It’s laughably low-tech, but shoulder surfing, or snooping over people’s shoulders to pry into the information on their screens, is increasing – and there’s a good chance it’s happening to you.
Originally, shoulder surfing involved bank PIN numbers being stolen, usually at ATMs or the supermarket. This old trick still works. The Christmas holiday saw two groups of alleged shoulder surfers appear in an Auckland court charged with fleecing elderly shoppers of tens of thousands of dollars.
These cases highlight a bigger problem that businesses need to guard against.
The proliferation of mobile devices, along with the growing culture of working in cafés, makes it easy for snoopers to pry into sensitive information on smartphones, tablets and laptops.
A while back, a senior UK public servant was caught napping on a commuter train while working on his laptop. A fellow passenger snapped the government secrets displayed on his screen and the Daily Mail duly reported on his carelessness.
Today’s bigger mobile screens make shoulder surfing on smartphones possible – a third of new smartphones now have screens larger than 5 inches.
Online tech news-site The Register says businesses are chucking away millions on anti-malware software, while ignoring shoulder surfing. Quoting a European Association for Visual Security report, The Reg said 71 per cent of employees had snooped on material someone else was working on over their shoulder.
Computer Forensics’ MD Brian Eardley-Wilmot says the problem is growing but could easily be tackled.
Referring to another report, the Ponemon Institute’s ‘2014 Cost of Data Breach Study’, he said over-the-shoulder snooping grew by 15 per cent in 2013. And the average cost of “visual hacking” to a company was now US$3.5 million.
“We may be talking US figures here but New Zealand is similarly affected,” says Eardley-Wilmot.
“This is data theft, clear and simple – whether it’s in a shop or a café. It is understandable that an elderly person might reveal their eftpos PIN number while shopping at the supermarket, but the prying into company information displayed on mobile devices – that can be dealt with.
“People may have to check their smartphone in public, or work on their laptop in a café, but there are ways of guarding sensitive information.
“Malicious outsiders aren’t the biggest threat. Careless data reveals in public are – and they can happen in the office too, with colleagues snooping over people’s shoulders,” says Eardley-Wilmot.
Indeed, a PC World survey found most data breaches to be the result of just such blunders. It discovered 27 per cent were the result of snooping and only 12 per cent the result of external hacking.
Protecting your data from shoulder-surfers
There are some simple steps you can take to protect yourself, says Eardley-Wilmot.
“The simplest is to use a privacy screen. Someone looking straight-on will still see your screen, but anyone snooping from another angle will see nothing.”
Other strategies include:
- Building awareness of shoulder-surfing into the company’s IT policy. The ISO/IEC 27001 standard, which involves developing a systematic approach to managing sensitive company information, can help here. It covers people, processes and IT systems.
- Educating staff about the problem, so they know to prevent other people snooping – both in and out of the office. This is particularly important in offices with lots of visitors. Staff should also be aware that not all employees may be privy to confidential information.
- Using blank screens – this means having screens that switch off quickly when employees leave their desks. Requiring a new log-in if a computer isn’t used for several minutes is also important.
- Being mobile safe – a recent report found 69 per cent of people now work from a café at least twice a week. This means staff need to be aware of mobile privacy issues and how to work safely in public.