Organizations around the world are at risk of sharing highly sensitive information through visual hacking in business office environments. This risk was revealed in the 2016 Global Visual Hacking Experiment, an expansion of the 2015 Visual Hacking Experiment conducted in the United States by Ponemon Institute and sponsored by 3M Company. The global study included trials in China, France, Germany, India, Japan, South Korea and the United Kingdom. The combined results found that sensitive information was successfully captured in 91 percent of visual hacking attempts globally.
The global experiments involved 157 trials with 46 participating companies across the eight countries. They exposed low-tech hacking methods as a significant risk to corporations around the world. The findings revealed that organizations need to create awareness among employees on protecting data displayed on device screens, as 52 percent of the sensitive information captured during the experiments came from employee computer screens.
In the experiments, a white hat visual hacker assumed the role of a temporary office worker and was assigned a valid security badge worn in visible sight. The white hat hacker attempted to visually hack sensitive or confidential information using three methods: walking through the office scouting for information in full view on desks, computer monitor screens and other indiscreet locations like printers and copy machines; taking a stack of business documents labeled as confidential off a desk and placing it into a briefcase; and using a smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in front of other office workers at each participating company.
Combined average highlights from the 2015 U.S. Visual Hacking study and this study revealed the following:
- Visual hacking is a global problem. Visual hacking occurred in all countries where the experiment was conducted, with 91 percent of attempts being successful.
- Employee computer screens are most at risk for visual hacking. Globally, 52 percent of sensitive information was visually hacked from employee computer screens.
- A company’s most sensitive information is at risk. Of the visually hacked data, 27 percent was considered sensitive information, including login credentials, attorney-client privileged documents, confidential or classified documents, and financial information. The information was deemed to be sensitive because of the potential security risk to the organization in the aftermath of a data-breach incident.
- Visual hacking happens quickly. It took less than 15 minutes to complete the first visual hack in 49 percent of the hacking attempts.
- Office workers are timid about confronting a visual hacker. In 68 percent of the hacking attempts, office personnel did not question or report the visual hacker even after witnessing unusual or suspicious behavior.
- Office layout affects visual hacking. Traditional offices and cubicles make it easier to protect paper documents and more difficult to view a computer screen. In contrast, an open floor plan appears to exacerbate the risk of visual hacking.
- Companies can take action. The experiment revealed that companies with sound privacy-control practices experienced 26 percent fewer visual privacy breaches on average.
“The results of these experiments uncover the significant visual privacy risks that all organizations face globally, regardless of their size, business type or location,” said Dr. Larry Ponemon, founder of Ponemon Institute and chairman of the 3M-sponsored Visual Privacy Advisory Council. “While visual hacking is often considered a low-tech threat, the repercussions can be just as detrimental as a high-tech cyberattack.”