Feb 18, 2015
ST. PAUL, Minn. – While most security professionals focus on thwarting data breaches from high-tech cyber attacks, a new study exposes visual hacking, a low-tech method used to capture sensitive, confidential and private information for unauthorized use, as an under-addressed corporate risk. The 3M Visual Hacking Experiment, conducted by Ponemon Institute on behalf of the Visual Privacy Advisory Council and 3M Company, a leading manufacturer of privacy filters, found that in nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach.
“In today’s world of spear phishing, it is important for data security professionals not to ignore low-tech threats, such as visual hacking,” says Larry Ponemon, chairman and founder of Ponemon Institute. “A hacker often only needs one piece of valuable information to unlock a large-scale data breach. This study exposes both how simple it is for a hacker to obtain sensitive data using only visual means, as well as employee carelessness with company information and lack of awareness to data security threats.”
During the study, a computer security expert specializing in penetration testing, also known as a white hat hacker, entered the offices of eight U.S.-based companies under the guise of a temporary or part-time worker. The white hat hacker attempted to visually hack sensitive or confidential information using three methods: walking through the office scouting for information in full view on desks, screens and other indiscreet locations; taking a stack of business documents labeled as confidential; and, finally, using his smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in full view of other office workers.
The study revealed the following:
- Visual hacking happens quickly: Companies can be visually hacked in a matter of minutes, with 45 percent occurring in less than 15 minutes and 63 percent of visual hacks occurring in less than a half hour.
- Visual hacking generally goes unnoticed: In 70 percent of incidents, a visual hacker was not stopped by employees – even when using a cell phone to take a picture of data displayed on a screen. In situations when a visual hacker was stopped by an employee, the hacker was still able to obtain an average of 2.8 pieces of company information (compared to 4.3 when not stopped).
- Multiple pieces of information can be visually hacked. During the study, an average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent), corporate financials (37 percent), employee access and login information/credentials (37 percent) and information about employees (37 percent).
- Unprotected devices pose the greatest opportunity for sensitive information to be visually hacked. 53 percent of information deemed sensitive (access or login credentials, confidential or classified documents, financial, accounting or budget information or attorney-client privileged documents) was gleaned by the visual hacker from the computer screen, more than from vacant desks (29 percent), printer bins (9 percent), copiers (6 percent) and fax machines (3 percent) combined.
- Open floor plans pose a greater threat to visual privacy. In experimental trials completed in companies with an open-office layout, an average of 4.4 information types were visually hacked, while those conducted in a traditional office layout saw 3.0 information types visually hacked.
- Unregulated functional areas were the most likely to experience a visual hack. On average, customer service roles consistently saw the highest number of visual hacks at 6.0, with communications at 5.6 and sales force management at 5.2. Regulated functional areas saw lower averages, with accounting & finance at 1.9 and legal experiencing the least at 1.0.
- Visual hacking controls work. Companies that had relatively low visual hacking rates had more controls in place to protect against the threat than those without, such as mandatory training and awareness, clean desk policies, a document shredding process, a suspicious reporting process and the use of privacy filters. For instance, in those companies that employed the use of privacy filters, 50 percent of trials saw three or fewer information types visually hacked, while 43 percent of companies that did not use privacy filters saw four or more information types visually hacked.
For more information on the study, go to 3Mscreens.com/visualhacking
3M Specialty Display Systems is committed to bringing top of the line, innovative privacy and protection solutions to market, including privacy filters and screen protectors which help secure personal and confidential data by blacking out content from unauthorized side views, allowing businesses to remain compliant with industry privacy regulations, and screen protectors that help keep mobile devices looking new longer with durable, scratch-resistant protection and an ultra-clear view. For more information, visit www.3Mscreens.com.
3M is a science-based company with a culture of creative collaboration that inspires powerful technologies, making life better. With $32 billion in sales, 3M employs 90,000 people worldwide and has operations in more than 70 countries. For more information, visit www.3M.com or follow @3MNewsroom on Twitter.
3M is a trademark of 3M Company.
– 30 –