By Dave Williams, 3M
Often, the General Data Protection Regulation (GDPR) is talked about in the context of digital communications and ensuring that data is within compliance requirements. However, GPDR is a principle-based regulation, which means rather than being given a list of prescriptive guidelines, it is up to financial services organisations to identify and then assess risks.
In practice, that means that GDPR compliance has been broken if privacy has been breached via any method, such as taking a photograph of or even viewing confidential information on a smartphone or laptop screen, or removing a document from an unattended briefcase in a café.
Location is immaterial: employees are obliged to protect company data whether they are working from an office, in a public place, or even from home (while no-one is suggesting flatmates or family would do anything with confidential or sensitive data, in their own interests they should be protected from that exposure).
In the run-up to GDPR’s introduction in May 2018, 3M sat down with Forrester Research analyst Enza Iannopollo who said: “All it takes is some sensitive customer or employee data being exposed to the wrong set of eyes to result in a potentially highly detrimental—and highly publicised—data breach.”
While GDPR has increased the spotlight on visual privacy, it was already a topic that more organisations were beginning to take more seriously, including the banking sector, where use of on-screen filters and other privacy measures were already being widely adopted. Visual privacy has been either implicit or explicit in other industries for several years, and is sometimes included as part of ISO27001 certification too.
In its Data Security section, the UK’s Financial Conduct Authority (FCA) says: “Data security is not purely an IT problem”, and “Firms of all sizes should think carefully about how they secure their data. Having good data security policies and appropriate systems and controls in place will go a long way to ensuring customer data is kept safe. However, you need to make sure your employees understand the policies and procedures and your firm keeps up-to-date when people move on,” and also: “Look at the physical safety of your business premises.” The FCA’s predecessor, the Financial Services Authority (FSA), covered visual security (including phone cameras and mobile workers).
Forrester Research’s Enza Iannopollo also made the excellent point that, “ Visual privacy is not just about meeting compliance requirements, it’s about protecting a firm’s most valuable assets.” Fortunately, more organisations are beginning to regard ‘shoulder-surfing’ and ‘visual hacking’ as integral to both compliance and information-security strategies. Visual hacks are relatively fast and easy to achieve, as well as requiring zero specialist skill. Breached information could be used for malicious purposes, such as fraud, stolen credentials, or sold to a third party.
The scale of the risk
The exact scale of the risk is hard to put numbers around, but studies and anecdotal evidence indicate that it is very real, and potentially big. For example, back in 2016, global security specialist organisation The Ponemon Institute conducted the Global Visual Hacking Experiment on behalf of 3M, covering eight countries and 157 trials carried out by a ‘white hat hacker’, posing as a temporary officer worker (with the permission of the participating companies). All trials took place in full view of other workers, and included various methods of collecting data, including taking documents from desks, and using a phone’s camera to photograph people’s screens. Not only were the hacks successful in an average of 91 per cent of attempts, the hacker was only challenged in 30 per cent of attempts.
The Open Spaces Study (also carried out by The Ponemon Institute for 3M), found that nine out of 10 people said they had caught someone looking at data on their laptops when in public. This is no surprise, given that many of us will have seen something on someone else’s screen, and sometimes that could be information that is confidential or sensitive.
How to reduce the risk of visual hacking
While visual privacy may be easy to carry out, arguably it is also easier and faster to guard against compared to other aspects of information security. A first step is to make sure that everyone within the company is aware of visual privacy’s importance, its role in GDPR compliance, plus their responsibilities to take appropriate measures. All this needs to be mandated from management downwards and across the board, including: IT, facilities management, human resources, finance, legal, risk, compliance, sales, marketing and customer-facing teams.
Staff should feel that they can politely challenge anyone within their office buildings not wearing appropriate ID, whom they do not recognise, or are in part of the site with restricted access. Simple steps to reduce the potential of sensitive or confidential information include: clean-desk policies; putting confidential documents back in locked cabinets when not in use; and not leaving documents uncollected in copier or printer trays. Consider using the ‘pull printing’ function found on many office multi-function-printing (MFP) devices to only release a document to an authorised recipient.
When working in public, reinforce to employees that they should not leave their electronic devices, documents or briefcases unattended, even if just for a couple of minutes. Encourage staff to sit with their backs against a barrier such as a wall, instead of in the middle of a room where their screens may be visible to anyone passing behind them. If not already in place, mandate the use of automatic log-ins and screensavers, and also consider applying privacy filters, which make it extremely hard to view on-screen information unless at close-range and from straight-on (viewers otherwise just see a blank view).
As many financial organisations are adjusting to new ways of working right now — trying to find ways to work smart anywhere — keeping data safe and achieving GDPR compliance may pose additional challenges for many organisations. While visual privacy is just one of aspect of that task, it is both important and addressable.