Your Top Data-Exposure Risk: Employees

Too many IT departments lack policies to help employees protect data

People are fallible creatures. As the saying goes, nobody’s perfect.

So it should come as no surprise that employees are a top source of data breaches. According to IBM’s latest X-Force cyber-threat report, inadvertent insiders— or people who are unknowingly the root cause of security incidents— were responsible for more than two-thirds of the total records compromised in 2017.1

Certainly, IT departments have worked hard to combat data risks that have a human element, like phishing attacks, but there are other risks that have long gone unaddressed. One of them is the visual display of sensitive data.

You have probably seen someone working in a public place—like a plane, train, coffee shop or hotel lobby—with the contents of their laptop screen on full display for others to see. Such incidents can expose data and result in a data breach that you may never be able to trace back to a time, place or person.

This is why it’s important to understand visual privacy risks and the steps you can take to mitigate them.

Drawing an Audience

The visual display of sensitive information should be a concern for any IT department that gives workers network access outside the office.

Case in point: Almost nine of 10 mobile workers say they’ve experienced someone looking over their shoulder at their laptop in public places, according to a Ponemon Institute study.2

This “shoulder surfing” may be nothing more than random curiosity or it may have malicious intent.

Visual hacking involves capturing or viewing private, sensitive or confidential information for unauthorized use. Any passerby in public places or fellow passenger on public transit could visually hack data shown on a screen with a quick, unnoticed tap of their smartphone. They could even remember or quickly jot down displayed information, like company finances, a customer’s credit-card number or a worker’s network log-in. With high-quality CCTV cameras everywhere, the visual hacker might not even be in the same room.

What You Can Do

Here are four ways that IT and information-security departments can help protect data on screens:

Architect. Designing privacy-friendly systems that minimize the use of sensitive data.

Secure. Hiding sensitive data from potential threats and avoiding unnecessary details.

Supervise. Enforcing policies and procedures for the appropriate use of data, and then demonstrating compliance with them.

Balance. Informing individuals about the collection or use of their data, and giving them some control over that data.

While all four can serve as important controls, supervision is one area where many organizations fall short. Too often, workers simply don’t have guidance for accessing sensitive data in public areas or even protecting visual privacy in the workplace.

Policies should be in place to outline if, when and how mobile workers can access sensitive data on laptops or mobile devices. Policies should also provide guidance for minimizing data exposure when accessing data in public is necessary, such as by angling screens away from public spaces and maintaining a clean workspace.

Of course, data privacy shouldn’t entirely rely on worker behaviors because, again, to err is human. Enforcing policies is hard and demonstrating worker compliance with policies is expensive and timeconsuming. This is why policies need supporting technical measures that provide added protection in instances of employee negligence.

For example, providing privacy filters and requiring their use on all laptop or mobile device screens, including personal devices used for work, supports employees when they forget to angle their screen away from prying eyes. The privacy filter attaches to a device’s screen and blacks out the angled view of onlookers to help reduce the risk of visual hacking.

You can also use location-based access controls to help prevent workers from viewing sensitive data outside the office. You can use practices like data masking to limit the display of sensitive data. There are many opportunities for technology to support policy objectives.

An Expectation of Privacy

We’re in a new era of data protection. Today, amid new regulations like GDPR and fresh stories about data misuse, there are expectations among customers and internal stakeholders alike that companies be better stewards of data.

Strong cyber-security measures can help you meet these expectations, bu policies, procedures and technology that help limit the visual display of sensitive data—especially as it becomes more mobile— can no longer be avoided.

This article originally appeared in the September 2018 issue of Security Today.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Busy South Africa Building Integrates Custom Access Control System

    Nicol Corner, based in Bedfordview, Johannesburg, South Africa, is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. This is the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption. Nicol Corner (Pty) LTD has developed a landmark with sophisticated design and unique architecture by collaborating with industry-leading partners and specifying world-class equipment throughout the project. This includes installing a high-spec, bespoke security and access control system. Read Now

  • Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

Featured Cybersecurity


New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3