Often underestimated, visual hacking happens almost every day in every company. Have you ever found a confidential document that somebody forgot to pick up near the printer? Or have you ever had a look at a colleague’s computer screen while they were working on customers’ data? Even if done without malice, these are two examples of visual hacking, defined by 3M as a “low-tech method of capturing sensitive, confidential and private information for unauthorized use.”
The visual hacking experiment
To raise awareness of this often undervalued risk, Ponemon Institute, on behalf of 3M, conducted the 2016 Global Visual Hacking Experiment. A white-hat hacker was sent to 46 selected companies all around the world. While pretending to be a temporary office worker equipped with a valid security badge and personal access to the company’s network (co-workers were not aware of the experiment), he had to perform three tasks:
- Look for sensitive information left on desks, monitors, screens and other locations, like printers, fax machines, etc.;
- Take confidential business documents left on desks and place them into his bag;
- Use a smartphone to take pictures of confidential information displayed on computer screens.
Visual hacking is a real and underestimated problem
Here are results of the experiment in brief:
- 91% of visual hacking attempts were successful: the white-hat hackers managed to complete the above tasks in full view of office workers.
- 49% of total attempts were successful in 15 minutes or less.
- 27% of the data hacked was sensitive information: employees’ and customers’ sensitive data, login credentials, classified documents and financial information.
- 52% of sensitive information was hacked from employees’ computer screens.
- 68% of the time, the white-hat hackers weren’t stopped by employees.
Controls reduce the risk of visual hacking
Based on the results of the experiment, companies with suitable controls in place experienced on average 26% fewer visual hacks. This is because employees were aware of the risk of visual hacking, so they followed procedures and best practices to minimise this risk. Staff awareness programmes should be carried out periodically to make sure that all employees, newly employed included, are up to date with the company’s policies and procedures.
The best way to carry out a staff awareness programme is through e-learning courses: the Information Security Staff Awareness e-learning course is easy to adapt to your company’s needs and branding, it can be accessed anytime from anywhere in the world, and you can keep track of who has completed the course and passed the final test.
Train your staff to reduce the risk of data breaches with the staff awareness e-learning course!