10:30 AM
Mari Frank

A Hidden Insider Threat: Visual Hackers

Ponemon experiment shows how low-tech white-hat hackers, posing as temps, captured information from exposed documents and computer screens in nearly nine out of ten attempts.

When we think of hackers breaching systems and stealing information from where we work, we don’t usually suspect the people we work with as the guilty parties.

But insider threats are in fact a very real and growing challenge. SANS Institute surveyed nearly 800 IT and security professionals across multiple industries and found that 74 percent of respondents were concerned about negligent or malicious employees who might be insider threats, while 34 percent said they have experienced an insider incident or attack.

One potential method of attack is visual hacking, which is defined as obtaining or capturing sensitive information for unauthorized use. Examples of visual hacking include taking photos of documents left on a printer or information displayed on a screen, or simply writing down employee log-in information that is taped to a computer monitor. The visual hackers themselves could be anyone within an organization’s walls, including employees, contractors or service vendors, such as cleaning and maintenance crews, and even visitors.

In the Visual Hacking Experiment, a study conducted by Ponemon Institute and jointly sponsored by 3M Company and the Visual Privacy Advisory Council, white-hat hackers posing as temporary or part-time workers were sent into the offices of eight U.S.-based, participating companies.

The hackers were able to visually hack sensitive and confidential information from exposed documents and computer screens. They were able to visually hack information such as employee access and login credentials, accounting information and customer information in 88 percent of attempts and were not stopped in 70 percent of incidents.

Assess and Adapt

The best place to begin clamping down on visual privacy threats, no matter what industry you work in, is to perform a visual privacy audit. This will help you assess your key risk areas and evaluate the security measures already in place.

Some questions to consider when conducting a visual privacy audit include:

  • Does your organization have a visual privacy policy?
  • Are shredders located near copiers, printers and desks where confidential documents are regularly handled?
  • Are computer screens angled away from high-traffic areas and windows, and fitted with privacy filters?
  • Do employees keep log-in and password information posted at their workstations or elsewhere?
  • Are employees leaving computer screens on or documents out in the open when not at their desks?
  • Do employees know to be mindful of who is on the premises and what they are accessing, photographing or viewing?
  • Are there reporting mechanisms for suspicious activities?

In addition to identifying areas where visual privacy security falls short, a privacy audit helps managers make the changes or additions needed to the organization’s policies and training.

Policies should outline the do’s and don’ts of information viewing and use for employees and contractors both in the workplace and when working remotely. Additionally, visual privacy, visual hacking and insider threat awareness should be made an integral part of security training, and reinforced through refresher training and employee communications.

Standard best practices

The specific measures you take to defend against visual hacking from insider threats will be unique to your organization or industry. For example, health care organizations are mandated under HIPAA to use administrative, physical, and technical safeguards to ensure the privacy and security of PHI in all forms, including paper and electronic form. But all organizations have the duty to protect customer and employee information, the organization’s intellectual property, confidences, and privacy interests. Standard best practices that apply to nearly every organization include:

  • A “clean desk” policy requiring employees to turn off device screens and remove all papers from their desks before leaving each night.
  • Requirements for masking high-risk data applications from onlookers, using strategies ranked from most secure to least secure.
  • Shredders as standard issue for all on-site units, especially near copiers, printers and fax machines, and as a prerequisite for anyone approved to telework or to use secure remote network access to corporate information assets.
  • Privacy filters on all computers and electronic devices, both in the office and when working remotely, where sensitive data is especially exposed. Privacy filters black out the angled view of onlookers while leaving the user’s own view undisturbed, and can be fitted to the screens of desktop monitors, laptops and mobile devices.

The growing problem of insider threats shouldn’t instill fear and suspicion in workers about the people they see and talk to every day while on the job. However, workers should understand that the threat is real and that they play an important role in helping protect their company’s sensitive data – and that of their customers – against this increasingly prevalent problem.



Mari Frank, an attorney and certified privacy expert, is the author of the "Identity Theft Survival Kit," "Safe Guard Your Identity," "From Victim to Victor," and "The Guide to Recovering from Identity Theft." Since 2005 she's been the radio host of "Privacy Piracy," a weekly ...

12/24/2015 | 11:06:38 AM
Good advice
Privacy screens and all that are very important, but if I ever see someone with a post-it note of their login password (or heaven forbid, for their password manager) tacked to their monitor again, I'll pull my hair out.

It's one of the worst security gaffes and so many people do it. It's a great indicator that we need to move beyond passwords as soon as possible.