Risk UK, October 2017
Cyber Security: Visual Hacking Risk Management
Of course, laptops and other mobile devices are not just used in public spaces – many of us access them at the office as well. Indeed, with the advent of ‘mobile first’ this development is only going to increase, because that’s the concept of having one handset that transfers seamlessly from internal voice and data networks to cellular networks.
Global Visual Hacking
The potential risk of visual hacking in open plan offices was highlighted by the Global Visual Hacking Experiment conducted by The Ponemon Institute and sponsored by 3M. Covering eight countries, among them the UK, the Global Visual Hacking Experiment involved a total of 157 ‘trials’ encompassing the offices of a variety of organisations with between 25 and 100 employees. In all cases, designated people at the participating companies were given two days’ notice before each trial, which involved a White Hat hacker (complete with a valid and visible security badge) impersonating a temporary office worker. The total estimated time for each trial was two hours.
The trials involved trying to obtain sensitive or confidential information in several ways: walking through the office looking for information left in full view on desks, on screens and in other locations such as printers and copiers; taking a stack of business documents labelled ‘Confidential’ from a desk and putting them in a briefcase; and using a smart phone to take images of confidential information displayed on computer screens. All tasks were carried out in full view of other office workers.
Information obtained was varied and included personal identification information, customer and employee details, general business correspondence, access and log-in credentials, confidential or classified documents and attorney-client privileged documents, in addition to financial, accounting and budgeting information.
While the UK’s results were often better when compared to other countries, the numbers are still alarmingly high, with 87% of visual hacks successful, over half taking place in 15 minutes or less and 44% of sensitive information gained by viewing people’s screens. An average of 3.1 pieces of confidential or sensitive data were obtained per experiment, while the visual hacker was only confronted in 39% of attempts.
Globally, where visual security practices were in place – such as clean desk policies, workplace monitoring and surveillance, bespoke training and awareness programmes and standardised document shredding processes – there was an average 26% reduction in successful visual hacks.

“Unlike more sophisticated forms of security breaches, visual hacking doesn’t require any computer expertise. With mobile devices now incorporating increasingly clever cameras, it’s becoming simpler to ‘snap’ sensitive details”
Compared to some types of security management, visual hacking is relatively easy, cost-effective and quick to mitigate if the right processes are implemented, not just on screens, but also for paper-based information.
To reduce the paper risk, encourage staff to clear their desks at the end of the day and lock away any document deemed sensitive or confidential. Check the Post Room and printer trays to make absolutely sure documents are not being left in full view. If not already in place, instigate the routine shredding of key documents and discourage any unnecessary printing and copying of them.
Adopt the mantra of ‘Close It Down’. Screensavers and log-in prompts after a few minutes’ inactivity are effective and simple ways in which to reduce the time a screen is exposed to prying eyes.
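One way to check the ‘Close It Down’ advice above on a Windows workstation, as an added example that is not from the article or 3M: it reads the registry values behind the ‘Enable screen saver’, ‘Password protect the screen saver’, ‘Screen saver timeout’ and ‘Interactive logon: Machine inactivity limit’ policies and reports any setting that would leave a screen exposed. The 300-second ceiling is an assumption standing in for the article’s ‘a few minutes’.

```powershell
# Added example (not from the article or 3M): audit the current user's
# screen-lock posture on a Windows workstation.
# Assumption: 300 seconds (5 minutes) stands in for "a few minutes".

function Get-ScreenLockPosture {
    param([int]$MaxIdleSeconds = 300)   # assumed ceiling, not from the article

    # Group Policy values override the user's own preferences, so read the
    # policy key first and fall back to the per-user key.
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    $names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'
    $settings = @{}
    foreach ($name in $names) {
        foreach ($key in $keys) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value) { $settings[$name] = [string]$value; break }
        }
    }

    # Machine-wide inactivity limit: locks the session regardless of the
    # screensaver settings, so it is checked separately.
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $inactivity = (Get-ItemProperty -Path $sysKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    $findings = @()
    if ($settings['ScreenSaveActive'] -ne '1')   { $findings += 'Screensaver is not enabled.' }
    if ($settings['ScreenSaverIsSecure'] -ne '1') { $findings += 'Screensaver does not require a password on resume.' }
    $timeout = 0
    if (-not [int]::TryParse($settings['ScreenSaveTimeOut'], [ref]$timeout) -or $timeout -le 0 -or $timeout -gt $MaxIdleSeconds) {
        $findings += "Screensaver timeout is '$($settings['ScreenSaveTimeOut'])'; expected 1-$MaxIdleSeconds seconds."
    }
    if ($null -eq $inactivity -or [int]$inactivity -le 0 -or [int]$inactivity -gt $MaxIdleSeconds) {
        $findings += "Machine inactivity limit is '$inactivity'; expected 1-$MaxIdleSeconds seconds."
    }

    [pscustomobject]@{
        Compliant             = ($findings.Count -eq 0)
        Settings              = $settings
        InactivityTimeoutSecs = $inactivity
        Findings              = $findings
    }
}

Get-ScreenLockPosture | Format-List
```

A result with Compliant set to False lists each weak setting; the matching Group Policy objects under User Configuration > Administrative Templates > Control Panel > Personalization and the machine inactivity limit security option are the place to correct them centrally.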
Cultural attitude is important, too. Visual privacy policies are more likely to be followed if they’re mandated at the management level and staff are educated about their personal responsibility to improve visual privacy.
Employing privacy filters
Make screens hard to view. A very simple step is to ensure that a given screen is angled such that it cannot be viewed, for instance facing a café wall rather than in full view of the coffee counter queue.
Last, but not least, use privacy filters. These can be easily slipped on and off screens of all kinds and prevent on-screen data from being viewable except straight on and at close range. Someone taking a sideways glance or who may be several feet behind the screen will witness only a blank image.
Given that these are all very achievable preventative steps to take, and that visual hacking is potentially a very real risk for UK organisations in this day and age, it makes perfect sense for companies to include them within overall security practices.
While visual hacking might only be one of many tools in the hackers’ current armoury, it’s also one that can be practically locked down more easily than others. Worth bearing in mind.
Peter Barker: EMEA Market Development Manager (Display Materials and Systems Division) at 3M
www.risk-uk.com