Editor’s note: Has visual hacking made the leap to become one of today’s top security risks? Ponemon Institute recently conducted the Visual Hacking Experiment, jointly sponsored by 3M Company and the Visual Privacy Advisory Council. Subsequently, to help explain the potential threat that visual hacking poses and what organizations can do to help safeguard information, a group of security executives shared their insights in a roundtable Q&A session. The roundtable participants included:
- Dr. Larry Ponemon, chairman and founder of Ponemon Institute, a research center dedicated to privacy, data protection and information-security policy
- Mari Frank, Esq., a qualified privacy expert in state and federal courts
- Dan Burks, chief privacy officer for U.S. Bank
- Kate Borten, president of The Marblehead Group, an expert in health information security and privacy
Basic human curiosity drives most of us to some form of casual eavesdropping in crowded public places. It could be listening in on part of a conversation from nearby diners in a restaurant or briefly glancing at the screen of someone seated next to us on an airplane.
Unfortunately, not every such intrusion is innocent, especially as more workers use smartphones, tablets and laptops to access sensitive business or financial information. Today, what might appear to be a fellow coffee-shop customer catching a quick glance at a stranger’s laptop screen out of curiosity could actually be someone attempting to view or record sensitive information.
Such a threat falls under the category of visual hacking – a form of attack that more businesses, governments and organizations, such as the Visual Privacy Advisory Council, are taking very seriously.
What is visual hacking?
Larry Ponemon: Put simply, visual hacking involves viewing or capturing sensitive, confidential or private information for unauthorized use on a screen device, workstation or copier.
It’s becoming a growing concern as our workforce becomes more mobile, with the ability to access via a smartphone information that once could only be viewed in an office or on a networked computer. In fact, two-thirds of working professionals today say they view sensitive data, including regulated and confidential information, outside of the workplace.
As this information is becoming more accessible, the means of capturing it is easier than ever. Nearly everyone has a smartphone equipped with a camera. Increasingly, sophisticated wearable technology is also becoming more prevalent and less conspicuous, and even drones that can be fitted with cameras are easily accessible.
Are there specific industries that should be concerned about visual hacking?
Dan Burks: Major data breaches continue to make headlines, and customers are warier than ever about the privacy of data. In the financial industry, the interactions we have with our customers and the efforts we take to protect their information help shape their trust in us. While electronic data breaches differ from visual hacking threats, both must be taken seriously. We have a responsibility to take the necessary measures to protect their visual privacy and help earn that trust.
Mari Frank: Visual hacking is also a major threat to law firms, which regularly collect personal information such as bank account numbers, Social Security numbers, driver’s license information and more. Professional and ethical obligations should compel all law firms to protect their clients’ private and confidential information against unauthorized access, whether that information is displayed on a screen or printed on documents that are in an open environment.
Larry Ponemon: The healthcare and financial industries could be considered at higher risk given the highly sensitive personal and financial information they deal with on a daily basis. But really, visual hacking can target any industry. In fact, the International Facility Management Association reports that 70 percent of American employees now work in open-office environments. The goal of opening up floor plans may be to spark greater collaboration, but it also leaves work areas more exposed and provides easier access for vendors, third parties or even malicious workers to view sensitive information.
What kind of risks does visual hacking pose?
Larry Ponemon: It depends on the target and the information obtained. A visual hacker that gains access to an office environment could snap a photo of or even quickly write down log-in information that is displayed on a screen or written on a note taped to a monitor. That hacker now has the means to penetrate the organization’s networks to view trade secrets, steal credit card numbers or launch an attack.
Kate Borten: In the healthcare field, identity theft is certainly a risk if a visual hacker can obtain a patient’s billing and contact information. The healthcare organization also could be fined if it were found to be in violation of HIPAA’s security rule or the HITECH Act. And there are other potential scenarios. Imagine if sensitive or potentially embarrassing personal medical information is obtained. The visual hacker could use that information to blackmail the patient. The financial toll would be painful enough, but the emotional suffering on top of it could be devastating.
Dan Burks: Financial services organizations face comparable risks. And they risk losing perhaps their greatest currency – the trust of their customers. A visual hacker could snap a photo of a screen that contains a customer’s account information or obtain employee log-in information that gives the hacker access to the broader company network. Similar to the healthcare industry, financial organizations in these situations risk running afoul of laws such as the Gramm-Leach-Bliley Act (GLBA), which has specific guidelines for protecting personal financial and other identifying information from threats by ensuring safeguards including visual privacy.
