Understanding and Preventing Shoulder Surfing

Complex and high-tech hacking methods often attract significant attention. However, businesses must also remain vigilant against older, more straightforward tactics like shoulder surfing.

This attack involves malicious actors stealing sensitive information through observation techniques like looking over someone’s shoulder. When this happens, organizations’ data can be compromised, leading to considerable financial and reputational damage.

This article provides more information on shoulder surfing and offers tips on preventing it.

Shoulder Surfing Overview

Shoulder surfing represents a risk to a business’s confidential information. It can be conducted through no-tech means (e.g., someone peeking over an employee’s shoulder and writing notes on what they see), low-tech means (e.g., a malicious actor using binoculars to read confidential information from a distance) or high-tech means (e.g., a cybercriminal using a camera to record confidential data displayed on a screen or the keystrokes used to enter a password).

Threats can be present in public spaces (e.g., airports, libraries or restaurants) or shared or open workspaces (e.g., settings where the public can view employees’ work). For example, suppose an employee is working remotely from a coffee shop. In that case, a malicious actor can read information displayed on a phone screen, watch as the employee types passwords into a computer, eavesdrop on conversations or capture the PIN the employee enters to pay.

In workspaces, a client, customer or other outsider may be able to view sensitive information on a computer or overhear a conversation between unsuspecting employees.

Shoulder Surfing Consequences

Several consequences may result if an employee is a victim of a shoulder surfing incident. The perpetrator may gain unauthorized access to the business’s payment systems, confidential client information and intellectual property. In addition to compromising business data, the malicious actor could steal the employee’s identity and, subsequently, make unauthorized transactions and commit other forms of fraud.

These events could lead to costly regulatory penalties and fines, high investigation and remediation expenses, lawsuits and reputational damage that erodes trust with clients and partners.

Shoulder Surfing Prevention Measures

With the impacts that shoulder surfing can have, organizations need to take steps to prevent this type of attack from occurring. Strategies to consider include:

  • Provide regular employee education and training. Businesses should educate employees about the threats and impacts of shoulder surfing and train them to reduce the risk of being the victim of such an attack. Techniques that can mitigate the exposure include being aware of their surroundings, locking their devices when they are not in use, covering ATM and payment-terminal keypads when entering PINs, sitting with their backs to a wall in public areas, maintaining distance from onlookers while working in open spaces, lowering screen brightness so that the display is harder to read from an angle, disabling lock-screen previews of SMS messages so that one-time codes cannot be read by bystanders, and not verbalizing sensitive information around unauthorized individuals. Employees should also be encouraged to avoid completing sensitive tasks in public and to avoid using public Wi-Fi without a virtual private network.
  • Implement physical security measures. Several types of physical security measures, such as screen protectors and privacy filters, can be utilized to hinder shoulder surfing. Organizations can also arrange their workplaces so private information may not be viewable by unauthorized parties.
  • Utilize technological solutions. Technological safeguards cannot stop someone from watching, but they can limit what an observer gains. Businesses should consider multifactor authentication, so that a password seen over an employee’s shoulder is not sufficient on its own; biometric authentication, which leaves nothing for an observer to read or copy; password managers that fill in credentials rather than having the employee type them; and encrypted communication channels for work done on untrusted networks. It is also important to ensure security software is in place and updated.
  • Maintain cybersecurity policies and procedures. It is essential to ensure that cybersecurity policies and procedures are in place and clearly communicated to employees. The policies and procedures should also contain protocols for reporting suspicious activity.
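The multifactor recommendation above is easiest to appreciate with a concrete check. The following is an added example written for this article, not code from the original page: a small, self-contained Python simulation of a login that requires a password and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) using only the standard library. The secret, password and timestamps are constructed for the demonstration; the secret and two of the timestamps are the RFC 6238 test vectors so the codes can be checked against the standard. The scenario shows that a password and code read off a victim’s screen cannot be replayed in the same time step (the accepted counter is remembered) and do not work once the step has passed, and that neither factor works alone.

```python
"""Added example: why a shoulder-surfed password is not enough under TOTP MFA.

Constructed, self-contained simulation (not code from the original article).
Implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, then a
login check that also refuses replay of a code that was already accepted.
"""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


class Account:
    """Minimal server-side record: salted password hash, TOTP secret, replay guard."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-fixed-salt"  # fixed so the example is deterministic
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest TOTP counter already accepted for this account


def login(acct: Account, password: str, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept only a correct password AND a fresh, not-yet-used TOTP code.

    skew is the number of 30-second steps tolerated either side for clock drift.
    A counter that was already accepted is rejected, so a code observed over the
    victim's shoulder cannot be replayed even inside its own time step.
    """
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS), acct.pw_hash)
    counter = now // step
    matched = None
    for c in range(counter + skew, counter - skew - 1, -1):  # newest step first
        if c > acct.last_counter and hmac.compare_digest(hotp(acct.totp_secret, c), code):
            matched = c
            break
    if pw_ok and matched is not None:
        acct.last_counter = matched  # burn the counter so this code cannot be reused
        return True
    return False  # deliberately no hint about which factor failed


def shoulder_surf_scenario() -> dict:
    """Constructed scenario: attacker reads the victim's password and current code."""
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed demo value)
    password = "correct horse battery"  # constructed demo password
    acct = Account(password, secret)
    # skew=0 here so every attempt consults exactly one counter and every code
    # compared below is an RFC 6238 test vector, keeping the outcome reproducible.
    t0 = 1_111_111_090          # observation time, inside counter 37037036
    observed_code = totp(secret, t0)  # attacker reads this off the screen: "081804"
    results = {
        "victim": login(acct, password, observed_code, t0, skew=0),
        # same 30-second step, but the counter was already accepted above
        "replay": login(acct, password, observed_code, t0 + 10, skew=0),
        # later attempt: the observed code belongs to an expired step
        "later": login(acct, password, observed_code, 1_234_567_890, skew=0),
        # password alone, no second factor presented
        "password_only": login(acct, password, "", 1_234_567_890, skew=0),
        # fresh code guessed/observed but wrong password
        "code_only": login(acct, "wrong", totp(secret, 1_111_111_111), 1_111_111_111, skew=0),
    }
    return results


if __name__ == "__main__":
    for name, ok in shoulder_surf_scenario().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

Only the first attempt succeeds; the replayed, expired and single-factor attempts are all rejected. In production the secret would be stored per user, the password check would use a dedicated password hash such as Argon2 or bcrypt rather than bare PBKDF2, and the skew would be 1 (as the default) to tolerate device clock drift.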

Shoulder surfing threatens to expose sensitive data and can have significant financial and reputational consequences. Organizations must take proactive steps to mitigate this risk.
