Visual Data Protection – an Often Overlooked Security Risk

By Jack Halewood, 3M

Let’s start with a question: as you’re reading this, can anyone else possibly see your screen?  Even if not right now, how often in the office or a public place do you look at information on a screen, whether a tablet, smartphone or laptop?

The reality is that while most financial services companies have implemented very strict information security policies, protecting a screen from prying eyes is often forgotten.  Yet there is an 80 per cent chance that UK workers have already been victims of others reading over their shoulders – known as ‘shoulder surfing’ – according to research commissioned by 3M.

While it may be hard to pin down the contribution that ‘visual hacking’ makes to information leaks, the risk is clear: data breaches can cost a financial services organisation more than just loss of reputation. According to the Pomenon Institute’s 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company was $3.5 million US dollars and 15 per cent more compared to 2013.  The UK’s Department of Business Innovation & Skills (BSI) 2014 Information Security Breaches Survey 2014 found that the average cost of a large organisation’s worst breach is 600,000 -1.5 million GPB.

Staying with the UK for a moment, the Information Commissioner’s Office (ICO), which has the power to levy fines up to £500,000 for data breaches, issued 20 monetary penalties in 2012-2013 – including some in the financial industry – totalling £2.6 million.

Although the Financial Services Authority (FSA) has been replaced by the Financial Conduct Authority (FCA), its guidelines are still relevant to the financial services sector and its previous documentation has covered visual security, including phone cameras and mobile workers. The UK Financial Services and Markets Act 2000 – which forms the legal basis for determining fines – states that a company must show it ‘took all reasonable precautions and exercised all due diligence’. This includes physical security measures.

Europe-wide, the proposed General Data Protection Regulation (GDPR) could see fines of up to five per cent of annual turnover levied if its supporters get their way.  Worldwide, there is increasing focus on data breach clamp-downs, for example most American states have implemented relevant legislation.

Mobile working makes it worse

With more people working remotely on mobile devices and the size of their screens increasing (with the advent of tablets and ‘phablets’), the visual security risk could grow.  Recent research from Canalys shows a third of the 279.4 million smartphones that shipped globally in the first quarter of 2014 had screens larger than five inches.

The risk is exacerbated with the availability of high resolution cameras built into most smartphones, making it all too easy to snap a picture of a screen. Anecdotally, I’ve heard of information posted on social media as a result of someone’s screen being viewed on a train, plus another example where another passenger suggested a spelling correction to a senior executive reviewing a document.  I suspect that these examples are just the tip of the iceberg.

Apply best practice

So what can financial services organisations do to protect themselves better from visual privacy security risks?

1. Build visual privacy into information security strategies – ‘Visual hacking’ or ‘shoulder surfing’ risks need to be viewed as an integral part of security processes and rules.  An increasing number of organisations are including visual privacy as part of their ISO/IEC 27001 compliance. This is an internationally recognised best practice framework for an information security management system. It is designed to help organisations identify the risks to their important information and put in place the appropriate controls to help reduce those risks.
2. Educate employees – awareness of the risk is part of the battle.  Make sure that staff know that they have a role to play in preventing other people viewing their screens. This is particularly important in offices that may have visitors, but even internally, be aware that some employees are privy to confidential data that others may not be.  This extends to mobile usage: despite 24 per cent of people using smartphones or tablets as their primary work device, 77 per cent of them have not been educated by their employees on how to use mobile technology on the move, according to the BSI report.
3. Blank screens are best – ensure that screens are either switched off or turn quickly to a screensaver if an employee gets up from his or her desk.  Also ensure passwords and log-in processes are activated if the computer has not been used for a few minutes.
4. Mobile working – wherever possible, position the screen so that it is not easily viewable (for instance, by someone walking behind a chair). According to a survey from Samsung in the UK published in May 2014,  69 per cent of people now work remotely from a coffee shop at least twice a week, so preventing casual on-lookers is increasingly important to consider.
5. Use privacy filters – these can be easily slipped on to desktop monitors, laptops, tablets and smartphones so that only the direct viewer at close range can see the on-screen information (to anyone else, the screen will look blank).  These filters can also help to prevent scratches, general wear-and-tear and screen glare.

Given how much we all interact with electronic screens, whether in the office or on the move, together with the very real risks around data breaches, visual privacy needs to be an integral part of any security strategy.  Fortunately, there are processes and tools in place that can at least help to mitigate the associated risks and prevent vulnerable data from prying eyes.