Digital Evidence Articles

Visual Hacking a Threat Most Miss


The Ponemon Institute, based in Traverse City, MI, recently investigated the ability of researchers to collect sensitive information from 43 corporate offices. The study was sponsored by 3M Corporation, a publicly traded company headquartered in St. Paul, MN. Here are some of the results:



Hacking & Hacker Definitions:

Visual Hacking: A low-tech method of collecting information. The hacker visually captures sensitive, confidential and private information (for example, by reading screens or documents left in view) for unauthorized use.

White Hat Hacker (“Ethical Hacker”): A person who hacks for good, finding vulnerabilities in their own or another organization’s systems and reporting them so they can be fixed.

Black Hat Hacker: Someone who hacks for malicious purposes or personal gain.

The Ponemon researchers carried valid temporary employee identification for seven corporations. Management at each corporation knew the research was taking place; the office staff did not.

In 88% of the offices, the visual hackers were able to collect sensitive organization information. They did so simply by wandering around the offices.

The visual hackers spent up to two hours in each office. In general, the researcher wandered around, collecting documents marked “Confidential” and taking pictures of computer screens. The collected documents were put directly into the researcher’s briefcase, in full view of regular employees.

In the vast majority of the offices, the regular office staff did not ask any questions or challenge the interloper in any way. Across the 43 offices visited, the hacker was confronted by employees only seven times while using a phone or camera to take photos. While collecting confidential documents to steal, the Ponemon hackers were confronted by a company employee only four times. While looking at items in people’s workspaces, at computer monitors, and at printers, copiers and fax machines, the intruder was challenged only twice.

In only one office was the activity of the white hat hacker reported to management.

In about half of the locations investigated, it took the investigator less than 15 minutes to find and collect sensitive information. A black hat hacker may have more or less time in the office, but a malicious insider could have all the time in the world.

Information collected included employee directories, customer information, financial data, access and login credentials and confidential documents. In one location, a researcher operated an employee’s computer, displayed an Excel spreadsheet and took a picture of it with a cellphone.

In open offices with cubicles, the researchers were able to gather more information than in offices where private offices were more prevalent. Customer service, communications and sales management areas were the most vulnerable to visual hacking, while legal, accounting and finance areas were the least vulnerable. Interestingly, IT help desk and data center operations areas fell roughly in the middle. In Research and Development departments, however, the hackers were not able to collect sensitive information.

Companies fared better where awareness and mandatory training were part of employee education. Organizations that had clean desk policies, standardized document shredding policies, and suspicious activity reporting processes were also much more secure.

Evidence Solutions’ experts believe education is key. Share this newsletter and take the time to educate your staff and employees. It will pay big dividends in the long run.

Evidence Solutions, Inc. offers training courses in Data Security, Social Engineering, Hacking & Data Loss Prevention and more. To schedule your employee training session:


Experts on this topic: Scott Greene (Digital Evidence)
