The 2016 Global Visual Hacking Experiment has revealed that low-tech hacking methods involving little or no technology are alarmingly effective. Sensitive information was successfully compromised in 91% of the hacking attempts conducted during the experiment.
Participants in the experiment included 46 companies from eight countries: the United States, China, France, India, Germany, Japan, South Korea and the United Kingdom. More than 150 trials were conducted.
In each, a white hat hacker was granted access to a company in the guise of a temporary worker. The worker was given a valid security badge, but otherwise the employees of the company were unaware that they were participating in a security experiment.
The goal of each trial was to determine how much sensitive information could be gleaned simply by looking at computer screens, devices, and documents, a technique known as “visual hacking.” The undercover hacker walked around each office environment observing information written on printed documents, displayed on computer screens, and accessible through printers and scanners. In some instances the hacker took documents marked as confidential and placed them in a bag. In other cases the hacker photographed screens using a smartphone. Every action was taken in full view of the company’s employees.
The experiment reveals a troubling and often overlooked aspect of cyber security and corporate espionage. In spite of significant investments in technology and human resources dedicated to securing cyber assets, those assets remain vulnerable to some of the simplest methods of theft. Physical security of not just facilities but sightlines is revealed to be a priority that most enterprises neglect. In 52% of the trials, information was available simply by observing computer screens.
Of the information stolen, 27% was deemed to be sensitive. This included login credentials, documents confidential under attorney-client privilege, classified information, and financial information. In 49% of the cases it took less than 15 minutes to complete the first visual hack.
Employee complacency was also revealed to be an issue. In 68% of the trials the undercover hacker was never confronted and their activities were not reported afterwards even when suspicious or unusual activity was directly observed.
The layout of the office has a direct impact on the effectiveness of visual hacking. Offices with cubicles restrict at least some access to documents and screens. Open floor plan offices, by contrast, invite and facilitate covert observation and access. Companies with privacy protection measures in place experienced 26% fewer visual privacy breaches.