The threat of ‘visual hacking' on planes, trains and other forms of public transport is something we don't read too much about when it comes to data security. But it can prove to be a real problem, particularly if the content on your screen is revealing highly confidential business data that could compromise you with a client or competitor.
After all, we've all been sat on a train next to somebody typing away furiously, unaware that we are actually ‘shoulder-surfing' and potentially gaining access to all kinds of intellectual property that, in the wrong hands, could end up getting that person into some serious hot water.
It might seem far-fetched to some, but think twice the next time you are on the way to an important sales pitch or on your way home after a meeting has gone badly. Overheard conversations and glances from strangers sat next to you at the content on your screens could be hugely revealing and embarrassing. Particularly if other passengers work in your industry and connect the dots!
Don't tell your competitors trade secrets
Business not doing so well? Sales down? Margins are tight? You do not want your competitors or members of the public to know any of this information about your brand, clearly, so why would you talk about it or write confidential emails about it in public?
The fact is that ‘shoulder-surfing' or ‘visual hacking' is a threat to organisational data that is just as serious as any other, and not one to be ignored.
Additionally, visual privacy is also really important to employee satisfaction, resulting in a 50 percent reduction in employee productivity if they feel their visual privacy is at risk.
Dealing with this issue should be part of the wider conversation about how to defend businesses against sophisticated cyber-attacks. In July 2017 it was announced that up to £14.5 million will be invested into a new cyber-security innovation centre in London. Yet we haven't perhaps given enough thought to the role of physical device security, when it comes to preventing data breaches.
Top tips for practical data security on the go
Commuters replying to emails and accessing documents while on-the-go are a prime example of just how quickly sensitive and valuable information can fall into the wrong hands.
There are a number of ways of dealing with this issue that employees and IT managers really need to be aware of. Most obviously, just don't do it!
However, it is not reasonable nor sensible to stop people working on the go, if you really do have to deal with confidential information on a packed commuter train or on a long-haul business flight then you could also use a privacy screen, which acts as a pretty robust filter for unwanted eyes. A recent survey by IDC highlighted that the most popular reason UK businesses buy privacy screens is to protect their company image, it is a bigger priority than even data loss or privacy concerns.
While privacy screens don't come with advanced encryption capabilities, they do restrict the view of onlookers meaning only the person in front of the screen can see what's on it.
Some may scoff at the use of such screens, but it sure beats handing over confidential IP to competitors. Plus, as we come up against one of the most important changes to data privacy rulings in a generation – the EU General Data Protection Regulation (GDPR) – businesses are risking a lot more than just lost intellectual property (IP) should they fail to safeguard customer information.
From May 2018, organisations that face a data breach under the GDPR can be fined up to four percent of their annual global turnover, or €20 million – whichever is greater.
Prevention instead of over-reaction
Organisations across the country are busy focusing on the latest technology products and services to help them prevent against cyber-crime. Meanwhile, physical deterrence remains low on the agenda, despite still having the ability to cause large-scale, high-impact data breaches.
Nationwide Building Society was fined £980,000 by the City watchdog following the theft of a laptop from an employee's home** [see note below]. This initially sounds pretty extreme, but not when you consider that the laptop in question contained confidential customer data, putting the details of nearly 11 million customers at risk.
After initially finding that the security was not up to scratch, The Financial Services Authority (FSA) then said that Nationwide's customers had been exposed to the risk of financial crime.
Despite issuing apologies to the 11 million customers effected, Nationwide's failure to monitor or manage downloads of data to storage devices meant it had limited control over information that was held on the laptop, or how it was used.
Don't leave a hole in your data security
Although such device loss-focused breaches may not happen so often, or on the same scale as Nationwide's, as the headline-grabbing incidents we now see on a worryingly regular basis, it doesn't make them any less important.
It's very easy to gain access, or just visibility, of critical industry information and data by sitting on a half an hour train journey. Something that leaves many organisations with a hole in their IT security efforts.
For companies to successfully execute an effective security strategy, they need to go beyond simply relying on sophisticated software, and place a greater sense of urgency on physical security, and the growing impact this has on the wider business.
In the same way that large-scale breaches can leave an organisation with damage to not only it's finances, infrastructure and customer base, exposure of physical security also goes hand-in-hand with reputation. If customer data falls into the wrong hands, they aren't going to care if it was stolen online or in person, the knock-on-effect of lack of trust will be exactly the same.
This will only become more important when the GDPR comes into force, as companies will no longer be able to brush off questions around how and where they are storing customer data and will be forced to be transparent. Conditions for consent will be strengthened and organisations will be penalised for using long, illegible terms and conditions around data consent.
For businesses to really stand a chance at getting ahead in the security game, more urgency needs to be placed around the physical, arguably ‘forgotten' aspect of data security as part of a holistic approach.
Contributed by Atif Mahmood, technical director Targus.
