Countries around the world recognize Data Privacy Day every Jan. 28 to promote privacy and the importance of protecting personal information. Even for IT and security professionals, this day can serve as an opportunity to take a step back to review data-privacy priorities and address overlooked threats.
On this 10th annual Data Privacy Day, consider focusing your attention on one threat that continues to be neglected in many organizations: visual hacking.
Visual hacking is the act of viewing or capturing private, sensitive or classified information for unauthorized use. It can be as simple as someone seeing and remembering your company network’s log-in details. Or it can involve using any number of modern technologies to record private organizational or customer information.
One of the challenges of visual hacking is that it can occur anywhere that sensitive information is displayed:
- In office environments, visual hackers can target information that is displayed on employee computer screens, printed on documents or even written on conference-room whiteboards.
- In financial and healthcare facilities, hackers can target personal, financial and medical information that is regularly accessed on employee computers, kiosks and tablets.
- Mobile workers can be unwittingly targeted while accessing sensitive information on their morning train commute, at a conference, in a coffee shop and in other public spaces.
Why Make Visual Hacking a Priority?
A number of converging trends have made workplaces – and workforces – ripe for visual hacking.
First, data is more exposed than ever. Many companies are moving toward open-office floor plans, resulting in fewer natural guards or barriers to conceal information. Perhaps more critical, however, is the rise of the mobile workforce. Sensitive information that was once kept within workplace walls can now be accessed in public spaces – in full view of others.
How exposed are mobile workers to visual hackers? Consider this: Nearly nine in 10 mobile workers surveyed by Ponemon Institute said they’ve caught someone looking over their shoulder at their laptop in public spaces. Perhaps even more worrying is the fact that slightly more than half of those surveyed said they took no steps to protect information when working in a public space.
Second, the visual hacker’s toolkit continues to grow in both size and sophistication thanks to advances in consumer technologies. Smartphones are everywhere, with cameras that advance in power every year. Wearable devices – a growing number of which have cameras – are becoming the new normal. And drones, which can be equipped with powerful cameras and scale tall buildings, present a new frontier of privacy concerns.
Lastly, one of the groups most likely to use visual hacking as a tactic is also one of the biggest security concerns for organizations today: insider threats. These are not only employees or contractors who might seek to do you harm, but also those who are careless or negligent in protecting your information.
According to a 2015 SANS Institute survey of nearly 800 IT and security professionals, 34 percent said they have experienced an insider attack. And 74 percent said they are concerned with malicious or negligent employees.
Helping Prevent Visual Hacking: 5 Tips
A strong visual privacy program is meticulous and multi-faceted. It should include five key elements:
- Begin with an audit. A visual privacy audit will help you identify risk areas and evaluate existing safeguards in your organization.
Doing a walkthrough of your organization’s workspaces can help you uncover issues, such as monitors that are exposed to high-traffic areas or unlocked rooms where sensitive documents are printed. But the audit also should address risk areas outside your organization’s walls where sensitive information is accessed, such as by mobile workers and contractors.
- Apply physical safeguards. Some simple and easy-to-implement safeguards can go a long way in protecting visual privacy in your organization.
Computer, tablet and smartphone screens all should be fitted with privacy filters, which black out the screen for onlookers viewing it from an angle. Again, it’s important that the filters be used not only on office-based devices but also on devices that mobile workers use. Document shredders and secure waste containers also should be located in areas where sensitive documents are handled.
- Develop guidance for employees. Your employees can be your most-powerful defense against visual hackers – but only if you have the right policies and procedures in place.
Clean-desk policies can help reduce the risk of information being exposed. These policies require that employees put away documents and clear their screens when sensitive information is not immediately needed or when they step away from their desks. Procedures also should be in place that direct employees to confront visitors who are acting suspiciously or accessing restricted areas.
- Reinforce employee compliance. Human behavior is one of the hardest things to change in any organization. Reinforcing the behaviors that are defined in your policies and procedures will require a mix of tactics.
Training that defines appropriate behaviors, for example, should be followed up with communications to help emphasize these changes in employees’ minds and daily habits. Also, consider testing employees – such as with a mock visual hacker scenario – and providing incentives to employees who demonstrate compliance.
- Adapt and improve. Visual hackers are like any other hacker: They’ll continue to evolve and adapt to changing security and privacy practices. As a result, your visual privacy program should never become stale or complacent.
Conduct visual privacy audits or walkthroughs on an ongoing basis to keep an eye out for new risks or to identify employees who need additional training. Stay on top of technology trends for potential new visual privacy threats. And continually scrutinize your training and communication efforts for new or better opportunities to educate employees.
Visual hacking may be a low-tech threat, but its consequences can be just as serious and costly as any other hack or data breach. This Data Privacy Day, ask yourself: Are we doing everything we can to address this very real threat?
About the Author: Jessica Walton is the Global Business Development Manager in the Display Materials & Systems Division at 3M Company.