Users who are otherwise careful to protect their information often fail to protect confidential information they display on computer screens from shoulder surfers. According to a recent survey, more than half of employees fail to protect their data despite admitting that they are able to read the confidential information of …
They told you that?
"Barclays Bank, for example, makes use of computer privacy panels that mean that only someone directly in front of a computer is able to see its screen"
hahaha. yeah, right.
Not the only weakness
Many companies rely on technology to protect their assets - and completely or almost completely ignore the process and the people surrounding that technology.
Password sharing is rife in some companies.
Too many companies do not educate employees on security policies ("Oh, they're out on the 'net somewhere. You should go read 'em".)
Too many companies do not employ sanctions for breaching policy.
Too many companies do not employ SIEM tools or the processes to make good use of them.
Too many employees walk away from terminals that they're logged in through.
Too many employees talk too much, in public places, about their companies' security weaknesses.
And on, and on, and on.
A tool is only a tool. Having a tool does not mean you're doing a good job.
If you can't trust your co-workers, and vice versa, your company has bigger problems.
Like I'm really going to talk about the XBox-360 stock trading program my co-worker is writing...
Actually, HR and Accounting are to blame, because when everyone had private offices, the chances of someone looking over your shoulder without you knowing were zero. Of course, cube farms allow you to save on drywall, paint and mahogany veneer furniture. Oh, and floor space.
"IT security professionals polled were aware of the threat posed by a visual data security breach, the vast majority (82 per cent) had little or no confidence that their workers were doing anything to prevent their data from being viewed whilst working in a public environment."
All this proves is that IT types have a holier-than-thou attitude.
Pint because "working lunch" sounds so much better than "off down the pub"
Holier than thou or realistic?
I've only worked in one company where not locking your desktop was considered a verbal warning and then written warning offence.
People are trained to think of security in certain ways, e.g. watch out for dodgy websites and viruses, which makes them think that as long as that's covered everything is secure, etc., and they often don't think any further than what they are taught.
True conversation I have had with a gov client whilst sorting out a problem.
Client: "Do you have security clearance to work on this?"
Client: "Really? Because this is high-level security information and you would have to be vetted."
Me: "I have access to your system, and everyone else's in your office and building. I have to be security vetted to get that level of access."
Client: various versions of rinse and repeat about me being cleared to see their information.
Goes on this way for several minutes
Me: "All fixed, you should have no problems now."
Client: "OK, can you make sure my secretary can access it all as well?"
Me: "Does she have clearance?"
Client: "No, but it's my secretary. I usually just let her have my password, but it would be easier if she can just see it on her computer, and whilst you're here...."
Anyway, I locked down the system and reported it as a security breach, but I have no faith in the human elements of security.
Give me strength
"The UK government has rolled out policies to guard against further visual data security breaches. For example, new recruits to the Treasury are briefed on the importance of visual data security as part of their induction training"
So these arseholes are smart enough to work for the treasury but too dumb to realise that other people might see their confidential information on screen in a public place? Spitting Image would have had a field day with stuff like this.
Good News Is No News?
I know it's more exciting to read about major online banking thefts and irate Halifax ATM clients, but it would be even nicer to not read about it again.
There's not a lot anyone can do to protect confidential data visible on the screen, but it is possible to make user authentication proof against spy cameras, keyloggers and other nasties. Traditional stuff, like PIN numbers, passwords and user IDs, just doesn't work these days. Look at the ATM and online banking fraud figures for Europe and the U.S.
Two U.S. banks and one in Hong Kong are currently implementing a solution called 'SeelPlatez', which is unhackable, uncrackable (and cheap...)
Picture this scene:
• Your ATM card is stolen, on the back of which you have written your PIN number.
• Together with this, they stole the piece of paper on which you wrote your online banking User ID and password.
• To make things worse, a spy camera watched your last access.
• A keylogger also recorded each keystroke.
• So did a network snooper.