The visual hacking threat should not be ignored. Visual hacking is easy to pull off and in the majority of cases attempts to steal data are successful, according to a new study released by the Ponemon Institute. Furthermore, low-tech threats such as visual hacking are under-addressed in many organizations.
What is Visual Hacking?
Visual hacking is the term used for capturing and stealing sensitive data by visual means. The attacks are conducted by sneaking a look at computer screens, faxes, or documents left on photocopiers or vacant desks. Very little information is required: if a visual hacker is able to obtain a login name and a password, those credentials could be used for a large-scale attack.
How Serious is the Visual Hacking Threat?
The 2016 Global Visual Hacking Experiment, published on Wednesday, is a follow-up to a 3M-sponsored study conducted last year by the Ponemon Institute. 46 companies from 8 countries participated in the experiment, which involved 157 trials in which a white-hat hacker attempted to steal company data using visual hacking.
According to the report, 91% of visual hacking attempts were successful. In the United States, 88% of visual hacking attempts resulted in sensitive information being stolen.
For the study, a white-hat hacker gained access to offices posing as a contractor. That individual was able to walk around offices and view data on screens, desks, faxes, and photocopiers. The hackers were able to obtain login names, passwords, classified documents, accounting information, financial data, attorney-client privileged documents, and other confidential information.
Most Successful Visual Hacks Involved Computer Screens
The visual hacking threat was greatest with unprotected computer screens – those that lacked a privacy screen. 53% of successful visual hacking attempts involved computer screens, 29% involved data being taken from desks, 9% from printer bins, 6% from photocopiers, and 5% from fax machines. 45% of successful visual hacking attempts occurred within 15 minutes and 63% were possible within 30 minutes. Only 30% of attempts resulted in employee intervention, although even when the individual was stopped it was possible for data to be obtained.
In the majority of cases, the hacking was possible due to carelessness by employees. Employees left sensitive documents on printers or on desks, or entered sensitive data on computers when other individuals were able to view their keyboards and screens.
The visual hacking threat was greatest in open-plan offices, where individuals are able to move around more easily. Traditional office layouts made it harder for visual hacking to take place.
Preventing Visual Hacking
The visual hacking threat cannot be reduced to zero, but it is possible to reduce risk. Employees must be trained to take more care and the risk of confidential information being stolen should be explained. Employees should also be instructed to report any suspicious activity. Privacy filters can also be used on computer screens to make it harder for information to be viewed by anyone other than the operator.