As organizations double down on cybersecurity measures, low-tech attack methods such as visual hacking (that is, physically spying on what’s on others’ computer screens and desks) are becoming more common.
3M’s 2016 Global Visual Hacking Experiment has found that the overwhelming majority of companies across the globe are not prepared to detect visual hacking in business office environments, or to protect their most valuable information.
To test the efficacy of visual hacking techniques, 3M had a white hat assume the role of a temporary office worker. The person was assigned a valid security badge, worn in plain sight, and sent into 46 participating companies to perform three overt tasks: walk through the office scouting for information in full view on desks, monitor screens and other indiscreet locations like printers and copy machines; take a stack of business documents labeled as confidential off a desk and place it into a briefcase; and use a smartphone to take a picture of confidential information displayed on a computer screen.
All three of these tasks were completed in full view of other office workers at each company. And in 91% of instances, these attempted visual hacks were successful. The hacker successfully captured 613 pieces of content, including login credentials, financial information, and privileged and confidential documents. In all, 27% of the data hacked was considered sensitive information.
Visual hacking happens quickly, too: It took less than 15 minutes to complete the first visual hack in 49% of trials.
All too often, company employees seemed oblivious. In 68% of trials, the white-hat hacker was not stopped by employees. In only three cases did a worker contact the office supervisor about a possible insider threat.
The study also found that certain situations are riskier: 52% of sensitive information was visually hacked from employee computer screens. But office layout affects visual hacking; traditional offices and cubicles make it easier to protect paper documents and more difficult to view a computer screen. In contrast, the open floor plan appears to exacerbate the risk of visual hacking.
“Creating visual privacy policies and protocols is an important step in building awareness of the issue among employees,” the report concluded. “Companies should educate and train employees to properly handle company data. Issuing a clean desk policy, using privacy filters to help protect sensitive information displayed on screens, having a document shredding process, and setting up procedures that allow employees to report suspicious visual hacking behavior are other practices to lessen the chances for visual hacking. Organizations should perform regular, company-wide visual privacy audits to help identify and address vulnerabilities.”
In the study, companies with sound control practices experienced on average 26% fewer visual privacy breaches.