Wearables could compromise corporate data
18 July 2016
As smart watches and other wearables gain popularity, experts are warning of potential data security risks in workplaces.
Some employees have begun connecting their personal smart watches with corporate Wi-Fi networks, which could mimic the problems caused when personal smart phones started showing up at work several years ago. That earlier bring-your-own-device (BYOD) trend fostered an explosion of software products from various vendors for managing devices securely, alongside laptops and desktops.
As wearables begin to flood the workplace, the risk to employers could begin to look like “BYOD on steroids,” said Peter Gillespie, an attorney at US company Fisher Phillips.
Smart watch use
Gillespie is concerned that as smart watches are allowed to attach to emails, or internal productivity software in some cases, vital corporate and personal data could be lost, stolen or corrupted. The problem is only just emerging and few companies seem to understand the potential harms, Gillespie and others said.
“As of now, wearables and Internet of Things devices are not getting attached to employer networks and so it’s not been viewed as a serious problem,” Gillespie said in an interview. “But I do think employer IT and HR departments should be aware that the consumer rollout of wearables has not been designed with enterprise data security in mind.”
He’s unaware of even a single example of a user of a personally owned wearable device creating a data security problem for a company, but added: “It’s something we’re looking at in terms of anticipating potential problems before they happen.”
Many smart watches connect to data via a smart phone over Bluetooth, but some are being sold with cellular connectivity and can provide a user’s GPS location and other data. If connected to a corporate directory and other corporate data, there’s the potential, albeit small, that such data could be hacked. Or a user’s health and fitness data could be hacked, depending on how a company configures its network security.
“It’s very difficult to anticipate how creative folks can get about pulling off data and making use of it…and whether that turns into a problem,” Gillespie added.
Phil Hochmuth, an analyst at IDC, said enterprises recognise the use of personally owned wearables on corporate networks as a potential security issue. “They are looking for solutions to get ahead of it, although not on a large scale,” he said.
So far, typically only a handful of workers in a given company will use a wearable to gain access to email or customer relationship management tools like those available from Salesforce, Hochmuth said. “So far, it’s not like businesses are deploying these kinds of wearables widely,” he said.
Hochmuth said the corporate risk associated with a consumer wearable inside an enterprise is similar to the BYOD smart phone risk. “They’re both connected devices, likely owned by a worker, and in some cases can store a lot of data or sync with corporate apps that contain sensitive information,” he said. “A device like an Apple Watch could be seen as a risk if the phone is corporate-owned but the watch isn’t.”
Enterprise mobility management vendors like BlackBerry and others are creating software that applies specifically to wearables and requires protections like passcodes. But so far, the productivity gains of using smart watches and other wearables in the enterprise are still unproven; this has so far held back the security risk, Hochmuth noted.
Aside from consumer devices like the Apple Watch being used at work, the bigger productivity opportunities for enterprises come from specialised and industrial-focused applications, like augmented reality glasses or wearable data-input devices or sensors. “In industries such as medical, oil and gas, or law enforcement, these specialised devices will interact with sensitive data and the devices will be strictly controlled and managed,” he added. “Strong authentication and even geo-fencing are some of the approaches businesses are considering to secure these types of devices.”
Typically, such specialised wearable devices will be owned and under direct control of an organisation, so a user doesn’t take them home or have a chance to use them for personal tasks.
Several EMM vendors offer tools that manage wearables along with other computers like laptops, although it isn’t clear the EMM tools are being applied by employers to wearables in any significant way. BlackBerry, MobileIron, Citrix and AirWatch are among the vendors offering mobile device management tools that govern various devices, including some wearable devices.
Such software could be used to protect both sensitive corporate data and data about individual workers — including their health and whereabouts.
So far, the biggest consumer wearable segment is the fitness band, popularised by Fitbit and others. The demand for smart watches hasn’t reached the expectations of two years ago, but most analysts still predict a rosy future for smart watch sales, albeit at a slower pace.
Despite some muted warnings by US government officials to consumers about sharing their fitness data with vendors of wearable devices and others, one recent survey shows that consumers are less concerned about wearable privacy and security than they were two years ago.
That online survey of 1,000 US residents, conducted in March by PricewaterhouseCoopers International (PWC), said: “One might have thought that privacy would be the biggest hurdle facing wearable technology today. Not only is this not true, but concerns around privacy have actually lessened for…smart watches and glasses.”
The PWC survey also found that 67% of consumers said their company should pay for their wearable, partly with the expectation that it could be used to increase workplace productivity. The report says 75 million wearables will permeate the workplace by 2020 and quotes Gartner that by 2018, some 2 million employees will be required to wear a health and fitness tracking device as a condition of employment.
“While the benefits of wearables in the workplace are indisputable, employee privacy can pose a challenge,” PWC’s report said. “Theoretically a company can track an employee’s location, hours worked, breaks clocked and even steps taken. Personal time (such as late-night drinking for a friend’s birthday) might well be monitored as part of the corporate wellness program. Conversely, employees who don’t participate might be perceived as hiding something.”
The report added: “Companies could be subject to data breaches, given the content and magnitude of the data. Wearables have the potential to capture/store more personal data than any other device that we’ve ever owned, including details about employees’ every move, habits, interests, and health information.”
The PWC report concluded that questions about wearable security and privacy have yet to be resolved. “As wearable technology becomes ubiquitous in the workplace, transparency and employee education will go a long way toward resolving these issues.”
IDG News Service