Imagine this scenario playing out in your company: An employee sees sensitive data displayed on an unprotected computer screen in your office, discreetly snaps a few pictures of it with a smartphone and then walks off with nobody the wiser.
For IT managers, it’s a chilling thought that employees could be scheming to steal your company’s data. But an insider attack can happen to any organization. And the risk is potentially higher than ever as more companies fortify their cyber defenses and force bad actors to look down new avenues for accessing sensitive data.
In fact, according to the 2018 Data Breach Investigations Report, internal actors now cause more data breaches than external actors in the healthcare industry. The report also found that internal actors are responsible for 28 percent of data breaches across all industries.
IT managers and security teams are becoming more aware of insider threats. But awareness is not a defense. Today, only about one-third of IT and security professionals are very confident that they can identify threats from employees who have privileged access, according to results of the recently published 2018 Privileged Access Threat Report.
An Unchecked Threat
The scenario of an employee taking pictures of sensitive data displayed on a computer screen is an attack method known as visual hacking. It’s defined as obtaining or capturing sensitive information for unauthorized use.
The Global Visual Hacking Experiment, conducted by Ponemon Institute, shows just how successful such attacks can be in the workplace. In this study, white hat visual hackers assumed the role of temporary office workers and were sent into 157 offices of participating companies across eight countries. In 91 percent of attempts, they were able to visually hack information such as employee login credentials, accounting information and customer information in full view on desks, monitor screens and other locations like printers and copy machines. They were not stopped in 68 percent of these incidents.
Three Things IT Managers Can Do Today
The exact approach you take to help defend against insider attacks like visual hacking will be unique to your organization. But there are some easy steps that IT managers can take today to help reduce the risk of visual hacking in your company. Let’s look at three of them.
1. Conduct an audit: A visual privacy audit can help you assess your key risk areas and evaluate existing security measures you have in place. It can also help determine if you need new safeguards or perhaps additional training to encourage employee use of existing data privacy safeguards.
Not sure what this audit should involve? Start with the most basic question: Does your organization have a visual privacy policy? Next, do a walkthrough of your different workplaces. Look for things like sensitive information left on whiteboards, computer screens that are facing public spaces, and workstations where passwords or other sensitive information is exposed.
Also, confirm that your organization requires sensitive data be encrypted or provides a mechanism for employees to report suspicious activities.
2. Implement common-sense safeguards: Looking beyond software, there are some best practices that nearly every organization can apply to help protect data privacy.
Privacy filters should be fitted on all computer and device screens. The filters blacken out the angled view of onlookers while providing an undisturbed viewing experience for the user. They can help protect sensitive data not only in the office but when workers are accessing internal networks and confidential documents while working remotely.
You should also have document shredders near copiers, printers and desks – or anywhere that sensitive information is regularly handled. Also, any cabinets or storage rooms that store sensitive documents should be locked.
3. Align IT with corporate strategy: IT managers are critical to helping the company accomplish its data privacy and compliance initiatives. Through collaboration with dedicated information security staff and the C-suite, IT managers can suggest efficient ways to communicate with employees on the software, hardware and accessories they need to protect data. This may include identifying unique requirements for employees who frequently travel, have access to highly sensitive intellectual property, manage customer data or confidential sales information, or work in open office areas.
A Team Effort
As you review your company’s data privacy safeguards, strengthen your approach to protect against insider threats like visual hacking. Remember that data privacy goes beyond you and your IT team; it’s a job for everyone in your organization. Educated and empowered workers can help make sure safeguards are being used. And they can serve as your last line of defense against any potential rogue elements who are seeking your most sensitive company data.
About the Author:
Jessica Walton is Global Business Manager for the Display Materials & Systems Division at 3M. She has more than 20 years of experience in the electronics and data storage industry working with iconic industry brands including 3M, Memorex, Imation and TDK.