Ponemon Study Points to Risks of Visual Hacking, or 'Shoulder Surfing'

Whether you call it 'shoulder surfing,' or just plain eavesdropping, new research from 3M and the Ponemon Institute outlines the risks of visual hacking.

It happens every day in offices, coffee shops and airplanes around the world—one person will look over another person's shoulder and see private information on a computer screen.

Although some might just call it eavesdropping, it's actually a real cyber-risk, known as visual hacking. 3M and the Ponemon Institute have been studying the visual hacking problem for several years, and recently released the 2016 Global Visual Hacking Experiment study, detailing the impact of the phenomenon.

The study included trial results from 46 companies in eight countries—the United States, United Kingdom, India, Korea, Germany, Japan, China and France—to identify the risks of visual hacking and how organizations respond to it. In each trial, a researcher wore a temporary security badge and was given workspace inside the participating organization. The researcher then carried out several tasks designed to surface visual risks, including simply walking through the participating offices to see what information was viewable on company desks and computer screens.

The study found that, in total, across all regions, 91 percent of attempts at visual hacking were successful.

"A successful visual hack in the experiment was defined by recording potentially sensitive or confidential information," Larry Ponemon, founder of the Ponemon Institute and chairman of the Visual Privacy Advisory Council, told eWEEK.

The confidential and sensitive information that was observed included information about customers or consumers; access and login information and credentials; confidential or classified documents; attorney-client privileged documents; and financial, accounting and budgeting information.

A common approach used on many websites to help protect users is to obfuscate password entry with asterisks (for example, the use of *** instead of clear text). Ponemon commented that sensitive information that was visually hacked in the experiment was in clear view—not obscured.

"Concealing a password might help solve part of the problem, but there is so much more information that can be visually hacked—hard copy documents, email contents, presentations and more," Ponemon said. "Preventing visual hacking requires a holistic security and privacy program designed to protect information from a range of threats."

The study found that organizations with comprehensive privacy-control practices in place reported 26 percent fewer visual privacy breaches. Ponemon explained that a combination of company policies and visual-privacy products is the best approach to helping prevent visual hacking. 3M, the sponsor of the Ponemon visual hacking study, sells screen privacy products.

From a policy perspective, Ponemon suggests that companies advise employees to shut down and password-protect their computers and mobile devices when they are not in use, and implement a clean-desk policy that ensures documents containing sensitive information are removed from plain view when not in use.

"Your employees are the first line of defense against visual hacking, but changing human behavior can be difficult," Ponemon said.

It's also important to reinforce policies with internal communications efforts, training and auditing, he added.

"Visual hacking is often overlooked as a low-tech threat," Ponemon said. "But organizations need to start taking it seriously because the repercussions can be just as harmful to an organization as a cyber-attack."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.