Your Top Data-Exposure Risk: Employees
Too many IT departments lack policies to help employees protect data
- By Jason Cronk
- Sep 01, 2018
People are fallible creatures. As the saying goes, nobody’s
So it should come as no surprise that employees
are a top source of data breaches. According to IBM’s
latest X-Force cyber-threat report, inadvertent insiders—
or people who are unknowingly the root cause of security incidents—
were responsible for more than two-thirds of the total records
compromised in 2017.1
Certainly, IT departments have worked hard to combat data risks
that have a human element, like phishing attacks, but there are other
risks that have long gone unaddressed. One of them is the visual display
of sensitive data.
You have probably seen someone working in a public place—like
a plane, train, coffee shop or hotel lobby—with the contents of their
laptop screen on full display for others to see. Such incidents can expose
data and result in a data breach that you may never be able to
trace back to a time, place or person.
This is why it’s important to understand visual privacy risks and
the steps you can take to mitigate them.
Drawing an Audience
The visual display of sensitive information should be a concern for
any IT department that gives workers network access outside the office.
Case in point: Almost nine of 10 mobile workers say they’ve experienced
someone looking over their shoulder at their laptop in public
places, according to a Ponemon Institute study.2
This “shoulder surfing” may be nothing more than random curiosity
or it may have malicious intent.
Visual hacking involves capturing or viewing private, sensitive or
confidential information for unauthorized use. Any passerby in public
places or fellow passenger on public transit could visually hack
data shown on a screen with a quick, unnoticed tap of their smartphone.
They could even remember or quickly jot down displayed information,
like company finances, a customer’s credit-card number or
a worker’s network log-in. With high-quality CCTV cameras everywhere,
the visual hacker might not even be in the same room.
What You Can Do
Here are four ways that IT and information-security departments can
help protect data on screens:
Architect. Designing privacy-friendly systems that minimize the
use of sensitive data.
Secure. Hiding sensitive data from potential threats and avoiding
Supervise. Enforcing policies and procedures for the appropriate
use of data, and then demonstrating compliance with them.
Balance. Informing individuals about the collection or use of
their data, and giving them some control over that data.
While all four can serve as important controls, supervision is one
area where many organizations fall short. Too often, workers simply
don’t have guidance for accessing sensitive data in public areas or
even protecting visual privacy in the workplace.
Policies should be in place to outline if, when and how mobile
workers can access sensitive data on laptops or mobile devices. Policies
should also provide guidance for minimizing data exposure when
accessing data in public is necessary, such as by angling screens away
from public spaces and maintaining a clean workspace.
Of course, data privacy shouldn’t entirely rely on worker behaviors
because, again, to err is human. Enforcing policies is hard and
demonstrating worker compliance with policies is expensive and timeconsuming.
This is why policies need supporting technical measures
that provide added protection in instances of employee negligence.
For example, providing privacy filters and requiring their use on
all laptop or mobile device screens, including personal devices used
for work, supports employees when they forget to angle their screen
away from prying eyes. The privacy filter attaches to a device’s screen
and blacks out the angled view of onlookers to help reduce the risk
of visual hacking.
You can also use location-based access controls to help prevent
workers from viewing sensitive data outside the office. You can use
practices like data masking to limit the display of sensitive data.
There are many opportunities for technology to support policy objectives.
An Expectation of Privacy
We’re in a new era of data protection. Today, amid new regulations
like GDPR and fresh stories about data misuse, there are expectations
among customers and internal stakeholders alike that companies
be better stewards of data.
Strong cyber-security measures can help you meet these expectations,
bu policies, procedures and technology that help limit the
visual display of sensitive data—especially as it becomes more mobile—
can no longer be avoided.
This article originally appeared in the September 2018 issue of Security Today.