When it comes to cyber security, people are the biggest problem. Or, you could make that "problems."

At least machines or computers will do what we tell them to do – unless somebody else sneaks in and tells them to do something different. People, not so much – even if their intentions are good. They forget, get careless, get fooled or, in some cases, turn malicious.

And there are many different ways to fool them, which is why experts are essentially unanimous that the "human element" is the weakest link in the security chain.

The bad guys know this as well, of course, and with security technology improving, have focused on that weaker link: Instead of hacking the system, they hack the human.

The most common way to do it is through social engineering – tricking people into clicking on a link that appears to be from a legitimate vendor, on a legitimate website or in an email from a "trusted" source.

Indeed, it is social engineering that tends to be the major focus of security awareness training.

Larry Ponemon, chairman and founder of the research firm Ponemon Institute, doesn't take issue with that. But he contends that organizations and individuals need to focus on "visual hacking" as well.

Other experts, and Ponemon himself, agree that the shift has been under way for some time. Visual hacking is nothing new. It long predates the digital era. David Monahan, research director, security and risk management at Enterprise Management Associates, calls it, "the oldest form of hacking. It has existed since there were three people, something to write on and a secret two of them wanted to keep," he said.
"We usually call it shoulder surfing."

But most of the warnings about shoulder surfing are aimed at those who use their mobile devices in public places – airports, parks or coffee shops with free WiFi – where hackers try to pick up credentials or other sensitive information simply by looking at an unguarded screen.

Ponemon's post was more about visual hacking in the office. He wrote of a recent research experiment his company did, sending a white-hat hacker into the offices of eight U.S. companies, under the guise of a temporary or part-time worker.

"(I)n 88% of attempts, the white-hat hacker was able to visually hack sensitive information from a worker's computer screen or hard copy documents," he wrote. That information included, "employee contact lists, customer information, corporate financials, employee access and login information, and credentials or information about employees."

The hackers also succeeded quickly – 63% within a half hour.

Five tips to protect your data from visual hacking
- Be aware of your surroundings: Who is around you? Who is behind you?
- Don't use public WiFi to access or transmit any sensitive data.
- Use privacy filters for device screens, including desktop computers.
- Lock your computer before leaving it unattended.
- If you see a visitor or anyone doing anything unusual, say something.

In an interview, Ponemon said he does not have statistics on how common that form of visual hacking is, but said the point of the research was to see how easy it would be.
And it turned out to be disturbingly easy.

"This is the kind of thing that can happen if you're not aware of people wandering around where they don't need to be, like people coming into hospitals looking for people who might be famous celebrities," he said.

Other experts, while they agree that there is a risk, say this kind of visual hacking is extremely rare.

Lance Spitzner, training director for the SANS Securing the Human Program, said he has taught more than 600 security awareness officers and, "they have never really raised this as a concern, except for classified environments."

Monahan said it is rare because it is much more difficult – it involves creating a plausible ruse to get inside a building, and once inside, there is more personal risk to a hacker who is identified.

And since it requires a person on-site, "it does not scale as well as remote and automatable hacking," he said.

"You can't collect the same volumes of data as you can with remote hacking," he said. "Try sitting in someone's office for 229 days collecting information like a remote attacker or visually recording 60 million data records."

He added that login information is nearly impossible to get, even if somebody is looking at a screen, because, "the vast majority of password fields are masked. They might see it as someone types it or find it on a sticky note but that is still a time consuming effort, so small potatoes. Thousands of people have their credentials compromised daily by malware."

Ponemon doesn't dispute any of that, agreeing that visual hacking in an office likely will not yield anything close to the volume of data that a remote advanced persistent threat (APT) attack could collect.

But he said it can be very useful for "surgical," targeted attacks. "It's a matter of quantity vs. quality," he said.
"It's for small amounts of very high-value material."

Christopher Hadnagy, CEO of Social-Engineer, is one expert who agrees. While it may not be the most common form of hacking, he said it is on the rise, in part because, "some attacks just must occur in person to be successful. Bank heists, art theft, stealing blueprints or physical hardware – all require the attacker to be onsite."

And Hadnagy contends it is not all that difficult. "Why spend 10 years digging a hole underground if I can spend five minutes walking through the front door?" he said. "It is that mentality that lets the attacker take the risk. The reward outweighs the risk in their mind."

Indeed, while it may not qualify as a hack, word this week from the Indiana State Medical Association (ISMA) of the "random" theft of a pair of backup hard drives is just one recent example of the threat from those on the inside. The association said the theft meant the private data of 39,090 of its clients may be at risk.

The one thing there is little disagreement about is that the best way to lower the risk is through improving the "security culture" of organizations. Some of that, Ponemon said, can be done through low-tech means like privacy filters for screens and lock boxes for documents. Some of it can be through rewarding employees for spotting security vulnerabilities.

But effective security awareness training is seen as the major key.

Spitzner said human behavior "absolutely" can be changed through training, but won't be through the traditional "death by PowerPoint" lecture, which was done largely to check a compliance box.

"Marketing has been changing people's behavior for hundreds of years," he said. "The problem with us is that training has mostly been done by security professionals, who tend to be some of the worst communicators in the world.
It needs to be done by communications professionals."

Hadnagy added that there is still a great need for more, and better, training. "I can't tell you how many times people I train don't even know what a phish is, or a vishing call, or a shoulder surf," he said. "If they don't even know, how can they defend? Education is probably the single most important step to protection any company can have."

Spitzner said if training focuses on how security awareness will benefit not just the company but employees themselves, "then it becomes part of their DNA," and the failure rate drops from somewhere between 30 and 60 percent to less than 5 percent.

And even those in the 5 percent, he said, tend to recognize what they did immediately, and report it to IT. "That's almost as good," he said.