Sensitive information obtained in 88% of visual hacking trials: Study

In nearly nine out of ten instances, security experts were able to visually hack corporate information, according to research published by Ponemon Institute. Titled the 3M Visual Hacking Experiment, the study was conducted on behalf of the Visual Privacy Advisory Council and 3M Company.

Visual hacking is a low-tech, visual method used to capture confidential information for unauthorized use. It includes capturing documents on desks or screens via vision or unapproved smart devices.

Based on a voluntary sample of eight participating companies and 43 unique office locations throughout the United States, the study revealed that while organizations are investing in information security at record levels, many remain vulnerable to low-tech threats such as visual hacking.

“Visual hacking can target any industry but may be especially dangerous in healthcare and financial industries, given the sensitive information involved in nearly every customer interaction and the desire for malicious parties to obtain it,” said John Brenberg, Information Security & Compliance Manager, 3M and member of the Visual Privacy Advisory Council.

Key Findings

Visual hacking is easy:
In 88% of the trials, sensitive information was obtained by visual hackers. Sensitive information types include access and login credentials (47%), confidential or classified documents (35%), financial, accounting and budgeting information (12%), and attorney-client privileged documents (6%).

Unprotected devices are the key offenders:
53% of sensitive information, including access and log-in credentials, confidential documents, and financial information, was captured from an unprotected device.

A company’s most valuable information is at risk:
20% of the data hacked was considered a very valuable information asset.

Visual hacking happens quickly:
It took less than 15 minutes to complete a visual hack in 45% of the hacking attempts.

Multiple pieces of information are hacked:
An average of 5 pieces of sensitive information was obtained per trial. This shows that companies are not only likely to be hit, but to be hit from multiple directions at once.

Visual hacking often goes unnoticed or unchallenged:
Only 30% of visual hacking attempts were stopped. On average, 2.8 pieces of sensitive information had already been obtained per interrupted incident. The remaining 70% of visual hacking attempts went unnoticed or unobstructed by employees.

Common Points of Visual Hacking
Key risk areas of visual hacking include high-traffic areas such as reception, open office floor plans, open cubicles and cubicles with low walls, shared work-spaces, and mobile workers in public places. The diagram below illustrates the approximate location where a hack occurred during the experiment.

[Diagram: approximate locations where hacks occurred during the experiment]

6 Reasons why Visual Hacking is Becoming a Bigger Risk in the Office

  • To increase productivity, many organizations are creating open workspaces without walls and cubicles. As a result, it is more likely that sensitive and confidential documents will be visible to prying eyes.
  • In general, organizations are better able to enforce access policies for electronic documents in a consistent fashion across all users than for paper documents.
  • Employees or contractors often are not aware of what types of information are sensitive or confidential and should be protected from individuals with malicious intent.
  • Many organizations do not have a strict policy for securing paper documents both within the office and at offsite locations.
  • Employees often neglect to shred or dispose of sensitive paper documents in a secure manner. Confidential paper documents thrown in a trash bin, left in a communal printing tray and at an office desk are particularly vulnerable to visual hacking.
  • Sensitive and confidential documents are frequently accessed in public locations because of the increasingly mobile workforce.

7 Tips to Safeguard Sensitive Information from Prying Eyes

The 3M Visual Hacking Experiment reveals just how easy it is for a company to be hacked without even knowing it. However, visual hacking controls do help, including:

  • Educate employees to be aware of their surroundings.
  • Lock computers before leaving them unattended.
  • Take action when a visitor is behaving suspiciously.
  • Use desk partitions for sensitive departments. Traditional offices and cubicles make it easier to protect paper documents and more difficult to view a computer screen.
  • When working in public spaces, sit in a position with the back facing the wall.
  • Use private Wi-Fi or a virtual private network to access or transmit sensitive data.
  • Use privacy filters for device screens. 50% of trials saw three or fewer information types visually hacked while 43% of companies that did not use a privacy filter saw four or more information types visually hacked.

About 3M
At 3M, we apply science in collaborative ways to improve lives daily. With $32 billion in sales, our 90,000 employees connect with customers all around the world. Learn more about 3M’s creative solutions to the world’s problems at www.3M.com or on Twitter @3M or @3MNewsroom. 3M Singapore is a wholly owned subsidiary of 3M Company. The company serves a wide range of consumer and industrial markets, which include electronics, health care, transport engineering, chemicals, building and construction, and consumer retail. 3M’s presence in Singapore includes two manufacturing plants at Woodlands and Tuas, an R&D Center at Woodlands, and a Customer Technical Center, laboratory and other supply chain and business operations based at Yishun. For more information on 3M, please visit www.3M.com.sg.

About the Visual Privacy Advisory Council
The Visual Privacy Advisory Council is made up of a panel of privacy and security experts representing major business and government entities. The organization is dedicated to bringing more awareness and attention to the issue of visual hacking, recommending policies, tools, and best practices to protect organizations from the loss of sensitive, private, and confidential information as a result of visual hacking. For more information, please visit www.stopvisualhacking.org/about.html.
