Your Top Data-Exposure Risk: Employees

Too many IT departments lack policies to help employees protect data

People are fallible creatures. As the saying goes, nobody’s perfect.

So it should come as no surprise that employees are a top source of data breaches. According to IBM’s latest X-Force cyber-threat report, inadvertent insiders— or people who are unknowingly the root cause of security incidents— were responsible for more than two-thirds of the total records compromised in 2017.1

Certainly, IT departments have worked hard to combat data risks that have a human element, like phishing attacks, but there are other risks that have long gone unaddressed. One of them is the visual display of sensitive data.

You have probably seen someone working in a public place—like a plane, train, coffee shop or hotel lobby—with the contents of their laptop screen on full display for others to see. Such incidents can expose data and result in a data breach that you may never be able to trace back to a time, place or person.

This is why it’s important to understand visual privacy risks and the steps you can take to mitigate them.

Drawing an Audience

The visual display of sensitive information should be a concern for any IT department that gives workers network access outside the office.

Case in point: Almost nine of 10 mobile workers say they’ve experienced someone looking over their shoulder at their laptop in public places, according to a Ponemon Institute study.2

This “shoulder surfing” may be nothing more than random curiosity or it may have malicious intent.

Visual hacking involves capturing or viewing private, sensitive or confidential information for unauthorized use. Any passerby in public places or fellow passenger on public transit could visually hack data shown on a screen with a quick, unnoticed tap of their smartphone. They could even remember or quickly jot down displayed information, like company finances, a customer’s credit-card number or a worker’s network log-in. With high-quality CCTV cameras everywhere, the visual hacker might not even be in the same room.

What You Can Do

Here are four ways that IT and information-security departments can help protect data on screens:

Architect. Designing privacy-friendly systems that minimize the use of sensitive data.

Secure. Hiding sensitive data from potential threats and avoiding unnecessary details.

Supervise. Enforcing policies and procedures for the appropriate use of data, and then demonstrating compliance with them.

Balance. Informing individuals about the collection or use of their data, and giving them some control over that data.

While all four can serve as important controls, supervision is one area where many organizations fall short. Too often, workers simply don’t have guidance for accessing sensitive data in public areas or even protecting visual privacy in the workplace.

Policies should be in place to outline if, when and how mobile workers can access sensitive data on laptops or mobile devices. Policies should also provide guidance for minimizing data exposure when accessing data in public is necessary, such as by angling screens away from public spaces and maintaining a clean workspace.

Of course, data privacy shouldn’t entirely rely on worker behaviors because, again, to err is human. Enforcing policies is hard and demonstrating worker compliance with policies is expensive and timeconsuming. This is why policies need supporting technical measures that provide added protection in instances of employee negligence.

For example, providing privacy filters and requiring their use on all laptop or mobile device screens, including personal devices used for work, supports employees when they forget to angle their screen away from prying eyes. The privacy filter attaches to a device’s screen and blacks out the angled view of onlookers to help reduce the risk of visual hacking.

You can also use location-based access controls to help prevent workers from viewing sensitive data outside the office. You can use practices like data masking to limit the display of sensitive data. There are many opportunities for technology to support policy objectives.

An Expectation of Privacy

We’re in a new era of data protection. Today, amid new regulations like GDPR and fresh stories about data misuse, there are expectations among customers and internal stakeholders alike that companies be better stewards of data.

Strong cyber-security measures can help you meet these expectations, bu policies, procedures and technology that help limit the visual display of sensitive data—especially as it becomes more mobile— can no longer be avoided.

This article originally appeared in the September 2018 issue of Security Today.

Featured

  • Facing Facts for Facilities

    Despite the proliferation of constantly evolving security solutions, there remains a troubling trend among many facility operators who often neglect the most important security assets within their organization. Keys and shared devices like radios, laptops and tablets are crucial to successful operations, yet many operators are managing them haphazardly through outdated storage systems like pegboards and notebooks. Read Now

  • Report Reveals Security Training Reduces Global Phishing Click Rates by 86%

    KnowBe4, the cybersecurity platform that comprehensively addresses human risk management, today launched its “Phishing by Industry Benchmarking Report 2025” which measures an organization’s Phish-prone Percentage (PPP) — the percentage of employees likely to fall for social engineering or phishing attacks, indicating the organization’s overall susceptibility to phishing threats. This year’s report found a global average baseline PPP of 33.1%, meaning a third of employees interact with phishing simulations before taking part in best-practice security awareness training (SAT).COVER 2025-PIB-NA-Report_EN-US Read Now

  • TSA Begins REAL ID Full Enforcement Today

    Today, the Transportation Security Administration (TSA) announced the imminent implementation of its REAL ID enforcement measures at TSA checkpoints nationwide. Read Now

  • Body-Worn Cameras on the Rise

    On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now

  • Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

    Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.