How the open plan office is helping hackers


The open plan office has become increasingly popular for businesses. Closed-off offices and cubicles are fast becoming consigned to the history books, but this trend raises a very important question in terms of protecting sensitive information – just what data is exposed to hackers in the open plan office and how does the CISO manage this information security problem?

Last month, a study by AppRiver found that in practically every street visited in the City of London, home of many high-profile businesses and organisations, has at least one window (the good old fashioned glass variety) framing a user's screen on the first floor.

Just looking…

In fact, some of the streets surrounding Cheapside not only had screens noticeable on the first floor, but banks of them at street level too.

The research found that one corner, flanked by two different high-profile banking institutions, had over 150 screens between them on the ground floor, facing the street and just a few metres from the glass – half of which included a users' nameplate above the workstation. The firm says the practice leaves the organisations vulnerable to 'walk-by' data theft.

The survey found that hackers could potentially see credential 'log in' boxes, emails, what appeared to be corporate database entry screens and numerous 'documents' all visible to the naked eye. The study's findings point to a potential situation where a hacker with time and a zoom lens could potentially piece together the information needed to launch an attack against any of these organisations.

"Historically, if you wanted to rob a bank, you had to physically go into the branch and 'hold up' the staff. But with advances in technology, the money moved online and criminals simply followed," says David Liberatore, senior director of technical product management from AppRiver.

"As a result, and with the constant evolution of IT security enhancements, many of the virtual ways into these establishments are being systematically sealed with criminals looking for new ways to engineer their attacks and liberate the funds. What better way than collecting freely available information by looking through the physical windows of these businesses."

A minefield

Bob Massey, principal consultant of Compliance 3, a company that helps contact centres achieve and maintain PCI DSS compliance, says that as the open plan office can allow easy access to sensitive information, both basic and sophisticated methods and rules need to be implemented.

"Any open plan office has people walking around – some of these could be visitors, clients, job applicants, suppliers – any of which could take the opportunity to either capture data from conversations or pick up documents. To be safe, anybody in a location that they're not authorised to be in should be challenged, and sensitive or personal data removed from the equation," he says.

"The best businesses can do is make sure personal and payment data is inaccessible by staff. That means data is physically removed from the work environment and minimises the risks."