Ensuring physical privacy is as much a part of GDPR compliance as digital privacy. As a principle-based regulation, GDPR requires organisations to identify and assess the specific risks to personal data and mitigate them, rather than follow a prescriptive checklist. Unauthorised viewing of personal data is such a risk, so compliance is undermined just as much when someone has taken a photo of sensitive information displayed on a flatmate's laptop, read something confidential over a commuter's shoulder, or removed a confidential document from an unguarded briefcase in a café, as when a server is compromised.
With so many stories about networks being hacked, physical security is at risk of being overlooked, yet it remains one of the simplest ways for data to leave an organisation. People working from home are obliged to protect company data in all its forms, on paper as well as on screen. As people return to open-plan offices or are allowed to work from shared offices or public places, the risk of visual privacy breaches is likely to increase.
When 3M sat down with Enza Iannopollo of Forrester Research in the run-up to GDPR’s introduction in 2018, she said, “All it takes is some sensitive customer or employee data being exposed to the wrong set of eyes to result in a potentially highly detrimental—and highly publicised—data breach. Visual privacy is not just about meeting compliance requirements, it’s about protecting a firm’s most valuable assets.”
Beyond GDPR, visual privacy measures are either explicit or implicit in a variety of other regulations and industry standards across healthcare, education, legal, financial services and the public sector. Visual privacy improvements are also often included in an organisation's efforts to achieve ISO/IEC 27001 certification, where clear-desk and clear-screen practices are among the expected physical controls.
Compliance is not the only driver for adopting better visual privacy measures, as organisations of all kinds realise that what is often referred to as 'visual hacking' is relatively easy and fast to carry out. Putting a precise figure on the number of data breaches caused by visual hacking is impossible, since most are never detected or reported, but various studies and anecdotal evidence indicate that the potential scale is vast.
For example, in 2016, security specialist The Ponemon Institute carried out the Global Visual Hacking Experiment, which was commissioned by 3M and involved a white hat hacker posing as a temporary office worker in eight countries (with the permission of the companies involved). There were 157 trials in total, all of which took place in full view of other office workers, and involved obtaining sensitive or confidential information, by: walking through an office looking for information on desks, monitor screens, copiers and printers; taking a stack of business documents labelled confidential from a desk and putting them in a briefcase; and using a smartphone to take images of confidential information displayed on computer screens.
The trials were successful in an average of 91 per cent of attempts, with approximately half taking 15 minutes or less. Worryingly, the white hat hacker was challenged in only 30 per cent of all attempted visual hacks.
Those trials took place in open-plan offices, but the risk of visual privacy breaches also extends to public spaces. This is supported by another Ponemon Institute study for 3M: in the Open Spaces survey, nine out of ten people questioned said they had caught someone looking at data on their laptops.
Time to take steps
Visual privacy is relatively easy, fast and cost-effective to improve. An obvious first step is making sure that everyone within an organisation is aware that visual privacy is part of GDPR and other compliance requirements, and of their responsibilities to mitigate potential risks.
Visual privacy measures need management support if they are to work across a wide variety of job functions, including IT, facilities management, risk officers, legal and finance. Office staff should feel it is appropriate to politely challenge anyone they do not recognise, who is not wearing appropriate ID, or who is in an unauthorised part of a building.
Some other steps are very straightforward, such as reinforcing clean-desk policies and locking confidential documents in cabinets. Printed material should not be left in copier, fax and printer trays. If not already activated, the 'pull printing' feature found on many modern multi-function printing devices holds a job on the server and only releases it at the device once the intended recipient has authenticated there, for example with a badge or PIN, so documents are never left waiting in an output tray.
It should go without saying that, when working in public or in shared offices, it is important to be careful. A quick trip to the coffee counter may give someone else enough time to view, record or extract confidential content. Use lockers where available, put locks on briefcases, and make sure that any unattended digital devices do not have 'live' or accessible screens.
Finally, protect information on screens: enforce automatic screen locking and short screensaver timeouts, with a password required to resume, to reduce the amount of time a screen is unnecessarily visible. A screensaver that does not lock the session hides the data only until someone touches the keyboard. In public places, encourage employees to angle screens away from onlookers and to sit with their backs against walls, rather than in the middle of the room in view of passers-by.
Of course, there are occasions when it is not possible to hide a screen, especially when working in public, so consider applying privacy filters on monitors, laptops, tablets and smartphones. On-screen data is then only visible straight-on and at close range; from wider angles onlookers just see a darkened image. Note that a filter narrows the viewing angle rather than eliminating it, so it does not protect against someone standing directly behind the user, and it complements careful positioning rather than replacing it. The latest generation of these filters can also be flipped up or down, depending on whether or not someone wants to share their screen with a colleague or customer.
Achieving GDPR compliance and improving data protection and security overall has multiple layers, of which reducing the risk of visual hacks is just one. However, it is also one of the most addressable, so building better visual privacy into GDPR efforts and other risk management policies makes sense for any organisation.
Written by Dave Williams, 3M.
The post Ensuring visual privacy is part of GDPR compliance appeared first on PrivSec Report.