Security Experts:

Screen Watchers Are Real And You're Handing Out Your Information

3M, the company that makes those nifty privacy filters for computer screens and mobile devices, has recently released a quick study that reminds us all that the screen watchers are out there, and they can see the data you’re willingly (albeit unintentionally) sharing with the world. How much of that data would be considered sensitive?

Screen PeepersImagine this; you’re out in the world working as normal. You’re a regional sales manager for an information security company, and as it happens you need to do some work on the flight to wherever it is you’re going. You check your email; you book a white minivan as a rental, and then address some paperwork as you deal with the sales forecast for the fourth quarter of the fiscal year. While you’re doing this, someone who also works in information security industry is sitting rather close, and they can see everything you’re doing. To make matters worse, they work for a rival – but at the very least you’ve just shared potentially sensitive information with a stranger.

Snooping Passengers“If you don't have a privacy screen, I'm going to read your email,” commented RSA’s global CTO of Technical Marketing, Branden Williams, on Twitter recently. “ESPECIALLY if you are a regional sales manager for a company in the industry,” he added moments later.

That imaginary scenario actually happened, exactly as it was mapped out, and Williams witnessed all of it. It’s pure coincidence that the situation fit perfectly within a story focusing on a recent 3M study on a product that could have prevented it. Yet, it proves the data from a similar study in 2011 conducted by People Security, which stated that two-thirds of employees expose sensitive data outside the workplace. The 2011 study revealed that two-thirds (67%) of working professionals surveyed had worked with some type of sensitive data outside the office, including highly sensitive information such as customer credit card numbers (26%); customer social security numbers (24%); patient medical information (15%); and internal corporate financial information (42%).

Further, the study revealed that there is a significant gap between risk and corporate policy to prevent visual data breaches. Seventy percent of those surveyed said their company had no explicit policy on working in public places, and 79 percent reported no company policy on the use of privacy filters to prevent visual data breaches.

According to new data taken recently by 3M, 43% of the 1,000 Americans surveyed said that they glance at a stranger’s screen. The responses ranged from hardly ever (while admitting that they did), to some of the times, and all of the time. Yet the same group is clueless (as are most of us) when it comes to watching the watchers; as 76% of them said they’ve never noticed a stranger looking at the screen on their mobile device.

When it comes to what they’ve seen, including the example previously mentioned, some of the things displayed to the world by unassuming mobile workers include social media, email, private photos, bank details, and work-related materials.

“Companies know they need to protect confidential information, but the threat of a visual data breach has historically been low on the priority list,” said John Stoxen, 3M Director of Business Conduct and Compliance.

This is true, yet organizations often offer the option of a privacy screen or include it with new laptop or other mobile device assignments. Unfortunately, the lack of convenience (they can be a hassle on phones, and if the laptop is overheating then the situation can turn ugly) means they are seldom used. And, as mentioned, there’s no real policy enforcement for their usage, but that can be dependent on the industry.

The best bet is to train mobile workers (which is the entire workforce if you’re realistic) to be aware of those around them, and to avoid working on sensitive data in crowded places or enclosed spaces (airline travelers especially). Yet, that always seems easier said than done.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.