Wearable displays offer tangible benefits to enterprises, but may pose unique security risks related to data, network, personal information and government regulation. Here’s what enterprises need to know to secure and protect their wearables implementations.
Every week, I talk to enterprises that are actively exploring smart glasses and smart watches to increase employee efficiency and effectiveness while reducing costs. These forward-thinking companies are innovating with wearables use cases for hands-free workers to enhance communication, improve workflow, reduce decision timeframes or decrease exposure to hazardous conditions. (See our point of view, Putting Wearable Displays to Work in the Workplace for more information.)
But there’s an area companies are not proactively addressing yet: wearables security and data privacy.
Fortunately, mobile and bring-your-own-device (BYOD) security implementations offer a number of clues. But even if your enterprise has taken precautions to securely operate mobile devices within your four walls, it may be insufficient for wearables, which will test the extensibility and scalability of an existing mobile security implementation. Further, wearables raise unique security considerations.
Unique mobile devices with unprecedented security implications
Wearables can be thought of as mobile devices at the edge, with the added dimensions of ultimate portability (they can be worn anywhere) and visibility (the wearer can actually “see” real-time enterprise data). Unlike mobile devices, which have distinct periods of use, some wearables are also potentially always on and always gathering data. In these ways, wearables are unique.
That’s why security executives need to pay extra attention to maintaining confidentiality, integrity and availability (the CIA triad) for wearable displays. What’s more, it is important to prepare early and create security policies, procedures and encryption protocols before wearables are deployed.
To get started, Accenture recommends thinking about the scalability of your current network infrastructure and the manageability of the apps to be deployed to smart glasses, smart watches or other wearables. Understand the specific threats these devices may pose to your enterprise and implement controls to decrease any risks. Here are four potential areas to consider:
Data leaks—Determine what data the wearable display may access within enterprise systems, as well as what data the device may capture during usage. Security implications will vary based on the type of data an application collects, with a higher level of protection assigned to sensitive data or proprietary information. (Note: Some companies may want to extend containerization, a common method of protecting mobile apps, to wearable displays.) By assessing these factors beforehand, you can determine the access level each user and device should be granted. Role-based access control will still need to be granted to employees via enterprise-approved methods of authentication, while also applying the principle of least privilege: employees can access only the information they legitimately need to do their work.
Network security—Consider how to protect against security threats such as phishing or man-in-the-middle attacks on wearable displays. One unique consideration for wearables is multi-factor authentication for network access. For example, employees can swipe smart cards on readers attached to laptops, but the form factor of smart glasses does not allow this. Securing networked devices on small screens (the lens of glasses, the face of a watch) also requires some extra thought. For example, to improve readability, enterprises may choose to alter the content displayed on the wearable screen, such as eliminating the URL address bar, which carries the site’s security indicators. However, this can make it more difficult for employees to detect deception-based cyber-attacks. Without a way to judge the authenticity of a given web site, they may inadvertently launch a virus on the network [1,2]. Another potential security implication is network overload or disruption. Enterprises should be aware of the type and quantity of data (wired versus wireless) traversing their networks. As wearables adoption increases, it is important to plan for additional points of entry on the network, as well as to protect against exposure to reconnaissance, unauthorized access or disruption. During a man-in-the-middle attack, for instance, employees could mistakenly send or receive errant data that could incapacitate the network.
Personally identifiable information (PII)—Data leaks via wearables may lead to identity theft through exposure of PII, which the National Institute of Standards and Technology (NIST) defines as “any information about an individual maintained by an agency” [3]. Enterprises are responsible for meeting PII regulatory standards for customers and employees. This responsibility extends to website visits, online purchases, photos and even calendar information such as appointments that people might access while wearing smart glasses or smart watches. Protecting PII is especially important for industries such as healthcare. Using a wearable display while looking at patient records, for instance, would give the device access to PII that the hospital would need to protect. Regardless of industry, companies will need to be innovative to minimize the threat of PII theft while also ensuring that wearables usability is not interrupted.
Privacy violations and government regulation—A related issue to address is privacy violation, since companies could hypothetically collect employees’ habits, behaviors and even health information via a wearable device. Failing to adequately protect this data could lead to negative attention for the enterprise. Legislation also shapes privacy obligations toward employees. For instance, the US Freedom of Information Act and similar state laws might require releasing information that a government employee mistakenly thought was private [3]. Similarly, the European Union is strengthening its data protection laws. Companies that collect, use or store personal data for non-personal use (usage that does not reflect or reference an individually identifiable user) will have to uphold these new requirements. For example, a company may collect data on which sites and pages a customer visits; however, if another party could use this data (along with other information about the person) to identify an individual directly, the company would be obligated to protect the storage and usage of this PII.
Beginning to address these security concerns will give your wearables implementation a head start. To talk about how wearables fit into your enterprise, contact us.
[1] Beware security pros: The wearable revolution is coming. (2014). Information Management, 7.
[2] Knowles, R. (2014). The wearables revolution is coming: security professionals must be ready. Retrieved October 6, 2014, from http://www.techradar.com/news/world-of-tech/future-tech/the-wearables-revolution-is-coming-security-professionals-must-be-ready-1227542