Visual hacking and some of the best ways to help prevent it

Visual hacking isn’t just a curious peek over someone’s shoulder. This malicious act of viewing or capturing sensitive information for unauthorized use is a growing form of social engineering, and it can lead to massive data breaches and stolen information.
The troubling ease with which visual hacking can be done was highlighted in the recent 2016 Global Visual Hacking Experiment, an expansion of the 2015 Visual Hacking Experiment conducted in the U.S. by Ponemon Institute and sponsored by 3M.
The combined experiments involved 157 trials in which a white-hat hacker assumed the role of a temporary office worker and attempted to obtain sensitive information in 46 participating companies across eight different countries through visual hacking. The hackers, wearing a standard-issue security ID badge in plain sight, entered each facility and attempted three overt tasks:

  • View and log sensitive information visible on a computer screen, desk or printer.
  • Grab a stack of business documents labeled as “confidential” off a desk and put them in a briefcase.
  • Take a picture of sensitive information displayed on a computer screen with their smartphone.

The results were eye-opening. On average, the visual hacker was successful in accessing sensitive corporate information in 91 percent of global trials, with 52 percent of the visual hacks occurring via an unprotected employee computer screen[1]. Globally, 27 percent of data breaches involved sensitive information, such as login credentials, attorney-client privileged documents and financial information, and happened in less than 15 minutes in nearly half of all attempts.
So now that we know visual hacking is a threat, what can we do to help prevent it?
Identify and Control
Every setting has unique, high-risk areas to address. They could include waiting areas in hospitals, or teller counters, service desks and ATMs in banks. In offices, they could include shared workspaces, open cubicles and lobbies. Each of these areas needs to be examined and addressed based on the threat it represents.
A combination of company policies and visual-privacy controls is the best approach to help prevent visual hacking. Policies should include instructing workers to lock and password-protect their computers and mobile devices when not in use. They should also include a clean-desk policy that ensures documents with sensitive information are removed from plain view when not in use, as well as shredding documents with sensitive information when they are no longer needed.
Employees are the first line of defense against visual hacking, but changing human behavior can be difficult. Policies should be reinforced with internal communications efforts, training and auditing to build a culture of privacy. This can help empower workers to take privacy into their own hands and protect proprietary company information.
Controls also play an important role. All computer monitors and mobile-device screens should be fitted with physical privacy filters, which black out screens when they are viewed from a side angle.
A Preventable Threat?

Visual hacking is too easy to carry out in most office buildings today, as evidenced by the Global Visual Hacking Experiment, and its prevalence may only grow as hackers seek new ways to access information. A simple combination of people, processes and technologies is the best way to address this threat and help protect company information from all angles.

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and chairman of the 3M-sponsored Visual Privacy Advisory Council. He receives compensation from 3M in connection with his participation on the Visual Privacy Advisory Council.
[1] Average based on global trials conducted by Ponemon Institute during the “Visual Hacking Experiment,” 2015, and the “Global Visual Hacking Experiment,” 2016, both sponsored by 3M.