It’s not the hacking you’ve heard of, but it has the potential to create even more identity theft. And it's so simple.
If the new temp worker at your office casually strolled by and started grabbing documents off people’s desks, would you wonder what he was doing? What if he pulled out his phone and started snapping pics of their computer monitors?
No, you wouldn’t, according to an information security group called the Ponemon Institute. They actually helped companies in eight different industries conduct a visual hacking experiment, and the results were disappointing.
Here’s how it worked: Under the guise of a temporary or new part-time worker, a computer security expert was let into the office, vaguely introduced to coworkers, and then given some time to “visually hack” sensitive information.
At each company, the researcher had three specific tasks…
- Walking through the office to scout for information on computer screens, desks, and other “indiscreet locations”
- Grabbing a stack of business documents labeled as “confidential” from a desk or table and shoving the papers into a briefcase, in “full view of office workers”
- Using a smartphone to take pictures of “business confidential information” on the computer screen
The scary results? Almost nine times out of 10, these so-called “white hat hackers” were successfully able to access employee login credentials and other information that could be used to access a much larger pool of data stored by the companies.
This held true across all eight types of industries: global financial services, IT services, automobile manufacturing, national banking, P&C insurance, life sciences, research and education, and defense and aerospace.
IBM senior researcher John Kuhn told us earlier this year that companies are most at risk from their own employees, who represent a “little chink in the armor.”
What makes visual hacking so risky? Here’s what the study concluded…
Visual hacking happens quickly.
The average total time to complete all three of the tasks was 127 minutes. That may sound like a lot, but think of it this way: It only takes two hours to put your company out of potentially millions of dollars.
It puts the company’s most valuable assets at risk.
Sensitive information is much easier to access in person than by hacking through digital security because people don’t think of it as something to guard against. An average of five pieces of information were hacked during each stage of the trial, including:
- Employee contact lists (63 percent of the time)
- Customer information (42 percent)
- Corporate financials (37 percent)
- Employee access and login credentials (37 percent)
- Information about employees (37 percent)
It’s unlikely that people will take action against a visual hacker.
The experiment found that people were extremely hesitant to confront a potential hacker. In 70 percent of the trials, the researcher was not confronted by office workers. In 30 percent of the trials, the researcher “experienced some queries or push back” from other office workers.
In the 43 total trials, only once did an office worker contact his or her supervisor about a possible insider threat. Because nobody wants to be that guy.
Visual hacking can be prevented.
Surprisingly, your office’s floor plan affects how difficult visual hacking is. The experiment found that open floor plans — while they help promote egalitarian and collaborative office space — pose a greater threat to visual privacy than a traditional cubicle structure. Cubicles offer more privacy, and create an expectation of it.
Here are some of the other tips Ponemon Institute offers…
- Require privacy filters on all devices. These are sort of like sunglasses for your monitor, and prevent people from looking at your computer from an angle.
- If you don’t want to invest in one of these, you can dim the brightness of your screen for a similar effect.
- Keeping your desk clear by taking five minutes at the end of the day can help cut down clutter and data risk. Shred sensitive documents when they’re no longer needed.
- Ponemon also recommends mandatory training for employees about how to spot and stop a visual hacker.