The most popular and comprehensive Open Source ECM platform
While businesses increasingly are beefing up security controls to prevent hackers from the outside from penetrating their computer systems, they often overlook their vulnerability from within their organization. Low-tech hacking techniques for gaining access to systems can be very effective.
3M recently conducted an experiment with the Ponemon Institute to uncover security vulnerabilities due to human factors. It turns out that people within an organization provide a variety of easy vulnerabilities for hackers to exploit. In the experiment, white cover hackers were sent undercover as a temporary or part-time worker into businesses. After only two hours of being on site, in 88 percent of the trials, the hackers successfully obtained sensitive information. Researchers wandered the area and were able to take pictures of computer screens and pick up and take document that were marked as “confidential”.
In 45 percent of the cases it took researchers only 15 minutes to gain access to sensitive information and in 63 percent of the cases it is less than half an hour. An average of five pieces of information were hacked per trial, information that included employee contact information, customer information, corporate financial information, and employee access and login information.
In one case, the researcher even opened an Excel spreadsheet on a computer and started taking pictures of it on their cellphone, but no nearby workers said anything. No one questioned what the researcher was doing.
Larry Ponemon, chairman and founder of Ponemon Institute, said that “in today’s world of spear phishing, it is important for data security professionals not to ignore low-tech threats, such as visual hacking. A hacker often only needs one piece of valuable information to unlock a large-scale data breach. This study exposes both how simple it is for a hacker to obtain sensitive data using only visual means, as well as employee carelessness with company information and lack of awareness to data security threats.”