RiskUKOctober2017

More documents

Recommendations

Info

Visual Hacking: Combating Mobile and Bring Your Own Device Security Risks appropriate security technologies suitable for the particular device or application’. Within the UK Government, the Security Policy Framework states that Government departments and agencies must adopt clear computer screen policies in those areas where sensitive assets are handled. The Department of Work and Pensions and the Foreign and Commonwealth Office have both specifically referenced the need for protecting screens and mention privacy filters in this context. Securing mobile communications is one of the biggest challenges organisations are facing today, with the inevitable complications of employees often using the same device for both work and home life, plus the sheer volume and diversity of mobile endpoints involved: different smart phones, tablets, laptops and operating systems, as well as a multitude of Apps that can be downloaded in seconds. As Peter Barker explains, there’s another factor that has potentially huge risk implications: visual hacking Visual hacking is the term given to the ability to view potentially sensitive or confidential content on someone’s screen – on a desktop monitor, laptop, tablet or smart phone – and then use that information for illegal or malicious purposes, such as financial gain, identity theft or sharing company information with a third party. Many of us will have inadvertently seen something on someone else’s screen that we know wasn’t for public consumption, so it’s not difficult to imagine how easily a ‘visual hack’ might take place. Unlike more sophisticated forms of security breaches, visual hacking doesn’t require any computer expertise. With mobile devices now incorporating increasingly clever cameras, it’s also becoming simpler to ‘snap’ sensitive details instead of having to rely on memory. This is why a growing number of organisations are adding visual hacking prevention to their overall security strategies and investments. Some private and public sector organisations are mandating visual hacking as part of their ISO 27001 processes. In the financial services market, for example, visual privacy is implicit within industry guidelines issued by the Financial Conduct Authority several years ago. In the legal profession, the Bar Council has issued Best Practice guidelines, stating that: ‘Where possible, computers should not be placed so that their screens can be overlooked, especially in public places’ and ‘You should use Higher on the agenda At this point, you may well be wondering why visual hacking hasn’t been higher on the business security agenda before now. There are a couple of likely reasons for this. First, while there has been considerable talk about mobile security for several years now, in the case of many organisations, they’ve only recently focused the spotlight on this area, while research highlights the fact that plenty of companies are still lagging behind. Second, the lack of ‘hard numbers’ around the scale and type of security breaches is notoriously difficult. This includes visual hacking, which is also extremely hard to trace (there are no viruses, Trojan horses or other software-based threats to uncover). However, a couple of recent studies have demonstrated the speed and ease of a visual hack. The Public Spaces Survey, conducted earlier this year, also unearthed the fact that concern about visual hacking isn’t being matched by efforts to ensure its prevention. The study, which was conducted by The Ponemon Institute on behalf of 3M, involved interviewing business people working in open spaces such as cafes and hotel lobbies. Nine out of ten of those people questioned said they had caught someone looking at data on their laptops in public. 77% of them expressed the view that they were somewhat or very concerned about visual hacking, with 43% worried it could lose them their jobs, 23% concerned about identity theft and 63% having a gut feeling that visual hacking is a bigger issue than most of us realise. Despite this level of concern, more than 50% of respondents also said that they hadn’t taken any steps to protect sensitive company information while working in public spaces. 68 www.risk-uk.com
Cyber Security: Visual Hacking Risk Management Of course, laptops and other mobile devices are not just used in public spaces – many of us access them at the office as well. Indeed, with the advent of ‘mobile first’ this development is only going to increase, because that’s the concept of having one handset that transfers seamlessly from internal voice and data networks to cellular networks. Global Visual Hacking The potential risk of visual hacking in open plan offices was highlighted by the Global Visual Hacking Experiment conducted by The Ponemon Institute and sponsored by 3M. Covering eight countries, among them the UK, the Global Visual Hacking Experiment involved a total of 157 ‘trials’ encompasing the offices of a variety of organisations harbouring from 25 to 100 employees. In all cases, designated people at the participating companies were given two days’ notice before each trial, which involved a White Hat hacker (complete with a valid and visible security badge) impersonating a temporary office worker. The total estimated time for each trial was two hours. The trials involved trying to obtain sensitive or confidential information in several ways: walking through the office looking for information left in full view on desks, monitoring screens and other locations such as printers and copiers, taking a stack of business