Shoulder Surfers ‘cyber snap’ confidential data. IT Governance warns: guard & filter your screens

We’ve all had that feeling: someone in our near vicinity is reading our mobile device or laptop. Maybe you were on a train or a plane and noticed that someone was watching you. It might have been in a café environment where you were relaxing.

Chances are, it was just a simple case of idle curiosity on the part of a bored commuter or fellow caffeine addict rather than a deliberate cybercrime in progress. But before you get too comfortable with the idea that dismissing the problem as paranoia will make it go away, it’s best to realize that professional data thieves are much harder to spot than the gawpers who make it obvious.

Shoulder surfing techniques are used in public places to steal data

Someone glancing over your shoulder for personal information, or “shoulder surfing,” has become a much greater threat due to the prevalence of mobile phones equipped with cameras and video recorders. Thieves can snap pictures of credit cards or credit applications, or record entire conversations, while appearing to be texting or talking on the phone. They can also gain access to even more valuable data assets in the same way, by videoing your fingers as you type in your security password.

Shoulder surfing, to quote TechTarget’s SearchSecurity definition, is “…using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.” – I would add to that list the risk posed by visitors to your office facilities, and even colleagues who have the opportunity to view your PC.

They’re behind you! – Is someone pointing a camera-phone at your screen?

Unless it’s protected with a filter that restricts viewing angles, your screen probably displays confidential data to anyone on either side who is close enough to raise a smartphone. Be honest: would you notice this happening, especially if they were standing discreetly to one side of your workstation? Some people get jobs in offices just to gain access to data which has a marketable value. Employees or consultants in your organisation may be doing this, right now! Passwords will be observed as they are typed. Employee records that provide identity thieves with a mine of information are on your server, and there are buyers waiting to handle this data and sell it on. Access to company accounts and restricted folders containing confidential data is much easier if you adopt the identity of a trusted, security-cleared member of staff.

The stakes are high too: U.S. Army Gen. Keith B. Alexander, director of the National Security Agency (NSA) and chief of the Central Security Service (CSS), called cybercrime “the greatest transfer of wealth in history,” reemphasizing an immense problem the U.S. is facing: intellectual property loss via cyber espionage. That IP is incredibly precious to your organisation’s long-term interests, and yet there may be workers in your offices snapping the screens that display your latest designs and patented technologies. The worst of it is, this behaviour is not generally perceived as a significant threat, so employees rarely report incidents of this ‘cyber snapping’.

Cyber security gaps haunt businesses – especially in regard to mobile apps

Someone looking over your shoulder may seem relatively low risk in terms of the frequency of the likely criminal activity, until you consider the prevalence of mobile devices and the amount of remote working that takes place. To quote Cynthia Hodges in her recent article ‘Cyber security gaps haunt businesses’: “Cyber security experts say increasingly available technology which allows smartphone users to create their own mobile networks through mobile hotspots has left internal networks as vulnerable to cyber-attacks as consumer devices.” [Source:]. Mobile networks are a major threat to information security. Mobile hotspots are one of the best physical locations from which to gain unauthorised access, thanks to lax security practices, to data held on company servers. Mobile data usage has, as I have said, created an increased risk in terms of shoulder surfing activity. Ergo: the best places to launch an attack (mobile hotspots) are also great locations for thieves capturing data displayed on laptops, tablets and smartphones. And yet in the minds of trusted employees, these are public locations where people often feel safest, among their friends and co-workers. They are also places where a few drinks can significantly lower the sense of threat. For cyber criminals, cafes and bars are hunting grounds.

ISO27001 controls extend to mobile applications and visual security

So what can you hope to do about this problem? An effective cyber security policy should take full account of mobile applications and the threats to visual security.

In ISO27001, the information security standard increasingly being adopted by creators of mobile apps, including Google and Microsoft, control 9.2.1 states ‘Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access’. This means that even your tablet device, laptop or smartphone is included, because the screens must be “protected”. The use of privacy filters to restrict viewing from either side of the screen, and of password-controlled screen savers, should be considered. So too should the risk of confidential data being photographed using mobile devices, in office environments and public places. Communicating good practice like this should be a fundamental requirement of every organisation’s information security policy.
