Preventing data breaches is one of the main focus areas for information security in the public sector, whether we’re talking about local or central government, the education, police or health sector. Yet stories continue to hit the headlines on a regular basis, for example a laptop left in a taxi or patient records suddenly being made public. While there is of course much focus on software-based security measures to mitigate the scale of these problems, the public sector is also increasingly turning its attention to a previously forgotten area of security: physical security, and in particular the ease with which people can view each other’s screens, or use their cameras to take illicit images of on-screen data.
This would seem to be timely, because ‘shoulder surfing’ or ‘visual hacking’ is an area of information security that has, up until now, largely been forgotten. While organisations in both the public and private sectors may spend millions on security software, they are in many cases failing to address this very real physical security risk.
A recent study carried out by the Ponemon Institute in the US involved a ‘white hat hacker’ attempting visual security data breaches; he was successful in 88 per cent of attempts. A professional ‘penetration tester’, the hacker entered the offices of eight companies in the guise of a temporary or part-time worker and attempted to visually hack sensitive or confidential information using three methods: walking through the offices scouting for information in full view on desks, screens and other indiscreet locations; taking a stack of business documents labelled as confidential; and finally, using his smartphone to take a picture of confidential information displayed on a computer screen. All three tasks were completed in full view of other office workers, and in 70 per cent of incidents the visual hack was not challenged. Moreover, visual hacking is fast: the majority of successful attempts took less than half an hour, and 45 per cent took just 15 minutes. On average, five pieces of information – typically an employee contact list, customer information, corporate financials, and employee access and log-in information – were visually hacked per trial.
These results underline the fact that while concerns about visual security may more obviously centre on mobile working in public places, the open-plan office, found in so many public sector environments, is also very vulnerable. The good news is that specific government areas do seem to be waking up to this fact. For instance, the Security Policy Framework (SPF) from the Cabinet Office, which covers the standards and security controls required to protect UK Government workers, information, infrastructure and assets, now includes reference to physical security, driven by the proliferation of laptop and mobile devices in use.
Similarly, the Department for Work and Pensions has previously stated: “where risk assessments indicate that additional steps are required, these will include a range of measures, including for example, the use of privacy filters for portable computers, and restricting employee use of personal phones, during working time”.
The Foreign and Commonwealth Office is also quite explicit in its directions: “If staff need to work remotely and view information that is sensitive, they must ensure that they cannot be overlooked. ‘Privacy screen panels’ are available to mitigate the risk of ‘shoulder surfing’.”
While we have yet to see such specific instructions in the police, education or health sector, anecdotally there is growing interest in how physical security can play an integral part in data security strategies. For example, in the education sector there is more interest in how visual privacy filters over computer screens can help with compliance with the JCQ guidelines for e-assessments, which are designed to ensure that candidates’ workstations are not exposed to anyone else’s sightline. This is an alternative to setting up physical workspace screens between students (expensive, bulky in confined rooms, and in need of storage afterwards) or placing workstations back to back or spaced 1.25m apart (again, a limited option in an already space-constrained environment, and arguably not foolproof).
What else can the public sector do to protect itself better from the risks of visual hacking or ‘shoulder surfing’?
Build visual privacy policies into security strategies – visual privacy deserves its place in the bigger security framework and should not be a second-ranking afterthought.
Educate employees – everyone has a role to play in preventing security breaches, so make sure that staff are aware of when their screens – desktop, laptop, tablet or even smartphone – can be viewed, whether in the office or out-and-about.
Make it more difficult – in the office, make sure that screens are either switched off or go quickly on to standby or screen-saver mode after a short period of inactivity, and require a password or log-in to return to active mode. Privacy filters can be easily attached to monitors, laptops, tablets and smartphones so that only the direct viewer at close range can see on-screen information (to anyone else, the screen will look blank). They also help to protect screens from scuffs and scratches.
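The idle-lock control above is easy to state but often drifts on individual machines. The following is an added example, not part of the original article or 3M's material: a POSIX shell audit that reads GNOME `gsettings` output for the idle-delay, lock-enabled and lock-delay keys and reports whether a workstation blanks and password-locks within a policy maximum. The sample settings and the 600-second maximum are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gsettings list-recursively` output for one GNOME
# user (hypothetical values, not taken from the article).
SAMPLE_OK='org.gnome.desktop.session idle-delay uint32 300
org.gnome.desktop.screensaver lock-enabled true
org.gnome.desktop.screensaver lock-delay uint32 0'

SAMPLE_BAD='org.gnome.desktop.session idle-delay uint32 0
org.gnome.desktop.screensaver lock-enabled false
org.gnome.desktop.screensaver lock-delay uint32 0'

# get_setting SETTINGS SCHEMA KEY -> prints the value (last field of the line)
get_setting() {
  printf '%s\n' "$1" | awk -v s="$2" -v k="$3" '$1==s && $2==k {print $NF}'
}

# audit_idle_lock SETTINGS MAX_SECONDS
# Returns 0 when the screen blanks within MAX_SECONDS of inactivity and a
# password is required to resume; otherwise prints findings and returns 1.
audit_idle_lock() {
  settings="$1"; max_idle="$2"; rc=0
  idle=$(get_setting "$settings" org.gnome.desktop.session idle-delay)
  lock=$(get_setting "$settings" org.gnome.desktop.screensaver lock-enabled)
  delay=$(get_setting "$settings" org.gnome.desktop.screensaver lock-delay)
  idle=${idle:-0}; delay=${delay:-0}
  if [ "$idle" -eq 0 ]; then
    echo "FAIL: idle-delay is 0 (screen never blanks)"; rc=1
  elif [ "$idle" -gt "$max_idle" ]; then
    echo "FAIL: idle-delay ${idle}s exceeds policy maximum ${max_idle}s"; rc=1
  fi
  if [ "$lock" != "true" ]; then
    echo "FAIL: lock-enabled is '${lock}' (no password on resume)"; rc=1
  elif [ $((idle + delay)) -gt "$max_idle" ]; then
    echo "FAIL: lock at ${idle}s+${delay}s exceeds policy maximum ${max_idle}s"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "PASS: locks within ${max_idle}s and requires a password"
  return "$rc"
}

# On a live machine the settings text would come from:
#   gsettings list-recursively org.gnome.desktop.session
#   gsettings list-recursively org.gnome.desktop.screensaver
if audit_idle_lock "$SAMPLE_OK" 600; then :; fi
if audit_idle_lock "$SAMPLE_BAD" 600; then :; fi
```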
Visual privacy is obviously just one element of tackling security. Indeed, the SPF refers to the need for a layered approach to security, and this is spot on: there is no single solution to dealing with information breaches in the public sector, but rather an acceptance that vigilance is required on all fronts, including the very real issue of visual privacy.
By Peter Hartley, 3M
3M is a trademark of 3M Company.
About 3M Privacy Filters
Peter Hartley is UK Account Manager for 3M Privacy Filters. For more information about 3M Privacy Filters, please visit: www.3M.co.uk/privacyfilters