When it comes to data security, social engineering — psychologically manipulating people into divulging confidential information — targets what may be a company’s most exploitable assets: its employees.
In “The Human Factor Report 2016,” security and compliance company Proofpoint reported social engineering as the No. 1 attack technique in 2015. Likewise, European security technology firm Balabit put social engineering at the top of its list of the 10 most popular hacking methods.
Phishing is the social-engineering tactic that gets the most attention. Rarely a day goes by when there isn’t news about a data breach where a remote hacker gains access to sensitive corporate information — or worse, private customer information.
A form of social engineering that gets less attention is “visual hacking.” It’s a low-tech attack technique in which bad actors — either employees or visitors to a corporate work site — access sensitive information for unauthorized use by, for example, physically viewing open computer or mobile-device screens or watching keystrokes to determine a user’s password. This can easily happen without a company even noticing.
The June 2015 data breach at the Office of Personnel Management (OPM), in which information about millions of federal employees was compromised, was hailed as the largest single security breach in government history. The hackers were able to gain access to the systems through a compromised credential. While it has not been revealed exactly how that occurred, the list of viable possibilities includes visual hacking. It wouldn’t have been either the first or last breach to happen through the theft of log-in credentials and passwords.
CFOs need to act swiftly to turn the tide and ensure their employees are educated about this problem and properly prepared to help prevent it.
Where to Begin?
One of the best ways to stop visual hacking is through training and awareness.
Security awareness training should start at the onboarding or new-hire orientation program. It’s at this time that most employees are really tuned in to learn what they will need to do to be successful.
A primary goal of security awareness training should be ensuring employees understand they are responsible for protecting sensitive corporate information. This includes educating them about how visual hackers may seek to exploit visual privacy gaps in their jobs and workspaces.
The 2016 Global Visual Hacking Experiment, an expansion of the 2015 Visual Hacking Experiment conducted in the United States by the Ponemon Institute and sponsored by 3M, found that visual hacking is a woefully under-addressed global threat.
The combined 2015 and 2016 studies included 157 trials in 46 participating companies across China, France, Germany, India, Japan, South Korea, the United Kingdom, and the United States. In each trial, a white-hat visual hacker assumed the role of a temporary office worker and was assigned a security badge worn in plain sight.
The white-hat hacker then entered each facility and performed three overt tasks: view and log sensitive information visible on a computer screen, desk, or printer; grab a stack of business documents labeled “confidential” off a desk and put them in a briefcase; and take a picture of sensitive information displayed on a computer screen with a smartphone.
On average, the visual hacker was successful in accessing sensitive corporate information in 91% of the trials; 52% of the visual hacks occurred via an unprotected employee computer screen. Globally, 27% of the data breaches involved sensitive information, such as login credentials, attorney-client privileged documents, and financial information; they happened in less than 15 minutes in nearly half of all attempts.
The global study emphasizes the need for employees to pay attention to people, even within their trusted work environments, and act accordingly. The intent is not to make employees distrustful of their colleagues, but rather to ensure they know that visual hacking threats are often undetectable and can come in various forms.
Ultimately, employees must feel a sense of empowerment to be part of the solution rather than part of the problem. Awareness must be consistent and continuous in order to effectively drive cultural change and protect information.
It is also important to address the problem through enhanced policies and procedures. The Global Visual Hacking Experiment found that companies with sound control practices experienced, on average, 26% fewer visual privacy breaches. The specific measures put in place vary for each organization based on the unique risks it faces, but some widely applicable policies and procedures include:
- Implementing clean-desk policies to help ensure employees are not leaving sensitive company or customer data on a desk when not in use
- Requiring printed material to be collected immediately from common printers, copiers, and fax machines
- Ensuring monitors and devices are not within viewing range of prying eyes, either by shifting the screen’s view or using privacy filters that blacken out the angled view of onlookers
- Empowering employees to ask wandering guests or visitors if they need help. Even in settings that can experience a high level of traffic due to contractors, cleaning crews, and numerous other people walking through the building, it’s better to be safe than sorry.
The OPM data breach illustrated that hacks can’t always be traced back to a specific root cause. The Global Visual Hacking Experiment showed that hacks can happen within the trusted walls of a company. CFOs need to address visual hacking, or they’ll put their organization at risk of becoming another tally on the list of hacked organizations.
John Brenberg is information security and compliance manager for 3M, a multinational conglomerate company.