In the age of BYOD (Bring Your Own Device), IT continues to face new security challenges. But gone are the days when rogue smartphones dominated the conversation.
Today, wearable devices and the unsanctioned access they can provide to corporate data are in the news. Built more for convenience than security, connected wearable technologies have the potential to wreak havoc on corporate security. So, how can you prepare for the coming flood of wearables onto your network?
Smart watches and other wearables (such as smart glasses, hearables, and fitness and health trackers) are connecting to corporate networks at a record pace. As a matter of fact, IDC predicts that by 2019, more than 89 million smart wearable units will ship worldwide. That’s more than double the 2015 estimate of 33 million. And, in the U.S. market alone, sales are expected to reach 19 billion, more than ten times its value five years ago.
With these devices offering a vast number of applications targeting enterprise users, what started out as fun consumer devices are now permeating corporate networks, with employees benefiting from popular features such as “at a glance” email and messaging. Unfortunately, these technologies of convenience, which can have a positive impact on productivity, often also provide access to sensitive corporate data. And there’s the rub.
Wearables are hyper-connected devices and often have Bluetooth, Wi-Fi and in some cases even direct cellular connectivity. Applications from the paired smartphone are automatically loaded onto the wearable. This means that when a wearable is used in the enterprise and associated with corporate applications, a single wearable vulnerability could snowball into something far worse. For example, imagine inadvertently leaking your sales pipeline and customer information.
Unfortunately, it’s hard to prevent employees from bringing wearable technology into the workplace, short of disabling Bluetooth and Wi-Fi on smartphones, which is not likely to happen. As a growing trend, the business case for wearable technologies in the work environment is still being debated. Do these devices accelerate learning, sharing and productivity? Maybe, as currently most users accept that these devices can offer:
- Anytime, anywhere at a glance access to information (mail, calendar, sales data, and CRM)
- Collaboration between employees (messaging, knowledge sharing)
- Authenticating the user for physical and logical access
But, they also present very real security risks, which include:
- Users losing wearables that have cached company-sensitive information.
- Malware on the devices that can easily siphon off data and other corporate secrets to other devices.
- Phishing attacks that obtain the watch’s PIN, which can then be used to access data on other corporate or personal devices.
Corporate IT already has the tools needed to prevent jail-broken smartphones from connecting to the network (Enterprise Mobility Management), but those measures fall short of protecting the new class of smart wearable devices. While there have already been some well publicised hacks on the Apple Watch, it has yet to be publicly jail-broken. Likely it’s only a matter of time.
However, it doesn’t take a jail-broken device to gain access to that sensitive information. Simple access to the wearable along with some basic social engineering is enough. With my phone nowhere in sight (powered off and in the next building over), with a simple 4-digit PIN, I can access emails with sensitive financial and employee data cached and stored on my watch. This highlights the most basic of vulnerabilities associated with this type of device.
How can you reduce your corporation’s security risk associated with wearables? Here are some initial steps:
- Write a corporate policy around the acceptable use of wearable technologies within the enterprise and make this a well-known practice that employees can understand and follow.
- Require non-trivial passcodes (no 1234 or 1111, etc.) on wearable devices linked to corporate data.
- Ensure that lost or stolen devices are reported immediately.
- Educate users on recognising and reporting spear phishing attacks that may be focused on wearable devices.
Keep in mind that wearables are not all doom and gloom. They can be great productivity tools providing users with some very promising capabilities that will one day actually bring additional security to the enterprise. For example, the use of biometrics (heart rate or rhythm) to authenticate user access to devices, computers or networks, or new methods of physical access to open doors or replace badges in the workplace.
Wearable devices are a big part of everyone’s future. As the technology continues to evolve and eventually grabs hold in the enterprise, it will revolutionise high value information sharing across most industries. What seems like a harmless watch or pair of glasses today could be a significant security nightmare tomorrow. Where there is easy access to valuable information, you’ll find motivation for hackers and cyber criminals.
While it’s exciting to embrace the power of new wearable technologies, it’s equally, if not more, important to consider the new security threats these devices pose in their early adoption and how to combat them.
Andrew Young, VP of Product Management, WatchGuard Technologies