New Study Identifies Snooping as Threat for Corporate Data Breaches
A study by People Security and commissioned by 3M, reveals two-thirds of employees expose sensitive data outside the workplace – some even exposing highly regulated and confidential information such as customer credit card and social security numbers.
TheVisual Data Breach Risk Assessment Study also found the majority of companies do not have policies or measures in place to protect sensitive information from computer screen snooping when employees are working in public places.
“With the rise in mobile workers carrying confidential data with them outside the office, snooping is no longer a harmless hobby and may represent a weak link in corporate data security practices,” says Dr. Hugh Thompson, Chief Security Strategist of People Security. “Today’s latest smart phones now make it possible for a data thief to take a high-resolution picture of confidential information on a computer screen and retrieve readable data without any hacking necessary. Information revealed on mobile devices outside the workplace now creates a window into a corporation’s most confidential data – whether it is regulated or simply company secrets – and significantly raises the threat level of visual data breaches.”
The study included a survey of 800 working professionals1 and an experiment at a large IT conference where attendee computer usage habits and data security choices were observed2.
According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than a half billion sensitive records have been breached since 2005, leaving Americans vulnerable to identity theft. While this number does not include visual privacy breaches, 71 percent of working professionals surveyed admitted to glancing at another person’s computer screen where they saw such things as corporate emails (26%), presentations (20%), documents (18%), spreadsheets (29%) or other corporate sensitive information (11%). While most surveyed said the reason for glancing at another person’s screen was unintentional, 15 percent were interested in what was on the screen and 2 percent even admitted they were trying to obtain information.
The study also examined how privacy concerns affect employee productivity while working outside the office. Fifty-seven percent of working professionals surveyed said they have stopped working on their laptops because of privacy concerns in a public place and 80 percent thought that “prying eyes” posed at least some risk to their organization.
Key study findings include:
- Employees are exposing regulated customer information, as well as confidential corporate information outside the office. Two-thirds (67%) of working professionals surveyed had worked with some type of sensitive data outside the trusted confines of the office within the past year, including highly sensitive information such as customer credit card numbers (26%), customer social security numbers (24%), patient medical information (15%) and internal corporate financial information (42%).
- Convenience is more important than privacy for employees working outside the office. One in four (26%) conference internet kiosk users accessed corporate email on an unprotected network in a high-traffic public area, though many had the opportunity to use a more secure corporate laptop or smart phone. Furthermore, attendees who used the internet kiosks had the choice of using a computer either equipped or not equipped with a privacy filter so neighbors and passersby couldn’t see the information they were accessing; the majority (65%) of kiosk users chose one without a privacy filter. These findings illustrate that some employees are careless with corporate data by choosing convenience over security.
- Significant gap exists between risk and corporate policy/tools to prevent visual data breaches. There is a basic expectation that companies will keep sensitive information secure at all times. However, 70 percent of working professionals surveyed said their company had no explicit policy on working in public places and 79 percent reported no company policy on the use of privacy filters to prevent visual data breaches.
- Protection against visual data breaches last to be addressed by corporations. Data security practices such as VPN access (46%), disk encryption software (38%) two-factor authentication (19%) were all more commonly used to protect against breaches compared to the use of privacy filters (13%).
- The threat of a visual data breach is growing. Fifty-five percent of working professionals surveyed worked on their laptop in a high-traffic public area at least 1 hour per week. IT analyst firm IDC estimates that more than 72 percent of the US workforce has some level of mobility3, and by 2013 this number will increase to more than 75 percent. Many of these workers will access corporate email/data in public areas through laptops and smart phones, putting that data at risk for exposure. According to a recent survey, more than 60 percent of US households now have at least one camera phone4. This means that most users have the ability to capture images, including screens shots, further increasing the risk of visual data breaches.
- Opportunity to increase productivity when privacy-concerned employees work outside the office with stronger privacy protection measures in place. Fifty-seven percent of working professionals surveyed said they have stopped working on their laptops because of privacy concerns in a public place and 70 percent said they would be more productive in public places if they thought no one else could see their screen. This concept that security-conscious employees would be more productive working outside the office when using privacy-enhancing tools such as privacy filters was further indicated through observation during the experiment.