Organizations are rightly worried about exfiltration of sensitive or proprietary information, but one data-leak vector remains largely invisible and unaddressed by traditional data-loss-prevention (DLP) tools: employees using their smartphones to take photos of sensitive data displayed on computer screens.
Photographing data on screens may seem inefficient, but just last month three Iranian nationals were indicted for stealing trade secrets from Google and another Silicon Valley firm this way. Two of them had previously been caught using more "traditional" methods, like uploading files to cloud storage, before resorting to photographing screens.
The three were arrested because they were already on investigators' radar. But if one of your employees took photos of proprietary information displayed on their workplace computer's screen, how would you ever find out? How could you stop internal network diagrams, confidential financial reports, or copyrighted software code from escaping into the wider world via smartphone photos?
DLP tools are powerless in such situations. They can't monitor what's being photographed, or which devices are doing the photographing. The IT team will get no alerts. The information in those photos will be transmitted to the employee's cloud account or kept in a back pocket or purse, and you'll be none the wiser.
"Traditional DLP loses visibility the moment sensitive data is on a screen," says Ron Wee, CEO and Co-Founder of digital-watermark provider AgileMark. "A smartphone camera is the simplest exfiltration tool ever invented."
Showing what you know
AgileMark offers a possible solution to this problem. The company creates software that embeds visible watermarks in every image displayed on a computer screen, revealing not only the system name of that machine and the name on the user account, but also the current time and date.
Any photos taken of that screen will include that metadata, providing a rich forensic trail and making it easy to trace photos back to the person who took them.
AgileMark can also encode those identifying details into a less obtrusive graphical mark rather than plain text, preserving traceability for investigations while reducing employee resistance to prominent name-based watermarks.
However, AgileMark's software doesn't stop someone from taking photos. Short of confiscating employee phones at the door and turning your workplace into the sort of sensitive compartmented information facility (SCIF) you'd find in the White House or the Pentagon, your employees will remain free to take as many photos as they want. And of course, such policies would have no effect on employees working from home.
That's why AgileMark stresses deterrence as a substitute for prevention. The theory goes that if employees can see their own names in the images on the screen, they'll think twice about taking photos of those images and no data will escape.
"Psychological deterrents [can] discourage unauthorized photography," writes Wee in a blog post, "by making potential data thieves aware that their actions are being monitored."
The elevation of accountability
In the same blog post, Wee takes the traditional "CIA triad" of data security — confidentiality, integrity and availability — and adds "accountability" as a fourth component.
That's an interesting twist, and it dovetails with current efforts to make AI agents "accountable" by assigning humans to be responsible for them. Someone who's personally liable for security lapses will take greater care to make sure security policies are enforced. Or, as the AgileMark website says on the front page, "when security is visible, people behave differently."
Along the same lines, AgileMark says its software "nudges" users with on-screen alerts when risky conditions arise, such as when a laptop uses public Wi-Fi without a VPN or similar security measures. It will also do so, Wee says, when the user engages in potentially risky behavior, targeting the employee with "micro-interventions."
For Wee, such deterrence will be essential to cybersecurity going forward. It may be the best way to defeat low-tech means of exfiltration such as smartphone photo-snapping.
"The future of cybersecurity isn’t just detection. It's behavioral correction," Wee says. "We're not adding more alerts. We're reducing the need for them."