By Peter Barker, 3M
We all know that security is a concern and a big focus for the financial services industry worldwide. Most of us are also pretty familiar with the typical types of security problems or breaches, but are perhaps less aware of what is known as visual hacking. However, the results of a global experiment carried out by the Ponemon Institute and sponsored by 3M, the science-based technology company, has demonstrated that this form of security risk is worryingly easy and fast to execute. Worldwide, 91 per cent of visual hacking attempts were successful.
Before we look at the results in more detail, let’s remind ourselves exactly what is visual hacking. Put simply, it is the ability to obtain sensitive information by viewing someone else’s screen, whether in the office, on the move or working remotely. Think about it: how many visual displays do most of us have? Many workers will have a desktop monitor, a laptop, a mobile phone and some kind of tablet device, perhaps more. That’s four areas of potential vulnerability.
A global experiment
The Global Visual Hacking Experiment conducted by the Ponemon Institute highlighted the potential risks of not securing information from prying eyes. The 2016 experiment covered eight countries in total: Germany, South Korea, Japan, India, France, China and the UK , and followed on from an initial project in the US in 2014. A total of 157 ‘trials’ were carried out, across a broad array of organisations including the financial services sector, with company sizes ranging from less than 25 to more than 100 employees.
In the experiment, a ‘white hat’ visual hacker (a computer security expert, specialising in testing the security of organisations’ information systems) assumed the role of temporary office worker and was assigned a valid security badge worn in visible sight. Total estimated time for the study was two hours. Participating companies were provided advance notice approximately two days before each trial.
The white hat hacker attempted to visually hack sensitive or confidential information using three methods: walking through the office scouting for information in full-view on desks, monitor screens and other indiscrete locations like printers and copy machines; taking a stack of business documents labelled as confidential off a desk and placing it into a briefcase; and using a smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in full-view of other office workers at each participating company. The white hat hacker was only confronted in a global average of just 32 per cent of attempts.
Out of all the information obtained that was deemed sensitive, 52 per cent was obtained by viewing people’s screens. The best performing country – Germany – was 33 per cent, with South Korea the worst at 70 per cent. Around half of all successful hacks took 15 minutes or less to achieve.
Not all departments were equally vulnerable. The office functions easiest to hack were sales, customer services and communications, followed by accounting and finance, and human resources. The most secure were legal, closely followed by Quality Assurance and R&D.
Information obtained was wide-ranging and included: personal ID, customer data, employee details, general business correspondence, access and log-in credentials, confidential or classified documents, attorney-client privileged documents, financial, accounting and budgeting information.
Light on the horizon
Where visual security practices were in place there was a global average reduction in successful hacks by 26 per cent. Measures to mitigate visual hacking are often very simple, such as clean desk policies, document shredding, or simply just educating employees around the need to be protect visually accessible information more efficiently. Also be aware of visitors and contractors who might present a security risk.
Other measures might include use of screen-savers and automatic log-in after a few minutes of inactivity. Plus, just ensuring that screens are not positioned at an easily viewable angle is a step in the right direction.
Another, more robust approach is to use privacy filters. Already adopted by a variety of financial institutions, these are film-based devices that can be slipped on and off a variety of screens, from desktop monitors to smartphones. Once in place, the on-screen data is only visible either at very close range and ‘straight on’, so it is effectively invisible to someone looking over a shoulder or taking a sideways glance.
Above all, visual privacy needs to be a management-level topic and an integral part of overall security strategies, rather than just an afterthought. Putting in place visual hacking controls is only one part of a much bigger security challenge, but it is one that is relatively simple and cost-effective for the financial services industry to address.
3M is a trademark of 3M Company.