In nearly nine out of ten instances, security experts were able to visually hack corporate information, according to research published by Ponemon Institute. Titled “The 3M Visual Hacking Experiment,” the study was conducted on behalf of the Visual Privacy Advisory Council and 3M Company.
Visual hacking is a low-tech method of capturing confidential information for unauthorized use. It includes capturing documents on desks or screens, either by sight or with unapproved smart devices.
Based on a voluntary sample of eight participating companies and 43 unique office locations throughout the United States, the study revealed that while organizations are investing in information security at record levels, many remain vulnerable to low-tech threats such as visual hacking.
“Visual hacking can target any industry but may be especially dangerous in healthcare and financial industries, given the sensitive information involved in nearly every customer interaction and the desire for malicious parties to obtain it,” said John Brenberg, Information Security & Compliance Manager, 3M and member of the Visual Privacy Advisory Council.
Visual hacking is easy
In 88% of the trials, sensitive information was obtained by visual hackers. Sensitive information types include access and login credentials (47%), confidential or classified documents (35%), financial, accounting and budgeting information (12%), and attorney-client privileged documents (6%).
A little over half (53%) of sensitive information, including access and login credentials, confidential documents, and financial information, was captured from an unprotected device.
Twenty percent of the data hacked was considered a very valuable information asset. And it took less than 15 minutes to complete a visual hack in 45% of the hacking attempts.
Multiple pieces of information are hacked
An average of 5 pieces of sensitive information was obtained per trial. This shows that companies are not only likely to be hit, but to be hit from multiple directions at once.
Only 30% of visual hacking attempts were stopped. On average, 2.8 pieces of sensitive information had already been obtained per interrupted incident. The remaining 70% of visual hacking attempts went unnoticed or unobstructed by employees.