Wearables - A New Real (Enterprise) Security Worry

An article I read recently in CIO began in an excellent and very to-the-point way:

Congratulations on getting that new wearable device over the holidays. You're on your way to a new, trackable, data-filled life.

Or you’re about to be hacked.

Yes - just like that. You waited for and wanted that new wearable, saved your money or got it as a gift under the tree, and then, unknowingly, you entered the realm of real-world security threats. And you thought that was just reserved for the network or the latest smart home device...

The world of threats and exploits has now found its way to your wrist, your head, or wherever this "wearable" may happen to be located. The article points directly to the recent hack of VTech (which also makes a wearable for kids), whose customer database, which includes the information of 5 million parents and 200,000 children, was recently compromised. Stephen Cobb of ESET, in statements concerning wearables getting to the point where criminals can see a way to exploit them for gain, said:

"Some of their toys took photographs and some of those photographs were shared on their back-end system," Cobb says. "In the case of a wearable, this could have location information, it could have health related information." 

With that in mind, while there is concern for kids, as well as for wearables worn by adults for personal use, a much larger picture looms here - and that's wearables usage in the workplace. As if the CIO and IT staff don't have enough to deal with already with mobile devices moving around the organization, wearables used by workers who access company information and other material regarded as sensitive become the next concern. It could be a smart watch with a built-in camera or smart glasses, for example.

In a previous blog post I referenced an article about wearables being a Pandora's box for security. That article discusses vulnerability in terms of the connection to one's smartphone, treating that connection, and not the actual wearable device itself, as the weak link: the wearable device and the smartphone send and receive data wirelessly over short-range Bluetooth. It even refers to biometric authentication, such as fingerprint or face recognition, for securing the actual wearable device.

The focus of this particular blog post is the wearable device itself and its potential to expose sensitive data, video and more. Mark McCreary, chief privacy officer and partner at Fox Rothschild LLP, said: "I'm going to be worried about things like Google Glass and cameras on smartwatches and anything that's either able to record audio or visual."

He stated that even if employees are casually recording in the workplace without thinking anything of it, that video or audio could have sensitive information in it and be uploaded to different places – like a personal cloud account – that are not as protected as a company's own secure systems or cloud storage environment. Liken it to casually storing photos and more in Dropbox for the relatives to see - now replace the relatives with a hacker. Not having control of data and other sensitive materials in this manner could thus result in major problems for an organization as well as its IT operations.

One wearable-based strategy being employed by enterprise organizations today involves HR-based wellness programs that give out tracking devices (like Fitbits) to employees. While done with good intentions, Beth Zoller, legal editor at XpertHR, says that it presents possible human resources and legal issues in terms of who gets to see that data.

"There are invasion of privacy issues," she says, where the employer has access to an individual employee's health information and more. Most Fitbits can (along with recording activity) record sleep patterns which an employee may not want an employer to have. She also states: "There is the risk of employees who are wearing wearable devices that the lines between work and nonworking time is a blur." Privacy thus enters into the picture along with security, as these days one can in no way be discussed without the other.

Creating policy for wearable usage in the workplace, as with mobile devices, is of great importance if management and security are to be enforced in the most efficient ways. Bringing one's own wearable, what's been referred to as WYOD (Wear Your Own Device), or even wearing one that's company issued, truly requires that policy be set and that any available device management and security techniques be implemented.

With policy and security (as well as privacy) measures in place, whatever they may be, what remains is the lengths to which someone looking to expose a possible vulnerability will go to jeopardize the situation, or an employee's mishandling of a situation under signed policy - in which case they would face the consequences, as with any policy they are required to sign.

Article of reference here from CIO: How secure are wearables, anyway?
