From Hacking Systems To Hacking People

New low-tech attack methods like ‘visual hacking’ demand an information security environment that values data privacy and a self-policing culture.

Larry Ponemon, Chairman and Founder, Ponemon Institute, and 3M Privacy Consultant

February 24, 2015

Source: 3M Visual Hacking Experiment

Forty-four trillion gigabytes. That’s the anticipated size of the “digital universe” by 2020, according to the IDC Digital Universe Study. Encompassing all data created, replicated, and consumed in a year, this digital universe is largely created and used by a company’s workforce, yet the task of protecting that enormous volume of data from attackers falls largely to IT security teams.

Data security professionals have built up sophisticated defenses against hackers who target company networks and systems with high-tech attacks. However, as we layer cryptography with firewalls, intrusion detection systems, and other controls, attackers will look for a new way in to proprietary company information, and I believe we’ll soon see a profound shift from malicious parties hacking systems to hacking people.

It’s no secret that human error is a weak point in the data security pipeline. Ponemon Institute recently completed new research that illustrates just how easy it can be to hack people through visual hacking: a low-tech method of capturing sensitive, confidential, and private information for unauthorized use. During the 3M Visual Hacking Experiment, a white hat hacker was sent into the offices of eight companies across the U.S., under the guise of a temporary or part-time worker, to try to obtain sensitive or confidential information using only visual means. The information captured included employee contact lists, customer information, corporate financials, employee access and login credentials, and other information about employees.

The findings shed light on the potential impact of hacking people: in 88 percent of attempts, the white hat hacker was able to visually capture sensitive information from a worker’s computer screen or from hard-copy documents. With identity and access information or login credentials (really, the “keys to the kingdom”) in the hands of the bad guys, corporate data is at serious risk of a much larger breach. Unfortunately, these hacks generally happened quickly (63 percent took less than half an hour) and went unnoticed (in 70 percent of instances, the visual hacker wasn’t stopped by employees, even when using a cell phone to photograph data displayed on a worker’s screen). Because it leaves no trace on the network, visual hacking is a stealthy threat vector to guard against, and it grows as employees become more mobile and data is accessed not only in the office but also in public places like airport lounges, public parks, and coffee houses.

However, visual hacking is just one example of hacking people. Employees can also be targeted through other relatively low-tech means like social engineering and spear phishing. Insider threats are an increasing area of concern as well. As reports that the high-profile Sony attack was possibly aided from the inside suggest, employees driven by contempt for their employers or motivated by monetary gain have the knowledge and the means to defeat many of the data security measures companies have in place.

Looking to the future, what can companies do to mitigate the risk of their people being hacked? Protecting against these threats will require new thinking and a greater commitment from the workforce at large. Defenses against network attacks are largely passive from the worker’s point of view and can usually operate with minimal interference in day-to-day tasks. Protecting against attacks on people, by contrast, requires IT security teams to build a consistent and robust defense-in-depth plan with increased buy-in from employees across all levels and functions.

A shift in corporate culture toward an environment that values data privacy and security is imperative. Focus on changing people and their behavior so that protecting company data is understood to be everyone’s responsibility. IT security teams must work with leadership in every area to encourage candor, including praising employees who point out holes in data security plans or report colleagues with possibly nefarious intentions. A self-policing culture can help mitigate risk, as can a thorough review of which data each job function and level actually needs access to, so that a captured credential exposes no more than that role requires.
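As an added illustration of the access review recommended above (example code written for this page, not from the article or Ponemon Institute), the script below compares each account’s entitlements against a baseline of what its function and level need and flags the excess, ranking highest any surplus grant to a data set that would hand an attacker the “keys to the kingdom.” Every role, data set, and account in it is constructed for the example.

```python
from dataclasses import dataclass

# Baseline: the data sets each (function, level) genuinely needs.
# Constructed for this example; a real baseline comes from data owners.
ROLE_BASELINE = {
    ("finance", "analyst"): {"corporate_financials"},
    ("finance", "manager"): {"corporate_financials", "customer_billing"},
    ("hr", "generalist"): {"employee_contact_list"},
    ("support", "temp"): {"customer_tickets"},
}

# Data sets whose exposure gives an attacker broad access (assumed list).
HIGH_VALUE = {"vpn_credentials", "admin_console",
              "corporate_financials", "customer_billing"}


@dataclass(frozen=True)
class Account:
    user: str
    function: str
    level: str
    grants: frozenset  # data sets the account can currently read


@dataclass
class Finding:
    user: str
    excess: set       # grants not justified by the role baseline
    severity: str     # "high" if any excess grant is high-value
    reason: str


def review_access(accounts, baseline=ROLE_BASELINE, high_value=HIGH_VALUE):
    """Return one Finding per account whose grants exceed its role baseline.

    Accounts whose function/level has no baseline at all are reported in
    full: nobody has said what that role needs, so every grant is unjustified
    until someone does.
    """
    findings = []
    for acct in accounts:
        needed = baseline.get((acct.function, acct.level))
        if needed is None:
            excess = set(acct.grants)
            reason = "no baseline for this function/level; justify every grant"
        else:
            excess = set(acct.grants) - needed
            reason = "grants exceed role baseline"
        if not excess:
            continue  # least privilege holds for this account
        severity = "high" if excess & high_value else "medium"
        findings.append(Finding(acct.user, excess, severity, reason))
    return findings


# Constructed sample accounts, including a temp worker like the one in the
# experiment described above who holds a grant far beyond the role.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", "analyst",
            frozenset({"corporate_financials", "employee_contact_list"})),
    Account("bob", "support", "temp",
            frozenset({"customer_tickets", "vpn_credentials"})),
    Account("carol", "hr", "generalist",
            frozenset({"employee_contact_list"})),
    Account("dave", "sales", "rep",
            frozenset({"crm_pipeline"})),
]


def run_review():
    """Run the review over the constructed sample and return the findings."""
    return review_access(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for f in sorted(run_review(), key=lambda f: f.severity != "high"):
        print(f"{f.severity.upper():6} {f.user}: {sorted(f.excess)} ({f.reason})")
```

The point of treating a missing baseline as a finding rather than silently skipping the account is that the roles nobody has documented are exactly where stale or over-broad grants accumulate. Running such a comparison on every role change, and not only at hire time, is what keeps the list of people whose screen is worth photographing as short as possible.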

Companies can also give employees tools that make them harder to hack. In the case of visual hacking, provide privacy filters for device screens and lock boxes for physical documents to shield information from wandering eyes. Finally, policies and procedures should include measures that protect against attacks on people. Employee training sessions on these threats and an ongoing communication plan reinforce the company’s commitment to safeguarding confidential information.

As technology progresses, the digital universe will keep expanding at an exponential pace. By defending people as well as systems, however, IT security teams can keep up with the growing number of cyberattacks ahead.

About the Author(s)

Larry Ponemon

Chairman and Founder, Ponemon Institute, and 3M Privacy Consultant

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a privacy consultant for 3M. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Dr. Ponemon receives compensation from 3M in connection with his participation as a privacy consultant.

