By Patricia Titus / Special to Healthcare Facilities Today

Information security spending continues to reach new heights. It grew to more than $75 billion worldwide in 2015, an increase of almost 5 percent from the previous year.

However, as organizations spend more on their cyber defense, too many are neglecting to protect sensitive data in plain sight. This includes data being displayed on an employee’s computer screen, data accessed on a kiosk or mobile workstation, or physical documents left unattended on a desk or printer.

The 2016 Global Visual Hacking Experiment, an expansion of the 2015 Visual Hacking Experiment conducted in the U.S. by Ponemon Institute and sponsored by 3M, found that visual hacking is a woefully under-addressed global threat. The combined 2015 and 2016 studies included 157 trials in 46 participating companies across China, France, Germany, India, Japan, South Korea, the United Kingdom and the United States. In each trial, a white hat visual hacker assumed the role of a temporary office worker and was assigned a security badge worn in visible sight.

The white hat hacker then entered each facility and performed three overt tasks: view and log sensitive information visible on a computer screen, desk or printer, grab a stack of business documents labeled as “confidential” off a desk and put them in a briefcase, and take a picture of sensitive information displayed on a computer screen with their smartphone.

On average, the visual hacker was successful in accessing sensitive corporate information in 91 percent of global trials with 52 percent of the visual hacks occurring via an unprotected employee computer screen. Globally, 27 percent of data breaches involved sensitive information, such as login credentials, attorney-client privileged documents and financial information, and happened in less than 15 minutes in nearly half of all attempts.

High-risk industries

Visual hacking can target any business or organization. But it’s an especially significant threat for financial and healthcare industries, where highly sensitive – and highly valuable – financial and personal data is constantly being accessed, displayed and exchanged.

In banks and credit unions, teller computer screens and workspaces with sensitive documents may be within view of coworkers and customers. Sensitive customer information also may be viewable from outside the building, either through windows or from the drive-through service lane.

In hospitals and clinics, personal patient data could be exposed at self-service check-in kiosks or on any number of staff computers, especially when left unattended with personal data still displayed on them. Outside a hospital, a doctor reviewing patient information on a laptop during his or her morning commute could unwittingly expose personal details to nearby passengers or “shoulder surfers.” 

Protecting data

Organizations in these high-risk industries can use a mix of environmental considerations, behavior changes and new technologies to help protect customer information.

First, IT managers and security professionals should evaluate facility layouts to ensure employee workstations, customer service areas, conference rooms and other areas are designed with visual privacy in mind.

Policies and procedures should also be updated. For example, implementing a clean-desk policy will help ensure documents containing sensitive information are not left unattended on desks. A comparable “clean screen” policy also should require that workers log off or lock down their computers when they step away from their workstations.

Physical safeguarding is also important. Privacy filters should be used on monitors, laptops, tablets and smartphones. These filters, which apply over a device screen, help block unauthorized side views of potential onlookers by darkening the screen.

Persistence pays off

Visual hacking may be a low-tech threat, but increasingly sophisticated consumer technology combined with cunning individuals can make it a crafty threat. Organizations should be vigilant and ever evolving in their efforts to protect against it.

Patricia Titus is the Chief Information Security Officer at Markel Corporation and member of the Visual Privacy Advisory Council.