documents labelled ‘Confidential’ from a desk and putting them in a briefcase and using a smart phone to take images of confidential information displayed on computer screens. All tasks were carried out in full view of other office workers. Information obtained was varied and included personal identification information, customer and employee details, general business correspondence, access and log-in credentials, confidential or classified documents and attorney-client privileged documents in addition to financial, accounting and budgeting information. While the UK’s results were often better when compared to other countries, the numbers are still alarmingly high, with 87% of visual hacks successful, over half taking place in 15 minutes or less and 44% of sensitive information gained by viewing people’s screens. An average of 3.1 pieces of confidential or sensitive data were obtained per experiment, while the visual hacker was only confronted in 39% of attempts. Globally, where visual security practices were in place – such as clean desk policies, workplace monitoring and surveillance, “Unlike more sophisticated forms of security breaches, visual hacking doesn’t require any computer expertise. With mobile devices now incorporating increasingly clever cameras, it’s becoming simpler to ‘snap’ sensitive details” bespoke training and awareness programmes and standardised document shredding processes – there was an average 26% reduction in successful visual hacks. Compared to some types of security management, visual hacking is relatively easy, cost-effective and quick to mitigate if the right processes are implemented, not just on screens, but also for paper-based information. To reduce the paper risk, encourage staff to clear their desks at the end of the day and lock away any document deemed sensitive or confidential. Check the Post Room and printer trays to make absolutely sure documents are not being left in full view. If not already in place, instigate the routine shredding of key documents and discourage any unnecessary printing and copying of them. Adopt the mantra of ‘Close It Down’. Screensavers and log-in prompts after a few minutes’ inactivity are effective and simple ways in which to reduce the time a screen is exposed to prying eyes. Cultural attitude is important, too. Visual privacy policies are more likely to be followed if they’re mandated at the management level and staff are educated about their personal responsibility to improve visual privacy. Employing privacy filters Make screens hard to view. A very simple step is to ensure that a given screen’s angled such that it cannot be viewed, for instance facing a café wall, rather than in full view of the coffee counter queue. Last, but not least, use privacy filters. These can be easily slipped on and off screens of all kinds and prevent on-screen data from being viewable except straight on and at close range. Someone taking a sideways glance or who may be several feet behind the screen will witness only a blank image. Given that these are all very achievable preventative steps to take, and that visual hacking is potentially a very real risk for UK organisations in this day and age, it makes perfect sense for companies to include them within overall security practices. While visual hacking might only be one of many tools in the hackers’ current armoury, it’s also one that can be practically locked down more easily than others. Worth bearing in mind. Peter Barker: EMEA Market Development Manager (Display Materials and Systems Division) at 3M 69 www.risk-uk.com
Page 1 and 2:
October 2017 www.risk-uk.com Securi
Page 3 and 4:
October 2017 Contents 33 In Search
Page 5 and 6:
Texecom Connect App New smartphone
Page 7 and 8:
News Update Biometrics Commissioner
Page 9 and 10:
News Analysis: UK-European Union Se
Page 11 and 12:
News Special: Cortech Open Innovati
Page 13 and 14:
News Special: NAHS Annual Conferenc
Page 15 and 16:
Opinion: Crowded Places Security an
Page 17 and 18: Opinion: Mind Your Own Business Acc
Page 19 and 20: BSIA Briefing Preventing injury in
Page 21 and 22: They see a well secured airport. Yo
Page 23 and 24: Security in the Built Environment a
Page 25: Mobile Technology: Risk Management
Page 28 and 29: Data Centres: Security and Fire Saf
Page 30 and 31: Advertisement Feature “We take po
Page 33 and 34: Access Control: Developments in Bio
Page 35 and 36: The New Camera Line Mx6 Creates Mor
Page 37 and 38: Manufacturing X-ray Machines in the
Page 40 and 41: Counter-Terrorism: Security Screeni
Page 42 and 43: A Touch of Retail Security Therapy
Page 44 and 45: Healthcare Sector Security: Body-Wo
Page 46: Healthcare Sector Security: Access
Page 49 and 50: Advertisement Feature Inner Range
Page 51 and 52: Advertisement Feature expander, ELM
Page 53 and 54: Mail Room Security Management: Syst
Page 56 and 57: Meet The Security Company This is t
Page 58 and 59: www.coie.uk.com Cortech Open Innova
Page 60 and 61: The Security Institute’s View a c
Page 62 and 63: A 21st Century Crisis: What Does It
Page 64 and 65: Qualifications: The Future of Fire
Page 66 and 67: An Exercise in Logistics Company wa
Page 70 and 71: Raising Standards: A Commitment to
Page 72 and 73: Risk in Action Business process enh
Page 74 and 75: Technology in Focus Gallagher Secur
Page 76 and 77: National Association for Healthcare
Page 78 and 79: Appointments Tom Brookes Tom Brooke
Page 80 and 81: Best Value Security Products from I
Page 82 and 83: THE UK’S MOST SUCCESSFUL DISTRIBU
show all

RiskUKOctober2017

Create successful ePaper yourself

Delete template?

Save as template?