What Is Shoulder Surfing?
Shoulder surfing is the act of observing someone's screen — or any sensitive display — without authorization. It can be deliberate (a competitor, an insider threat, a corporate spy) or opportunistic (a curious colleague, a co-working space neighbor, a café visitor).
The attack requires nothing more than proximity and eyesight. No device. No login. No network connection. The attacker simply looks.
In a banking call center, that might mean a supervisor reading a customer's account balance from across the room. In a hospital, a visitor glimpsing patient records on an unlocked workstation. In a co-working space, a stranger memorizing — or photographing — the proprietary data on the screen next to theirs.
The threat is not hypothetical. The 3M Global Visual Hacking Experiment, conducted by the Ponemon Institute, found that 91% of attempts by a white-hat "visual hacker" to obtain sensitive information from screens and desks succeeded in a standard office environment.
Why Traditional DLP Is Completely Blind to It
Enterprise DLP solutions are built around a single core assumption: data moves through a digital channel. They inspect files copied to USB drives, scan emails for sensitive content, monitor network traffic for unauthorized transfers.
Shoulder surfing breaks every one of these assumptions simultaneously.
When an unauthorized person reads your screen, no file moves. No email is sent. No network packet is flagged. The data travels through light — and lands in a human brain, or on a phone camera, completely outside your security perimeter.
There is no DLP rule for line-of-sight. No SIEM alert for proximity. No firewall for eyeballs.
Real Scenarios You Recognize
Scenario 1: The Open-Plan Office
A financial analyst is reviewing a sensitive M&A document at their desk. A colleague from another team walks past, slows down, and reads three lines. The document contains insider information. No access log was created. No alert fired. The analyst never noticed.
Scenario 2: The Call Center
A customer service agent handles a complaint call and pulls up the customer's full account — name, ID number, transaction history. The agent two seats over, who handles a competing product line, can read the screen clearly. Every call, all day. This is not a technical breach. It is a structural one — and DLP cannot see it.
Scenario 3: The Co-Working Space
A startup founder works from a shared office. The person next to them works for a larger competitor. For two hours, they sit 60 cm apart, well within comfortable reading distance of a laptop screen. No malware was needed.
Scenario 4: The Phone Camera
Shoulder surfing has a modern upgrade: instead of memorizing what they see, attackers photograph it. A three-second window, a phone raised casually, and a full-resolution image of your screen is on a personal device — uploadable to any AI service, shareable to any contact, storable indefinitely.
What the Regulators Require — And Where the Gap Is
Regulators have begun explicitly addressing physical screen exposure, but enforcement lags behind the technology.
- ISO/IEC 27001:2022 Annex A 7.7 (clear desk and clear screen) requires clear screen rules to be defined and appropriately enforced. The accompanying ISO/IEC 27002 guidance includes technical measures such as screen locks and inactivity timeouts, so a policy document that nobody enforces does not satisfy the control; enforcement does.
- HIPAA 45 CFR §164.310(c) (workstation security) requires physical safeguards for all workstations that access electronic protected health information, restricting access to authorized users. A screen that is readable by unauthorized people in a shared space is exactly the exposure this safeguard exists to prevent.
- DORA Article 6(2) requires that all information assets are protected from unauthorized access — and unauthorized access does not require a credential. A line of sight is sufficient.
- MAS TRM, HKMA CFI 2.0, APRA CPS 234, and GDPR all contain comparable physical access and data protection requirements.
In every case, the screen layer is the blind spot.
Why Privacy Screens Are Not the Answer
The standard response to shoulder surfing is a physical privacy screen, a micro-louver filter film that narrows the monitor's viewing angle so the display goes dark when seen from the side. They are inexpensive, low-tech, and widely deployed. They are also incomplete:
- They do nothing against a phone camera held inside the viewing cone, for example raised over the user's shoulder, which sees exactly what the user sees
- They reduce visibility but do not eliminate it — and they do not detect when someone is looking
- They do not log incidents — there is no audit trail
- They do nothing for unattended workstations, where the screen is fully visible to anyone who approaches
- They cannot be centrally managed, monitored, or reported on
A physical filter is a passive deterrent. It reduces the attack surface but provides no detection, no response, and no evidence.
ScreenStop: Active Shoulder Surfing Prevention
ScreenStop is the first Screen DLP solution built to detect and prevent shoulder surfing in real time — using the workstation's existing webcam and an on-device AI engine.
When an unauthorized person approaches a screen, ScreenStop detects them. When a phone camera is raised toward a display, ScreenStop detects it. The response is immediate and configurable: blur the screen, lock the session, or trigger an alert.
Every event is logged to the dashboard per workstation, giving security teams a full audit trail for investigation and compliance reporting. No special hardware. No video sent off-device. No internet required. Works on Windows and macOS.
Four detection modes:
- Shoulder surfing — unauthorized person in viewing range of the screen
- Phone camera detection — mobile device pointed at the screen
- Unattended workstation — user absent, screen exposed
- Unauthorized person — face not recognized as the registered user
ScreenStop does not replace your existing DLP stack. It closes the one gap your existing stack cannot see.
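The detection modes and responses above follow a common pattern: a detector emits per-frame observations, and a policy layer decides when an observation is real enough to act on, what to do, and what to record. The block below is an added example written for this page, not ScreenStop's code, showing how such a response policy can be structured. The frame schema (`faces`, `user_present`, `phone_camera`), the condition names, the thresholds and the sample trace are all assumptions constructed for the example; any real on-device model will have its own output format. It debounces so a single noisy frame does not blur the screen, applies hysteresis so a brief glance away does not clear an active condition, escalates to the most severe response when several conditions overlap, and writes one audit event per confirmed condition.

```python
"""Added example (not ScreenStop's code): a response-policy engine for a
webcam-based screen protection agent. Detector output is assumed and the
trace at the bottom is constructed; the point is the policy logic."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Action(IntEnum):
    """Screen responses ordered by severity; the highest active one wins."""
    NONE = 0
    ALERT = 1   # notify the security team, leave the screen alone
    BLUR = 2    # obscure the screen contents
    LOCK = 3    # lock the OS session


@dataclass(frozen=True)
class Frame:
    """One frame of detector output (assumed schema)."""
    t_ms: int           # milliseconds since the agent started
    faces: int          # faces inside the screen's viewing cone
    user_present: bool  # the registered user's face was recognized
    phone_camera: bool  # a phone camera lens is pointed at the screen


@dataclass(frozen=True)
class AuditEvent:
    t_ms: int
    workstation: str
    condition: str
    action: Action


# Response per condition; a deployment would configure this centrally.
DEFAULT_RESPONSES: Dict[str, Action] = {
    "shoulder_surfing": Action.BLUR,      # user present, extra face in range
    "phone_camera": Action.BLUR,          # camera raised toward the display
    "unauthorized_person": Action.LOCK,   # someone present, but not the user
    "unattended": Action.LOCK,            # nobody present for too long
}


class ScreenPolicy:
    def __init__(self, workstation: str, responses: Optional[Dict[str, Action]] = None,
                 confirm_frames: int = 3, release_frames: int = 15,
                 unattended_after_ms: int = 10_000) -> None:
        self.workstation = workstation
        self.responses = dict(responses or DEFAULT_RESPONSES)
        self.confirm_frames = confirm_frames        # consecutive hits before acting
        self.release_frames = release_frames        # consecutive misses before releasing
        self.unattended_after_ms = unattended_after_ms
        self._hits: Dict[str, int] = {k: 0 for k in self.responses}
        self._misses: Dict[str, int] = {k: 0 for k in self.responses}
        self._active: Set[str] = set()
        self._absent_since: Optional[int] = None
        self.audit: List[AuditEvent] = []

    def _observe(self, f: Frame) -> Set[str]:
        """Raw per-frame conditions, before any debouncing."""
        seen: Set[str] = set()
        if f.phone_camera:
            seen.add("phone_camera")
        if f.user_present and f.faces > 1:
            seen.add("shoulder_surfing")
        if not f.user_present and f.faces > 0:
            seen.add("unauthorized_person")
        # Unattended is time-based: no face at all for unattended_after_ms.
        if f.faces == 0:
            if self._absent_since is None:
                self._absent_since = f.t_ms
            if f.t_ms - self._absent_since >= self.unattended_after_ms:
                seen.add("unattended")
        else:
            self._absent_since = None
        return seen

    def step(self, f: Frame) -> Action:
        """Feed one frame; return the response the agent should enforce now."""
        seen = self._observe(f)
        for cond in self.responses:
            if cond in seen:
                self._hits[cond] += 1
                self._misses[cond] = 0
            else:
                self._misses[cond] += 1
                self._hits[cond] = 0
            if cond not in self._active and self._hits[cond] >= self.confirm_frames:
                self._active.add(cond)          # confirmed: act and log once
                self.audit.append(AuditEvent(f.t_ms, self.workstation, cond,
                                             self.responses[cond]))
            elif cond in self._active and self._misses[cond] >= self.release_frames:
                self._active.discard(cond)      # released only after sustained absence
        return max((self.responses[c] for c in self._active), default=Action.NONE)


# Constructed trace: (frames, faces, user_present, phone_camera), 100 ms per frame.
SAMPLE_TRACE = [
    (10, 1, True, False),   # user alone
    (2, 2, True, False),    # second face for 2 frames: detector noise, below confirm
    (10, 1, True, False),
    (10, 2, True, False),   # second face lingers: shoulder surfing confirmed
    (10, 1, True, False),   # they move on; blur released after 5 clean frames
    (5, 1, True, True),     # phone camera raised
    (6, 1, False, False),   # a different face at the keyboard
    (40, 0, False, False),  # nobody there: unattended after 2 s
]


def run_sample(frame_ms: int = 100) -> Tuple[List[Action], List[AuditEvent]]:
    policy = ScreenPolicy("ws-07", unattended_after_ms=2_000, release_frames=5)
    frames: List[Frame] = []
    for n, faces, user, phone in SAMPLE_TRACE:
        for _ in range(n):
            frames.append(Frame(len(frames) * frame_ms, faces, user, phone))
    actions = [policy.step(f) for f in frames]
    return actions, policy.audit


if __name__ == "__main__":
    _, events = run_sample()
    for e in events:
        print(f"{e.t_ms:>6} ms  {e.workstation}  {e.condition:<20} -> {e.action.name}")
```

Two design points carry over to any real deployment. The confirm and release thresholds are asymmetric on purpose: false positives (blurring the screen because the model flickered) cost user trust, while false negatives cost data, so releasing should be slower than confirming. And the audit log records only transitions, not every frame, which is what an investigator needs and keeps the per-workstation log small enough to retain.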
The Bottom Line
Shoulder surfing is not a niche threat. It is the lowest-effort attack available in any shared physical space, and it is invisible to every traditional security tool.
As organizations expand into hybrid work, open offices, and shared environments, the exposure grows. The fix is not a policy. It is not a privacy screen. It is software that watches the workspace the way an attacker does — and acts before the damage is done.
See ScreenStop in action on your own workstation
Existing webcam. On-device AI. Real-time shoulder surfing detection.
Request a Demo →