How the open plan office is helping hackers

Guarding against visual hacking

Onlookers making a note of sensitive, confidential and private information is a major risk to organisations. Workers move around and change desks, making it all too easy for hackers to see things they shouldn't.

Jack Halewood, UK Account Manager of 3M Privacy Filters, points to research his firm commissioned which found there is an 80% chance that UK workers have already been victims of others reading over their shoulders.

"While it may be hard to pin down the contribution that 'visual hacking' makes to information leaks, the risk is real: after all, how many of us have been in a situation where we can easily overlook the content on someone else's screen?" he asks.

Halewood says he has heard of instances where information has been posted on social media as a result of someone's screen being viewed on a train, and of another case where a fellow passenger suggested a spelling correction to a senior executive reviewing a document.

"While these are examples taken from public working environments, given the fact that many organisations have open plan working – often with visitors, contractors or suppliers walking through the building – the 'insider risk' is clearly there," says Halewood.

Preventing hackers leaving the office with important files

Erik Driehuis, EMEA vice president of Digital Guardian, says that in larger shared spaces, employees don't always know all of their colleagues, so wouldn't necessarily be able to spot an imposter on sight.

"Whilst there is currently no technology that can protect firms from thieves willing to memorise documents or write them out by hand, there is technology that can protect the company data from unlawful removal, copying or destruction. This security sits on the files and documents themselves, blocking access to those without permission and preventing them being removed from the company server," he says.

He says he has heard of thieves converting a sensitive file into a JPG, changing its name, putting it in a ZIP file and burying it inside an unrelated folder, before trying to remove the whole lot from the server. In many cases, this would be a successful ploy. "However, if the sensitive file has been digitally stamped, then no matter how well hidden or buried it is, a thief would be blocked from transferring it onto a USB stick or emailing it outside of the company without permission," he says.

Checking employee behaviour

One of the most significant access control techniques that could help boost information security and minimise the usefulness of credential theft in an open plan office is behavioural analysis, says SecureAuth's CTO, Keith Graham.

"By continuously analysing aspects of the user's behaviour during normal use, including keystroke dynamics, cursor movement, window interaction, and by comparing this to a previous behaviour profile for that user, one can determine whether it's the legitimate owner of the credentials trying to access the system," he says.

Graham adds that if the legitimate user leaves a workstation unattended and an attacker attempts to use it, continuous authentication can recognise that the new behaviour doesn't match the previous behaviour and take action accordingly: raising an alert and/or locking the endpoint to prevent further unauthorised access, or stepping the user up and prompting them for a second factor.
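The comparison Graham describes, reduced to a minimal sketch. This is an added example, not SecureAuth's implementation or code from the article; the timing features (key dwell and flight times), the sample values, the thresholds and all function names are assumptions made for illustration.

```python
import math
from statistics import mean, stdev

# Constructed sample data: (dwell_ms, flight_ms) per keystroke.
ENROLMENT = [(95, 140), (102, 150), (98, 135), (110, 160), (90, 145),
             (105, 155), (99, 138), (101, 149), (97, 152), (103, 141)]
OWNER_WINDOW = [(100, 146), (96, 150), (104, 139), (99, 151), (101, 144)]
OTHER_WINDOW = [(140, 90), (150, 85), (135, 95), (145, 80), (138, 92)]


def build_profile(samples):
    """Per-feature (mean, standard deviation) from the user's enrolment data."""
    return [(mean(col), stdev(col)) for col in zip(*samples)]


def deviation(profile, window):
    """Largest per-feature z-score of the window mean against the profile."""
    n = len(window)
    scores = []
    for (mu, sigma), col in zip(profile, zip(*window)):
        stderr = max(sigma, 1e-9) / math.sqrt(n)  # guard against zero spread
        scores.append(abs(mean(col) - mu) / stderr)
    return max(scores)


def decide(score, step_up_at=3.0, lock_at=6.0):
    """Map a deviation score to an action (thresholds are assumed values)."""
    if score >= lock_at:
        return "lock_and_alert"
    if score >= step_up_at:
        return "step_up"  # prompt for a second factor
    return "allow"


def evaluate(profile, window, min_keys=5):
    """Score one window of recent keystrokes; skip windows that are too short."""
    if len(window) < min_keys:
        return "insufficient_data"
    return decide(deviation(profile, window))


if __name__ == "__main__":
    profile = build_profile(ENROLMENT)
    for name, window in (("owner", OWNER_WINDOW), ("other", OTHER_WINDOW)):
        print(name, round(deviation(profile, window), 2), evaluate(profile, window))
```

The middle band matters in practice: a moderate deviation triggers a second-factor prompt rather than a lock, so the legitimate user typing unusually is challenged instead of shut out.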

Educating users about the perils

With open plan offices now the norm, organisations need to have policies and procedures in place that define what information can be accessed and where, to safeguard themselves against hackers walking through the office.

After all, do you know who is reading this article over your shoulder?