The new iPhone 6s touts a 12 megapixel camera and the Samsung Galaxy S6 a 16 megapixel camera. You can capture a lot of detail with such a camera. It may be time for corporations to re-think their employee policies, restrict photography in the workplace, and help employees, managers, and executives understand the potential for information leakage and theft from photos taken around the office. A selfie taken at an office or cubicle could unwittingly expose confidential information from computer screens, calendars, or posted notes (how many cubicles still have passwords posted?).
A recent article by Dan Burks at AmericanBanker.com looks into this problem. While he is mainly referring to banks, the problems and solutions apply to all industries.
…A visual hack could involve someone inside a bank branch or back office, such as a customer or delivery person, taking a picture of an employee’s computer screen. It could also involve capturing information from documents left in open view on a desk or printer tray. It could even involve someone outside a bank using a high-powered camera to record drive-up teller and ATM transactions…
Rethinking the Scope of Security Priorities
Visual hacking can be a powerful technique. An experiment recently conducted by the Ponemon Institute found that a white-hat visual hacker was able to obtain sensitive information 88% of the time. The experiment involved an actor playing the role of a temporary office worker or contract worker with a temporary security badge. They went into 43 different office facilities to see what kind of information they could obtain through visual hacking.
The hackers were able to collect confidential information in less than 15 minutes in half of the attempts, and an average of five pieces of private information were hacked per trial…
A good first step in addressing administrative security is to identify your bank’s risks. Consider every opportunity unauthorized individuals have to view sensitive information, whether it’s at an employee workstation, at a teller’s desk, through an office window or on a device that mobile employees or executives might use in public places.
If possible, information security officers should also consider doing “walkabouts” at different branches and back-office locations. This initial assessment can help officers to identify existing risks and make continuous improvements as part of an ongoing security program. Think through possible scenarios in which mobile employees might work out of coffee shops, commuter trains or planes.
Implementing Changes
Industry guidance and standards largely focus on physical and digital security, but they do include some guidance in the administrative realm. For example, the Federal Communications Commission’s “Cyber Security Planning Guide” advises that computer monitors with sensitive information should not be oriented toward publicly accessible spaces and recommends minimizing and safeguarding printed materials that contain sensitive information.
Consider a visual privacy policy that outlines the specific actions, procedures and best practices your organization requires from employees to help prevent the display of important data and information in plain sight. Instituting such a policy is one effective step you can take to help prevent a visual hacking attack. The Visual Privacy Advisory Council offers a free downloadable checklist for you to start today.
[Results from Ponemon Institute hacking experiment]
[Visual Privacy Advisory Council home page]