In 2014, around 6.8 million smartwatches were sold worldwide. Even though this market is considered to still be in its infancy, many expect that it will rapidly grow over the coming years. According to a report by CCS Insights, an estimated 350 million wearables will be in use by 2018. As a result, IT departments need to start thinking about the impact wearable devices will have on security as they begin to infiltrate the enterprise.
Bring Your Own Device (BYOD) was a term commonly used a few years ago to talk about policies or support for employees using their own smartphones or tablets. Today though, the term Bring Your Own Everything (BYOx) has come to cover a wider variety of devices, including wearables.
Employees are bringing personal wearable devices into the workplace and syncing them with company and personal devices to access corporate networks and view corporate data. As the number of outlets to corporate information increases, more outlets need to be managed and the potential risk of leakage rises.
Devices like Google Glass, HoloLens or smartwatches, which feature built-in cameras, may need to be managed by IT departments to ensure they fit with company policies.
Similarly, wearables that feature built-in microphones would also need to be taken into consideration. As with many highly sensitive areas, it may be that IT requires any wearable to be enrolled in the corporate Mobile Device Management scheme, to add control over device hardware, or prevents the individual with the wearable device from entering sensitive areas.
In addition, data that makes its way onto wearables must be secured on your servers and in transit in between. If an app is used to control the wearable, or to process the data before it’s sent to a server, that app will also need to be secured against the threat of hackers.
A big concern in the enterprise space is the security of new devices being introduced to the workplace, particularly if they can store sensitive information about the business. For most wearables the smartphone is the host device, meaning a higher level of security should be present, but there are some devices, such as LG’s Watch Urbane LTE, that don’t need a smartphone in order to operate.
However, the majority of wearables require a smartphone to be paired for connectivity. This means there’s already a security protocol to help alleviate some concerns, where the wearable cannot be used without its host. In addition, the wearable can be used as a second or even third-factor authentication device, preventing anyone else from using it if, for example, it falls into the wrong hands.
As wearables use sensors to collect data such as heart rate or other health-related data, the value of the data collected from users begins to increase. In the healthcare sector, sensitive data collected from patients could make wearable devices more of a target for hackers.
Obviously not all wearable devices will bring risk for the enterprise. Many of the fitness trackers that are available on the market solely monitor the user’s daily activity, for example steps, sleep and exercise. However, with wearables that are used as communication devices, such as Samsung Wear and Apple Watch, which feature functionality that is able to interact with potentially sensitive information, IT professionals need to be aware of the type of information that could be accessed.
Having had experience with BYOD, IT departments noticed that they can’t stop employees from bringing their own devices into the working environment. What IT departments need to consider is what policies they need to put in place to prevent the risk of information leakage and control the potential access to corporate data.
Here are some areas that should be taken into consideration when thinking about wearable devices in the workplace:
- Have a company-wide amnesty to discover who is bringing what to work and which devices are accessing corporate data
- Draw up and enforce an IoT and BYOD policy and educate staff about the potential risks of data leakage
- Any devices that do not meet the specified requirements should not be given access to join corporate networks
- Extend mobile policy to cover wearable technology – this should specify rules over connecting productivity apps, passwords, locking and access to websites
- Have a bring your own app (BYOA) policy to determine what kind of app behaviours are going to be allowed or not
- Implement an open end policy to determine what apps are allowed to interact with corporate data, depending on the security of the app itself
As our white paper on wearable technology in the enterprise indicates, there is a wide range of opportunities for wearable devices to disrupt industries. However, as with any personal mobile device that is being used to access corporate data, there is a certain risk involved. As IT departments can’t control the devices that are brought into the workplace, policy strategies should be in place to control how the devices are being used and what information they are authorised to access.