Accessing emails and corporate data on the go can led to serious data breeches through shoulder surfing

09 February 2010

When working on laptops in public places, users are generally unaware of the activity going on in their surroundings, making them vulnerable to curious bystanders, opportunistic criminals or even practiced experts peering over their shoulder to read or record on-screen information. Being the victim of shoulder surfing can make laptop users feel uncomfortable and can impede work productivity if it means shutting down and closing the laptop as a result of being observed.

According to research commissioned by 3M United Kingdom plc in 2007, there is an 80 per cent chance that laptop users have already been a victim. Almost a quarter of UK computer snoopers do it for the opportunity to read people’s business emails and 16 per cent are trying to get a glimpse of someone’s company documents.

The effective management of private, personal and confidential information is an ever increasing concern for international organisations large and small, as factors such as remote working, global travel, public wi-fi availability and the explosion in laptop sales combine to put their employees under imminent threat from data exposure. While on the one hand this threat stems from the indifference of many employees to the security risks posed by use of company laptops in public places, on the other hand many organisations are failing to educate their workforce on best practice for maintaining and improving data protection compliance.

According to a British Standards Institution (BSI) 2009 survey, of over 500 small and medium businesses, almost one in five has unwittingly breached the Data Protection Act (DPA) at least once. 65 per cent provide no data protection training for their staff and nearly half admit that there is no one in their business with specific responsibility for data protection. 15 per cent are not confident that their data sharing practices conform to the DPA and worryingly, almost 5 per cent frequently share data regardless. Furthermore, 18 per cent said that data protection is less of a priority in the current economic climate.

On the contrary, data protection has never been so important and organisations should not let down their guard. Loss of data – whether it is sales and marketing plans, legal cases, customer names, purchasing details, human resource information, salary scales or proposed redundancies – can have potentially damaging consequences to competitive edge and credibility leading to serious financial consequences, loss of customers and reputation.

The number of data breaches and the costs involved for UK organisations is rising at a staggering rate. This trend is reflected in a Ponemon Institute study released in February 2009 (2008 Annual Study: Cost of a Data Breach), which examines the costs incurred by 30 UK organisations from 10 different industry sectors after incurring a data breach. The study found that the total average costs of a data breach grew to £60 per record compromised - an increase of 28 per cent since 2007 (£47 per record). The average total cost per reporting company was more than £1.73 million per breach (up from £1.42 million in 2007) and ranged from £160,000 to over £4.8 million.

The Information Commissioner’s Office (ICO) has called the amount of data being stolen, lost in transit or mislaid by staff “unacceptable”. Around 33 European countries have passed some form of privacy and data protection legislation, and many of these have a requirement for notification to either the regulatory authorities or those affected by the breach. In the UK, under current legislation, the individual inside an organisation charged with implementing the DPA is responsible for notifying the ICO of any significant breach and deciding together whether there is a need to notify any potential victims. From 2010, companies that recklessly or deliberately break the data protection rules will face fines of up to half a million pounds.

So what measures can be implemented by organisations to defend against losses that can never be quantified? As a first line of defence for employees using company laptops while travelling or in public places security filters that help guard the laptop screen are a simple and cost-effective privacy tool. Such screen filters are ideal for shoulder surfing prevention and help improve data protection compliance. They are easily fixed to laptops, can be removed or replaced instantly and laptops can be closed with the filters in position. They work by restricting the viewing angle of laptop displays so that only users positioned directly in front are able to see the data.

The shoulder surfing threat does not only lie in wait outside the office, there is an internal threat in open plan offices as well. By specifying these simple on-screen privacy tools in their security policies, backed up by clearly defined defence strategies, organisations can tighten up on data privacy and ensure effective, practical implementation throughout their mobile and office-based workforce.

3M are exhibiting at Infosecurity Europe on 27th – 29th April at Earl’s Court, London, www.infosec.co.uk.