Next time you're sitting at your neighborhood Starbucks surfing the Web and you get that sense that somebody is watching you--take heed. They probably are. Using a computer in public comes with the added risk that those nearby may be able to glean sensitive information by casually viewing your display over your shoulder.
The snooping may not be as obvious as you might think, either. The interloper does not need to be breathing down your neck. Someone across the room may not be able to read the data on your screen directly, but they can still take a photo of your display with a mobile phone. Most mobile phones have fairly high-resolution cameras capable of zooming in to reveal tremendous detail not visible to the naked eye.
An excerpt from the Visual Data Breach Risk Assessment Study prepared by People Security paints an ominous picture. "At a large IT conference we conducted an experiment by offering attendees free internet kiosks, some equipped and some not equipped with privacy filters. We found a general apathy for privacy concerns. A quarter of users (26 percent) accessed corporate email from the machines, representing a significant risk as the kiosk was specifically arranged so that screens were highly visible to other attendees passing by. Also, only 35 percent of kiosk users chose the machines with privacy filters. This was in sharp contrast to the results of the survey where 80 percent of respondents said that they would choose the privacy filter equipped machine in similar circumstances."
The People Security report declares, "This shows a significant gap between what people believe about privacy and how they actually behave. Of the 35 percent of people that chose the privacy filter equipped machines, 18 percent accessed corporate email. Interestingly, among the 65 percent of people that chose machines without privacy filters 37 percent of those people accessed corporate email. This means that if a user chose an unprotected machine then they were twice as likely to display corporate information on it. These results show that there is significant risk to businesses that comes from employees making poor choices in how they access and display sensitive information."
These findings are even more concerning when you consider that 70 percent of those surveyed stated that their company has no explicit policy regarding working or accessing corporate data in public places. Only 16 percent claim that their employer frowns on working in a public place.
Meanwhile, more than half of the respondents work outside of the office for five or more hours each week. A third work outside of the office for ten or more hours per week--and it's safe to say that at least some of that work is being conducted in hotel lobbies, coffee shops, and other public areas where free wireless network access is available.
The Firesheep add-on for Firefox has given even novice snoopers a tool for spying on unencrypted wireless data at public Wi-Fi hotspots. Combined with the revelation that data displayed on your PC might be exposed to casual snoopers, it is increasingly apparent that users should not access corporate e-mail, bank or credit card accounts, or other sensitive resources while in public.
IT admins need to consider the risks of exposing data in public places, and the potential that sensitive information might be compromised by nearby snoopers. Organizations should ensure that users are aware of the threat from snoopers, and develop official policies regarding conducting business in public places.