GDPR puts the spotlight on physical privacy

By Peter Barker, 3M

With the arrival of the General Data Protection Regulation (GDPR) in May of this year, the spotlight on data security has continued to intensify. It’s a multi-faceted challenge, requiring a plan of action with a variety of different approaches. In addition to all the usual high-tech digital aspects of information security, many businesses – both channel and end-user – are now appreciating the importance of physical privacy and, within that, the need for better visual privacy. Risk mitigation is also a potential new revenue stream for dealers: more on that later.

“GDPR is a principle-based regulation. This means regulators don’t provide organisations with a set of definitive actions to follow,” said Enza Iannopollo of Forrester Research, when 3M recently sat down with her to discuss security measures, policies and privacy-compliance programmes, including GDPR. “It doesn’t matter whether an unauthorised data disclosure happens because a hacker launches a sophisticated cyberattack on a company’s website or because a stranger takes a picture of highly sensitive data displayed on an employee’s laptop screen. It takes only a quick look at an unprotected screen for an unauthorised individual to get those keys and gain access. And the risk grows with the increasing sophistication of social engineering.”

Iannopollo points out that many of us have inadvertently seen something on a smartphone, laptop or desktop monitor that we know was not meant for our viewing. Not only are ‘visual hacks’ fast, they also require no technical skills, unlike software or network hacking. Once obtained, sensitive or confidential information – for instance, personal details about employees or their contact details, whether from a screen or a piece of paper – could then potentially be sold or shared for illegal or malicious purposes.

Mobility issues

With the growth of mobile and remote working, it is easy to imagine how the risk could escalate. There is no reason to expect that trend to slow down, let alone reverse: more and more of us carry our offices with us. However, visual hacking is also a risk within office buildings, particularly those that are open plan and populated by employees, contractors and other visitors. The proliferation of screen-based devices increases the potential landscape of attack: many of us have a desktop monitor, a laptop, a smartphone and a computer tablet.

Although GDPR has sharpened the focus on information security, it has been a consideration for some organisations in the UK for several years. For example, there are several government departments that either mandate or recommend visual privacy measures as part of their working guidelines. Visual privacy is also an implicit requirement within the FCA rules.

The brand benefits

There are strong positives to employing visual privacy measures. Not only are organisations’ valuable information assets better protected, but such steps also demonstrate that customers’ data matters and is being looked after, helping to engender trust and confidence in a brand.

Readers may be wondering how real the visual privacy risk is and whether there is any proof of a visual hack causing a major data breach. The latter is hard to know, but the Global Visual Hacking Experiment – carried out by renowned security industry experts The Ponemon Institute and commissioned by 3M in 2016 – certainly underlines how easy visual hacking is to achieve.

A total of 157 trials were carried out by a ‘white hat’ hacker posing as a temporary office worker, complete with a visible and valid security badge, in eight countries, including the UK, across a variety of organisations (which had agreed to the trials and were given notice two days in advance).

Successful visual hacking

The hacker attempted to obtain confidential or sensitive content in three ways: looking for information left on desks, monitors, printers, copiers and in other open locations; taking a stack of clearly confidential documents from a desk and placing them in a briefcase; and finally, taking images of paper documents and on-screen information with a smartphone camera.

In 91% of attempts worldwide the ‘visual hacks’ were successful, with half taking 15 minutes or less. Alarmingly, the hacker was challenged in only approximately a third of attempts. An average of 52% of the sensitive information obtained came from computer screens (the UK fared a little better at 44%, but that is still a high figure). The information gained was wide-ranging: personal identification, customer and employee details, access and log-in credentials, classified documents, attorney-client privileged material, and financial and accounting data.

Perhaps the results are not that surprising, given that many people are quite cavalier about information in the workplace, not thinking it necessary to shield screens or lock documents away from view when not at their desks. Plus, many of us have probably come across someone who has their log-in and password details pinned somewhere in plain sight. However, what was interesting about the results was the fact that when visual privacy measures were put in place, the number of successful visual hacks dropped by more than a quarter.

Visual privacy policies

The good news is that, compared to other forms of information security, visual privacy processes are relatively simple, fast and cost-effective to implement. The first step is making sure that staff have better awareness of the risks and of their own role in prevention. Actions can be as simple as making screens less easily visible: angling them away from anyone who might overlook them, or even sitting with one’s back against a wall when working in public places. Automatic screen savers and a mandatory re-login after a few minutes’ inactivity are features within the reach of any computer user.
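The screen-saver and inactivity re-login measure above is one that can be verified rather than just recommended. The script below is an added example, not from the article or from 3M, and assumes a Windows desktop. It reads the standard per-user screen saver registry values (honouring a Group Policy setting over the user’s own preference) and the machine-wide inactivity limit, and reports whether the lock is enabled, password-protected on resume, and set to trigger within an assumed five-minute window.

```powershell
# Added audit example (not part of the original article or 3M's material).
# Assumes a Windows desktop; the 300-second limit is an assumed policy value.

function Get-ScreenLockSetting {
    param([Parameter(Mandatory)] [string] $Name)

    # A Group Policy value (Policies hive) takes precedence over the user's own preference,
    # so the policy path is consulted first and the user path only as a fallback.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'

    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = [string]$item.$Name; Source = $path }
        }
    }
    return $null
}

function Test-ScreenLockPolicy {
    param([int] $MaxIdleSeconds = 300)   # assumption: the screen must lock within five minutes

    $active  = Get-ScreenLockSetting -Name 'ScreenSaveActive'     # "1" = screen saver enabled
    $secure  = Get-ScreenLockSetting -Name 'ScreenSaverIsSecure'  # "1" = password required on resume
    $timeout = Get-ScreenLockSetting -Name 'ScreenSaveTimeOut'    # idle seconds before it starts

    # Machine-wide limit set by "Interactive logon: Machine inactivity limit", if configured.
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                                -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $active -or $active.Value -ne '1') {
        $findings += 'Screen saver is not enabled'
    }
    if (-not $secure -or $secure.Value -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    if (-not $timeout) {
        $findings += 'No screen saver timeout is configured'
    } elseif ([int]$timeout.Value -gt $MaxIdleSeconds) {
        $findings += "Screen saver timeout is $($timeout.Value)s, above the $MaxIdleSeconds s limit"
    }

    # A machine-wide inactivity lock within the limit locks the session regardless of the
    # per-user screen saver settings, so it satisfies the requirement on its own.
    $machineLimit = if ($machine) { [int]$machine.InactivityTimeoutSecs } else { 0 }
    if ($machineLimit -gt 0 -and $machineLimit -le $MaxIdleSeconds) {
        $findings = @()
    }

    [pscustomobject]@{
        Compliant             = ($findings.Count -eq 0)
        ScreenSaverActive     = if ($active)  { $active.Value }  else { '(not set)' }
        PasswordOnResume      = if ($secure)  { $secure.Value }  else { '(not set)' }
        TimeoutSeconds        = if ($timeout) { $timeout.Value } else { '(not set)' }
        MachineInactivityLimit = $machineLimit
        Findings              = $findings
    }
}

# Run the audit for the current user and show the result.
Test-ScreenLockPolicy | Format-List
```

Run it in a normal user session; no elevation is needed to read these values. In a managed estate the same check can be pushed out through the endpoint management tool of choice and the `Compliant` field collected centrally, which turns a policy statement into something that can be evidenced for a GDPR accountability review.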

Encouraging clean-desk policies, routine shredding of documents, or simply making sure that employees collect their documents immediately after sending a remote print or copy job, are other simple but effective measures. Locking desks at night and making sure that briefcases also have some kind of lock are also good practice. Surveillance cameras in the workplace might feel a bit ‘Big Brother’, but they could also act as a deterrent to hackers of all kinds.

A further idea is to install privacy filters on screens – from smartphones to desktop monitors – which prevent information from being seen unless the viewer is at close range and within a 45-degree angle; otherwise viewers merely see a black screen. Easy to slip on and off when users need to collaborate with colleagues or clients, these privacy filters also help to protect digital displays. In addition, they are a good way for dealers to expand their portfolios and get a foot in the door with new customers, since they are a relatively easy purchasing decision for companies to make. Compared to most software-based solutions, privacy filters are low-cost, simple and fast to implement.

Finally, staff should feel that it is acceptable to routinely check people’s credentials and to challenge an unknown visitor, very politely, of course. Clearly, better physical privacy has multiple elements to consider, but since they are all achievable, surely it makes sense to build them into overall information security strategies and solutions?
