Three top tips to combat visual hacking
People in fintech and financial services in general are arguably more aware than most of the need to protect sensitive or confidential data and increasingly, this includes reducing the risk of what is frequently referred to as ‘visual hacking’, typically achieved by ‘shoulder surfing’.
This is the ability to view and even photograph content on someone’s screen and then use that information for malicious and illegal purposes; the information could be sold, used to perpetrate identity theft, or used to launch a cyber-attack.
Most of us can relate to how this might happen: we may have inadvertently seen something we should not have when passing behind a colleague’s desk, on a stranger’s laptop sitting behind them at a conference, or on the smartphone of the passenger on a crowded train. The ease with which visual hacks can be carried out, together with regulation, plus the fact that visual privacy is relatively easy to improve, are all reasons why the financial sector is putting the spotlight on this topic.
Here are three things to know about visual privacy and visual hacks:
- Visual privacy is part of financial and other regulation
Visual privacy is implicit within the General Data Protection Regulation (GDPR), which, being a principles-based regulation, puts the onus on organisations to work out how to meet its requirements rather than on regulators issuing a list of specific actions to follow. So it does not matter whether an unauthorised data disclosure results from a hacker launching a sophisticated cyber-attack or from a stranger taking a picture of potentially sensitive data displayed on an employee’s laptop screen.
Also, visual security was specified within the Financial Services Authority (FSA) guidelines (the FSA has since been replaced by the Financial Conduct Authority (FCA)). The UK Financial Services and Markets Act 2000 states that a company must show it ‘took all reasonable precautions and exercised all due diligence’, which encompasses physical security. Visual privacy is also implicit within ISO 27002.
- Visual hacking is easy and fast to achieve
Unlike more sophisticated digital cyber-attacks or data breaches, visual hacking does not require any special skills. In the Global Visual Hacking Experiment conducted in 2016 by global security specialist The Ponemon Institute, a white hat hacker posed as a temporary worker in offices in eight countries, including the UK (with the permission of the organisations involved).
The hacks were successful in more than 90% of attempts, with 49% taking 15 minutes or less and 66% taking less than 30 minutes. On average, 3.9 pieces of sensitive data were obtained per trial, with 52% of that data coming from viewing people’s screens. The hacker was challenged in only approximately a third of attempts. That particular study was within office walls: it is easy to imagine how the scale of the risk might increase in public spaces, which is important to consider as workforces become more mobile.
- Visual privacy is relatively easy to improve
In the Ponemon Global Visual Hacking Experiment, the number of visual hacks reduced by 26% when measures were put in place to improve visual privacy. These measures are also relatively simple, inexpensive and fast to implement, particularly when compared to other forms of information security management.
Awareness and culture are the starting point: staff need to know about the potential implications of breaches caused by visual hacks. Getting management-level backing for better visual privacy also helps. For instance, employees should feel encouraged to politely confront or report someone they do not recognise, who is not displaying clear ID, or who is in an unauthorised location.
Clean desk policies used to be talked about in the context of keeping a clearer, more focused mind: they are also a very simple but effective way to reduce the risk of confidential documents being viewed. Printed material should not be left by copiers or printers: consider ‘pull printing’, whereby a document is only released into an authorised user’s hands. Shredding and reduction of paper usage should be routine by now.
Make it hard for screens to be viewed: screensavers and automatic screen locks are highly effective at limiting the amount of time the display on a monitor, laptop, tablet or smartphone can be viewed. When working in public places such as cafes, sit with your back to a wall rather than by the counter queue, where people can casually check out a laptop screen while waiting to place their orders.
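The automatic screen lock mentioned above is only effective if the idle timeout is short and the lock actually engages when the screen blanks. The script below is an added example, not part of the original article, and audits a GNOME desktop’s lock settings against a baseline. The GNOME keys it reads (org.gnome.desktop.session idle-delay, org.gnome.desktop.screensaver lock-enabled and lock-delay) are real, but the baseline values of 300 seconds idle and a 5 second lock delay are this example’s own assumptions; when gsettings is not installed it evaluates a constructed weak profile so the check can be seen offline.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a GNOME desktop's
# automatic screen-lock settings against a visual-privacy baseline.
# Assumptions: the GNOME keys org.gnome.desktop.session idle-delay,
# org.gnome.desktop.screensaver lock-enabled and lock-delay; the baseline
# values below are this example's own choice, not a published standard.

MAX_IDLE_SECONDS=300   # screen should blank after at most 5 minutes idle
MAX_LOCK_DELAY=5       # lock should follow the blank within 5 seconds

# gsettings prints unsigned integer keys as "uint32 N"; keep only N
strip_uint32() {
    printf '%s\n' "$1" | sed 's/^uint32 //'
}

# evaluate_lock_policy IDLE_DELAY LOCK_ENABLED LOCK_DELAY
# Returns 0 when the three values meet the baseline, 1 otherwise,
# printing one reason line per failing setting.
evaluate_lock_policy() {
    idle=$(strip_uint32 "$1")
    enabled=$2
    lockdelay=$(strip_uint32 "$3")
    status=0
    # idle-delay of 0 means the screen never blanks, so the lock never fires
    if [ "$idle" -eq 0 ] || [ "$idle" -gt "$MAX_IDLE_SECONDS" ]; then
        echo "FAIL: idle-delay is $idle s (0 = never blank); want 1-$MAX_IDLE_SECONDS"
        status=1
    fi
    if [ "$enabled" != "true" ]; then
        echo "FAIL: lock-enabled is $enabled; want true"
        status=1
    fi
    if [ "$lockdelay" -gt "$MAX_LOCK_DELAY" ]; then
        echo "FAIL: lock-delay is $lockdelay s; want at most $MAX_LOCK_DELAY"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: screen locks within $((idle + lockdelay)) s of inactivity"
    return "$status"
}

# Read the live values when gsettings exists; otherwise audit a constructed
# weak profile (never blanks, lock disabled) to show what a failure looks like.
audit_current_desktop() {
    if command -v gsettings >/dev/null 2>&1; then
        evaluate_lock_policy \
            "$(gsettings get org.gnome.desktop.session idle-delay)" \
            "$(gsettings get org.gnome.desktop.screensaver lock-enabled)" \
            "$(gsettings get org.gnome.desktop.screensaver lock-delay)"
    else
        echo "gsettings not found; auditing constructed sample values instead"
        evaluate_lock_policy "uint32 0" "false" "uint32 0"
    fi
}

# Stand-alone use: run the audit and report; a fleet-wide checker would
# collect the return status of evaluate_lock_policy per machine.
audit_current_desktop || echo "audit finished with findings"
```

On a GNOME machine that fails the check, the corresponding corrected settings are `gsettings set org.gnome.desktop.session idle-delay 300`, `gsettings set org.gnome.desktop.screensaver lock-enabled true` and `gsettings set org.gnome.desktop.screensaver lock-delay 0`; the same three questions (how long until the screen blanks, does it lock, how soon) apply to any other operating system’s equivalent policy.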
Consider installing privacy filters, the latest generation of which can be easily flipped up or down depending on whether the user wants to share his or her screen with others. When down, on-screen data is only visible at close range and from a direct angle: otherwise, viewers will only see a blank screen. Filters can be fitted to desktop monitors, laptops, tablets and smartphones.
While implementing better visual protection is only one of many strategies to adopt, it has an important role to play in better security management. Also, it is arguably one of the easier areas of security to address.
By Peter Barker, EMEA market development manager, display materials and systems division, at 3M