Let’s start with a couple of questions: are you reading this in a public place or open plan office and if so, is there any chance that someone could see your screen? Have you ever seen something on someone else’s screen that was clearly not for sharing? Both anecdotal evidence and several studies suggest that the majority of people would answer ‘yes’ to one or both of these questions and this indicates that ‘visual hacking’ is a very real security risk.
Sometimes also referred to as ‘shoulder-surfing’, visual hacking is the ability to view and even photograph information on someone else’s screen. That information can then be exploited for malicious or illegal purposes, such as being sold to a third party, used for identity theft or used to perpetrate a cyber-attack.
Until recently, visual hacking often took a back seat to other forms of information security, but that is changing fast, partly driven by the fact that visual privacy is implicit within the General Data Protection Regulation (GDPR). Because GDPR is a principle-based regulation, organisations are not given a set of specific actions, but rather are required to think about what compliance requires. In practice, this means that it is immaterial whether a breach is caused by digital or physical means.
Ensuring visual privacy is also explicit or implicit within a variety of industry guidelines and standards in the UK, across financial services, the legal profession and public sector, including government departments and education. Visual privacy is often included within ISO27001 compliance strategies too.
An aspect of visual hacking of particular concern is that it is fast and easy to achieve, without requiring any specialist skills. Back in 2016, 3M, the science-based technology company, commissioned the Global Hacking Experiment, carried out by the independent and global security specialist, The Ponemon Institute. Covering eight countries, including the UK, France and Germany, the experiment had a ‘white hat’ hacker pose as a temporary contractor, complete with ID (with the permission of the participating companies). In total, there were 157 trials, which involved trying to obtain sensitive or confidential information in one of three ways: walking through an office looking for information in full view on desks, monitor screens, printers and so on; taking a stack of business documents labelled confidential from a desk and putting them in a briefcase; and using a smartphone to take images of confidential information displayed on computer screens. All tasks took place in full view of other office workers.
The results underlined the theoretical threat of visual hacking. On average, hacks were successful in 91% of attempts, and around half of those took less than 15 minutes. Information obtained included personal identification information, access and log-in details, financial data and a wide variety of other confidential material. Plus, the white hat hacker was challenged in only around 30% of attempts on average.
The potential risk landscape increases the more that people work in public spaces. Another Ponemon study for 3M, the Open Spaces survey, found that nine out of ten people questioned said they had caught someone looking at data on their laptops in public. That risk is set to rise unless steps are taken: in analyst firm Quocirca’s recent Print2025 survey of more than 1500 organisations across the globe, two-thirds believe their workforces will be mobile in five years’ time.
Prevention in practice
There are a variety of measures that can be put in place to improve visual privacy, and some of them are particularly easy, fast and cost-effective to implement, especially when compared to many other security investments. The starting point has to be better awareness, with staff aware not just of the risks, but of their individual roles in preventing visual hacks. That needs to be a top-down mandate, supported by senior management, including making it clear to employees that they are encouraged – indeed, required – to confront or report someone they do not recognise, who is not wearing clear ID, or who is in an unauthorised part of a building.
Many firms already have clear-desk policies, but the need to keep documents and other material containing sensitive information out of sight in offices needs to be reinforced.
Confidential documents should be kept in locked cabinets when not in use, plus staff should not leave documents in mailroom, copier, fax and printer trays. Many modern multi-function printers support ‘pull printing’, whereby a document is only released to an authorised user at point of collection. It goes without saying that shredding and an overall reduction of unnecessary paper usage should already be in place.
The Ponemon Global Hacking Study found that approximately half of all sensitive data obtained was via viewing people’s screens, so clearly, protecting these from onlookers needs to be a priority. Password-protected screen-savers and automatic lock-outs after a short idle period are ‘old school’ but highly effective at reducing the amount of time a screen may be visible. Screens should also be angled away from passers-by: for instance, in a public place, employees are advised to sit with their backs to a wall.
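The screen-saver and idle-lock advice above is only effective if the settings are actually enforced on every device, so it is worth auditing them. The following PowerShell script is an added example, not code from the article or from 3M: it reads the documented Windows registry values that control the screen saver, its idle timeout and the ‘display logon screen on resume’ option, and reports whether the current user meets an assumed ten-minute lock threshold. The threshold (`$MaxIdleSeconds`) and the function names are assumptions for illustration; the registry paths and value names are the standard ones that Windows and Group Policy use.

```powershell
# Added example: audit the current user's screen-lock settings on Windows.
# Group Policy writes the same value names under the HKCU Policies hive, and that
# hive takes precedence over the per-user setting, so it is checked first.

function Get-ScreenLockSetting {
    param([string]$Name)
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $path }
        }
    }
    return $null
}

function Test-ScreenLockPolicy {
    # Assumed threshold for this example: the screen must lock within 10 minutes of inactivity.
    param([int]$MaxIdleSeconds = 600)

    $active  = Get-ScreenLockSetting -Name 'ScreenSaveActive'     # "1" = screen saver enabled
    $secure  = Get-ScreenLockSetting -Name 'ScreenSaverIsSecure'  # "1" = password required on resume
    $timeout = Get-ScreenLockSetting -Name 'ScreenSaveTimeOut'    # idle seconds before it starts

    $findings = @()
    if (-not $active -or $active.Value -ne '1') {
        $findings += 'Screen saver is not enabled (ScreenSaveActive is not 1).'
    }
    if (-not $secure -or $secure.Value -ne '1') {
        $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure is not 1).'
    }

    $timeoutSeconds = $null
    $timeoutSource  = $null
    if (-not $timeout) {
        $findings += 'No idle timeout configured (ScreenSaveTimeOut missing).'
    } else {
        $timeoutSeconds = [int]$timeout.Value
        $timeoutSource  = $timeout.Source
        if ($timeoutSeconds -gt $MaxIdleSeconds) {
            $findings += "Idle timeout is $timeoutSeconds s, longer than the $MaxIdleSeconds s limit."
        }
    }

    [pscustomobject]@{
        Compliant      = ($findings.Count -eq 0)
        TimeoutSeconds = $timeoutSeconds
        Source         = $timeoutSource
        Findings       = $findings
    }
}

# Run the audit for the current user and use the exit code so a fleet tool can collect the result.
$result = Test-ScreenLockPolicy
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Run it under the user whose session you want to check; the `Source` field shows whether the effective value came from Group Policy or from the user’s own settings, which is the first thing to confirm when a device reports non-compliance.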
Of course, that is not always viable, for example when in the audience at a conference, on a plane or train. This is where privacy filters make a difference, because screens are only viewable at very close range to the user. The latest generation of privacy filters are designed to be easily flipped up or down, depending on when someone wants to share their screen. Filters can be applied to monitors, laptops, tablets and even smartphones.
While digital security threats continue to become more complicated and often harder to address, locking down visual hacking is at least one way in which those responsible for risk, compliance and security can better protect organisations, their employees and customers’ data.
By Peter Barker, EMEA Market Development Manager, Display Materials and Systems Division at 3M