors, cleaning crews, and other people passing through, it’s better to be safe than sorry.
The OPM data breach illustrates that breaches can’t always be traced back to a specific root cause, and the Ponemon study shows that attacks can happen within the trusted walls of a company. Companies need to address visual hacking or risk becoming another statistic in the Data Breach Hall of Fame.
Patricia Titus is the chief information security officer at Markel Corporation located in Richmond, VA. She serves on the Board of Advisors for Guardant Global, a worldwide services company. She is a Distinguished Fellow at the Ponemon Institute and serves on the Visual Privacy Advisory Council focusing on Visual Hacking issues. Titus receives compensation from 3M in connection with her participation on the council.