The Inside Job: How to Stop Attacks from Within

Andrea Danti/

Internal threats can use alternative tactics such as visual hacking to target sensitive data.

Mari Frank is an attorney and certified privacy expert and the author of the “Identity Theft Survival Kit,” “Safe Guard Your Identity,” “From Victim to Victor,” and “The Guide to Recovering from Identify Theft.” This column has been written on the behalf of the Visual Privacy Advisory Council.

A stable employee base has become a thing of the past for many companies as workforces undergo dramatic changes:

  • Many jobs today are filled by contract or temporary workers. Nearly 26 percent of the average company’s workforce is now contingent in some sense, according to Aberdeen Group.
  • A steady and significant workforce exodus is underway, with roughly 10,000 baby boomers turning 65 every day from 2011 to 2030, according to Pew Research Center. 
  • The younger workers taking the place of retiring workers are less likely to be long-term employees. The median tenure of workers aged 25 to 34 is three years, significantly down from 10.4 years for workers aged 55 to 64, according to the Bureau of Labor Statistics. 

These factors, combined with increased globalization, have led to workforces less familiar with each other and less loyal to their companies. And while this shouldn’t provide cause for companies to be skeptical or untrusting of their workforce, it should provide an incentive for taking a fresh look at the issue of insider threats.

Already today, about one-third (34 percent) of IT and security professionals say they have experienced an insider incident or attack, according to SANS Institute. 

The Human Factor

Companies can be so focused on technology vulnerabilities, they risk overlooking human and insider threats.

At the same time, insider threats often use alternative tactics to steal sensitive or classified data, making them more difficult to detect. In fact, a recent survey of cybersecurity professionals by Crowd Research Partners found 62 percent said insider attacks are far more difficult to detect and prevent than external attacks.

One area companies should be especially mindful with when it comes to insider threats is visual privacy.

For example, visual hacking involves obtaining or capturing sensitive information for unauthorized use. This could include using a smartphone camera or wearable technology to record documents left on a printer or information displayed on a screen. It also could be as rudimentary as writing down employee log-in information taped to a computer monitor.

In today’s workforce, untrained employees or contractors can be especially vulnerable to such tactics. The workers may have good intentions, but they can be careless, thoughtless or simply unaware of how to protect sensitive information.

Addressing Visual Privacy

A visual privacy audit is the best place to start for addressing visual privacy risks from internal threats. It can help companies identify their key risk areas and evaluate security measures they already have in place as part of a visual privacy policy.

Some best practices in visual privacy include requiring privacy filters be fitted on all computers and devices used to access sensitive information. The filters blacken out the angled view of onlookers, and are available for the full range of monitor, laptop and mobile-device screens.

A clean-desk policy is another best practice. It requires employees remove sensitive documents and turn off device screens when they’re away from their desks. This applies not only when workers leave for the day, but also when they step away for meetings or lunch, or even a 2-minute bathroom break.

Copiers, printers and fax machines used to handle sensitive information also should be kept in secure rooms, and shredders or secured waste containers should accompany them.

To help drive home these efforts, visual privacy and insider threat awareness should be incorporated into security training, and then reinforced through a mix of ongoing refreshers and employee communications.