If you’re working with potentially sensitive data in a public location, you need to consider that other people may be able to see what’s on your screen.
ISO 27001 control A.6.2.1 requires that an organisation takes things like this into consideration when using portable computers, such as smartphones and laptops, particularly in a location that isn’t known to be secure.
Have you ever looked at someone else’s smartphone or laptop? I have. Not to steal any sensitive information; I’m just curious to know their operating system, their web browser, and so on.
I know I’m not the only one. In fact, I don’t think everyone even realises how cheeky they’re being when they do it.
Perhaps you would never look at someone else’s computer – but that doesn’t matter. Lots of people do it – I’m sure most are drawn to bright screens, for one reason or another – and at least a few have probably looked at your devices.
Most of the time, when someone glances at your screen, they don’t really have any bad intentions. However, obviously, this isn’t always the case.
You’re checking your work emails on a crowded train. Your carriage, alone, is carrying well over 100 people – and probably about 15 can easily see your screen. This doesn’t sound like much, but when you consider that this is per journey, it quickly adds up.
Are you willing to trust that each and every one of those people will do nothing with the information on your screen? Do you trust that anyone who does get a glimpse of sensitive data, will just forget about it?
Up until now, I’ve been implying that all shoulder surfing mostly happens over a short distance; I’ve been implying that it is done, primarily, by people immediately surrounding the victim. This isn’t always the case.
You mustn’t forget about binoculars. You can buy a pair on Amazon for less than £20, and have them delivered to your door tomorrow.
There are also hidden cameras, and even cameras hidden in plain sight – CCTV cameras. It might be easy to assume that you can at least trust CCTV operators and security personnel, but this isn’t always a given.
When you’re using a computer in any sort of insecure location, it is best to assume that someone is watching your screen, even if you can’t see them. You should recognise the possibility of someone stealing private information.
With that in mind, within reason, you should only show the shoulder surfers data that you don’t really care about them viewing. This may not always be possible or practical, but at the very least, being mindful of these things is generally a good idea.
If you want to view personal information, such as your bank account, use your personal discretion. For example, you probably wouldn’t want someone seeing your full transaction history, but perhaps just your bank balance isn’t such a big deal.
When it comes to corporate data, in general, it is probably best to err on the side of caution. If you want to deal with company emails on the train to work, consider that you could just wait 15 minutes and do it at your desk instead.