As corporate South Africa gets to grips with the implications of the Protection of Personal Information Act (PoPIA), 3M has embarked on a campaign to raise awareness about the threat posed by visual hacking. It will be launching Visual Hacking Awareness Week from 21 May – 29 May to highlight this little-known but escalating threat.
“PoPIA, like the European Union’s General Data Protection Regulation (GDPR), makes it obligatory for those holding personal information to protect it adequately, and provides for punitive fines to be imposed on those who do not do so. However, because data breaches and hacking make the headlines, many companies tend to assume that the threat is confined to the digital world,” says Peter Barker, Market Manager, IT Market at 3M Display Materials & Systems Division, 3M. “The truth is that sensitive information can be illegally obtained in other ways too, and one of the most common is visual hacking.”
Visual hacking, also known as shoulder surfing, occurs when an individual obtains information from the screen of a device being used by somebody else. It may occur in public spaces and equally in offices. Visual hacking could also include accessing information stored on paper, perhaps by using a smartphone to photograph it.
The Ponemon Institute undertook a Global Visual Hacking Experiment in 2015-6 (sponsored by 3M) to highlight the risk of visual hacking in office environments. The results were alarming, showing that 91 percent of global visual hacking attempts were successful, with 27 percent of the hacked data categorised as sensitive, including login credentials, confidential or classified documents, and financial information. Fifty-two percent of sensitive information was visually hacked from employee computer screens.
“Visual hacking can happen very quickly and can provide criminals with information that will allow them to enter the corporate systems at a later date. In addition, seemingly innocuous information can be used to craft successful phishing or extortion strategies. In other words, the company is at risk from low-tech as well as high-tech predators,” Barker says.
Changing work patterns are increasing the chances of falling victim to visual hacking. Open-plan offices make it easy for co-workers or visitors to obtain information from employees’ screens. In addition, more and more employees are undertaking work in non-office environments such as coffee shops, hotel lobbies, aeroplanes and so on. In all these cases, they are vulnerable to visual hacking.
A further factor is the growing attention being paid to securing corporate systems in response to a flood of high-profile hacks and ransomware attacks. This has had the unintended consequence of making low-tech attack methods, like visual hacking, more attractive to cybercriminal syndicates.
The key to reducing the risk of visual hacking, Barker says, is the development of a comprehensive company policy and set of protocols relating to the issue, backed up by education. The policies should cover not only the office but also the use of company data in all locations. The Ponemon Institute research found that companies with strong visual-hacking policies experienced 26 percent fewer privacy breaches.
A clean-desk policy, document-shredding processes and an easy way to report suspicious behaviour will also help.
“Given that screens account for just over half of all visual hacking, investment in privacy filters on all devices with screens is a worthwhile investment. Most work gets done on screens now, and so protecting them makes sound business sense in a world in which data regulations are becoming more stringent,” he concludes. “This is one threat that can be countered by a judicious combination of technologically advanced screen privacy filters and good policies.”