Visual hacking is a risk of which most security professionals are no doubt aware, but it’s hard to put any metrics around the exact scale of the risk. However, a recent experimental study carried out by the Ponemon Institute has lifted the lid on this often overlooked area of security and found that 88 percent of ‘white hat hacker’ attempts at visual hacking were successful.
The study involved a penetration tester entering the offices of eight US firms, pretending to be a temporary or part-time employee. He then attempted to visually hack sensitive or confidential information in three ways: by walking through the office looking for information in full view on desks, screens and other locations; picking up stacks of business documents labelled confidential; and snapping images of information using the camera in his smartphone.
All three of these activities took place in full view of other office workers, yet he was only stopped in 30 percent of attempts (and even then, on average the hacker had obtained 2.8 pieces of company information). That is alarming enough in itself, but here are some other results of the study:
Speed – 45 percent of the successful hacks took place in less than 15 minutes, with 63 percent taking less than 30 minutes.
Volume – an average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent), corporate financials (37 percent), employee access and login information/credentials (37 percent) and information about employees (37 percent).
Screen risk – 53 percent of sensitive information obtained was screen-based, compared to vacant desks (29 percent), or bins, copiers and fax machines (18 percent collectively).
The study shows how easy it is to perpetrate security breaches, as part of the overall ‘insider threat’. And while mobile workers are arguably the most vulnerable, the study shows that there is no room for complacency in open plan offices, particularly where contractors and visitors may be present. The study also found that customer service roles were the easiest to hack, compared to the more risk-averse legal and financial departments.
The good news is that visual security is relatively easy to address. In the study, there were fewer successful hacks in companies with mandatory training and awareness, clean desk policies, processes around document shredding and suspicious reporting, plus privacy filters, which can be easily slipped onto screens of all types.
“A hacker often only needs one piece of valuable information to unlock a large-scale data breach. This study exposes both how simple it is for a hacker to obtain sensitive data using only visual means.”
For more information on how 3M Privacy Filters combat the threat of visual hacking while working in high-traffic areas, or to request a sample, please visit our website.