Are there visual hacking “weak spots” that companies should address?
Larry Ponemon: Every setting has its own unique areas to address. That could be waiting areas and service counters in hospitals, or teller counters, service desks and ATMs in banks, only to name a few. In offices, it could be shared workspaces, open cubicles and high-traffic areas.
But as with any form of security, you’re only as strong as your weakest link, and industrious visual hackers look to take advantage of those weak links. That could be a drive-up teller station or an office near a window where information could be exposed to someone with a high-powered camera. It could be a printer tray in a low-traffic office area where an office supplier or cleaning person might go unnoticed. The growing use of mobile technology only opens the door for more opportunities for visual hackers.
Kate Borten: On that note, Dr. Ponemon’s research center released its “Fourth Annual Benchmark Study on Patient Privacy & Data Security” last year. The study found that 88 percent of healthcare organizations allow medical staff and employees to use their own mobile devices to connect to their organization’s networks or enterprise systems. Yet more than half of organizations say they are not confident that such devices are secure, and 75 percent say employee negligence is their biggest security risk.
What measures can companies take to defend against visual hacking?
Dan Burks: Examine your customer interactions for opportunities to improve visual privacy protections. Adopt a “not in plain view” approach. Workers should securely store documents containing sensitive information when not in use and, when printing documents on multi-user printers, use locked printing to secure access.
Computer monitors used to view or enter customer information should face toward walls and away from potential onlookers. If protective positioning is not possible, consider a screen filter. During the interactions themselves, be mindful of what information absolutely must be collected, displayed or retained. For instance, when making a transaction, scheduling an appointment or when asking customers to fill out a form, only ask for information that is necessary.
Larry Ponemon: A combination of company policies and visual-privacy products is the best approach. Policies should include instructing workers to shut down and password-protect their computers and mobile devices when not in use, as well as implementing a clean-desk policy that ensures documents with sensitive information are removed from plain view when not in use. Your employees are the first line of defense against visual hacking, but changing human behavior can be difficult. Reinforce policies with internal communications efforts, training and auditing.
Products also play an important role. All computer monitors and mobile-device screens should be fitted with physical privacy filters, which black out screens when they are viewed from an angle.
Mari Frank: Agencies and companies that deal with large amounts of sensitive client information, such as law firms, accounting firms and government contractors, should have document shredders next to copiers, fax machines and scanners, and in the offices of the professionals who routinely handle such information. Also, place visual-privacy warning labels on or near printers, copiers, file cabinets, waste containers and video-conferencing equipment.
What else should we know about visual hacking?
Larry Ponemon: More organizations need to take it seriously. We recently conducted a study that was jointly sponsored by 3M Company and the Visual Privacy Advisory Council, in which a white-hat hacker was sent into eight different participating company offices under the guise of being a temporary or part-time worker. The hacker was able to visually hack sensitive information from a screen or hard-copy documents in nearly 90 percent of attempts. In 70 percent of instances, employees didn’t attempt to stop the visual hacker, even when the hacker snapped photos of data displayed on a screen.
Hackers thrive on vulnerabilities. And as more organizations bolster their cyber defenses, hackers will look for new opportunities to exploit. Put the necessary policies and tools in place to help eliminate those opportunities and thwart visual hackers.
Dr. Larry Ponemon is chairman and founder of Ponemon Institute, a research center dedicated to privacy, data protection and information-security policy. He also serves as chairman of the Visual Privacy Advisory Council.
Mari Frank, Esq., is an attorney, mediator, certified information privacy professional (CIPP), author, professor and radio show host based in Laguna Niguel, Calif. She is a qualified privacy expert in state and federal courts and has authored several books on the subject of privacy.
Dan Burks is the chief privacy officer for U.S. Bank, which has ranked as the “most trusted bank” in consumer privacy protection for seven consecutive years. He has 30 years of experience in privacy, risk management, business technology design and financial systems integration.
Kate Borten is founder and president of The Marblehead Group, and a nationally recognized expert in health information security and privacy. She is a certified information security professional (CISSP, CISM, HCISPP), and led the first security programs at Massachusetts General Hospital and at Beth Israel Deaconess Medical Center/CareGroup in Boston.