The ticking cybersecurity risk: Managing wearable tech in the workplace
Smartphones and tablets took time to effectively crossover from consumer device to business staple. Wearables, despite still being the infants of IT hardware, are already starting to make that leap.
According to research firm IDC, worldwide wearable shipments will surpass 45 million this year, up more than 130% from 2014. Given this massive growth, it’s clear these devices won’t just wind up on the wrists of health-conscious consumers; they’ll also play a significant role in the workplace.
Despite the productivity benefits smartwatches, bands and connected glasses can bring to employees, organizations need to proceed with caution. Wearables’ novelty is matched by their vulnerability, exposing employers’ IT infrastructure to malicious intruders and data theft. Like smartphones and tablets before them, wearables demand sound policies and technical safeguards in order to compensate for their cybersecurity gaps.
Limitless business opportunities, with a side of threats
It doesn’t take much imagination to think up the diverse business applications of wearable technology. The ability to manage email, reschedule meetings or access key files with a few taps on a smartwatch could add needed simplicity to a remote employee’s workday. Some organizations are starting to embed wearable fitness trackers into their corporate wellness programs and benefits packages.
Specific industries are also exploring how wearables can accommodate workers’ niche processes. Gartner estimates that smart glasses (e.g., Google Glass and other head-mounted camera tools) are on track to save the field service sector $1 billion annually by 2017. Similar gadgets have the potential to reimagine traditional manufacturing and distribution jobs, facilitating faster inventory management and fulfillment. Even consumer-facing occupations, from retail sales associate to nurse practitioner or delivery driver, seem ripe for wearable innovation.
Before connecting to a corporate network, fitness bands and smartwatches have access to a trove of personal user information: biometrics, passwords, financial data. In a recent interview, Evernote’s wearable app developer explained how the license agreements that accompany many wearable devices are problematically vague, creating little assurance as to their inherent data protection.
Within an office, wearable devices may operate via both Wi-Fi and Bluetooth, creating multiple entry points for malicious actors to infiltrate enterprise systems. Such exposure could lead to disastrous compliance repercussions, particularly when identifiable customer or patient data is involved. More likely than not, hacker groups are starting to experiment with ways to use wearables as a vehicle for larger exploits. Just weeks ago, Kaspersky Labs uncovered a security gap in the authentication mechanisms used in certain fitness bands that allows third parties to connect to the device (and potentially extract data) unnoticed.
As Bring Your Own Device evolves into Wear Your Own Device, corporate IT departments that don’t ban wearables outright will need to navigate these emerging challenges and identify the best way to secure their environments.
Recommendations to prepare for, and protect, wearables
Managing wearables in the workplace, like most software or hardware, requires proper end user hygiene and sophisticated IT defenses.
At a minimum, organizations should encourage wearable-equipped staff to disable Bluetooth or automatic Wi-Fi detection settings when their devices aren’t in use. IT managers might also instruct employees to connect to a guest network when need be, ensuring some degree of separation. Software/firmware updates are also a critical part of security management, and while the emergence of self-updating technologies may alleviate some challenges, these advances in-and-of-themselves are fraught with peril.
In territory as unchartered as wearables, it’s that much more important for organizations to understand who their adversaries are. The form factor, computing, and power limitations of such devices may create new blind spots that make room for a new crop of bad actors. We see this all the time with low power or CPU-constrained devices that do not use proper encryption algorithms because of power consumption or compute limitations. Thermostats, wireless home security systems and home control devices, automobiles, and fitness equipment all have problems today due to these tradeoffs. The emergence of shared platforms (such as Android and Apple) with security in the base plumbing will help—nearly everything today is custom from the ground-up.
Organizations must work to bolster security before wearable adoption reaches a critical employee mass. Corporate cyber defenses that were sufficient five, ten years ago won’t necessarily be enough to ward off wearable threats. One approach is to start with a threat assessment in order to gauge what data is passing through the corporate network, and what investments can be made to guard it. Establishing geofences that disable the network in sensitive spaces, such as R&D labs, is another step to consider.
Whether in-house or outsourced to third party experts, firms should develop a team that continuously monitors and updates the wearables (and other smart devices) connecting to the corporate network. While we’ve all become accustomed to updating our traditional computers, embedded devices are a challenge. Technical, practical and cultural problems will cause software updates to lag or be impossible, so an added layer of supervision is rarely a poor choice.
Aside from being proactive about threat detection, IT leaders also need response plans ready to go in the event of a breach. These should encompass not only technical disaster recovery protocol, but also specific procedures for breach notification and regulatory compliance.
It’s hard to deny the utility wearable devices can lend to organizations of any size or industry. But it’s just as hard to ignore the level of risk wearables will introduce to corporate environments unequipped to welcome them. As everything from social media to cloud apps proved, consumer technology has a habit of wedging its way into the enterprise whether IT departments are ready or not. With wearables, there’s still time for organizations to prepare.