Is wearable technology threatening your data security?
Whether or not you actively encourage the use of wearable devices, it’s probably the case that at least some of your employees are using them on work’s time.
From keeping your team connected through to driving efficiency, many businesses find plenty of upsides with this new breed of technology. But with this comes new risks. Especially if your guidelines for IT usage were drafted in the post-smartphone but pre-smartwatch era, now may be the time for a re-write.
Wearables at work: a snapshot…
In some sectors, employer-supplied wearable technology is now the norm. Hands-free wireless headsets paired with wrist displays are one example; whereas in retail and warehousing, wearable devices can help allocate tasks, track movements and measure productivity. Google Glass can also find a place in the workplace; for instance by enabling workers on site to access technical data and read it hands-free while they work.
Then there’s the growth of bring your own (BYO) devices; mostly smartwatches. In a survey last year, more than two thirds of UK IT managers reported that at least some members of staff were bringing wearable devices into the workplace. Almost all of those surveyed believed that this was part of a growing trend. Here, we’re in a position akin to 8-10 years ago with smartphones; many early adopters already have them, while products such as the Apple Watch and Samsung Galaxy Gear are helping to broaden their appeal.
Here are some of the specific risks that can arise from the use of such devices and how your policies may need to be adapted to address this.
Most popular smartwatches are designed to complement rather than replace phones. If employees are using phones to store and access business data, there’s the risk of the watch being used as a further potential gateway to access this information. Hewlett Packard recently evaluated 10 popular smartwatches and found that 30 percent were vulnerable to account harvesting in one form or another.
- If you are dealing with BYO devices, consider mobile device management (MDM) with containerisation to enable personal and corporate data to exist separately on the same device. Couple this with encryption protocols designed to instantly render data unusable if it falls into the wrong hands.
- Check with your IT security providers that the measures you have in place are not in any way compromised by the use of wearable tech. If they are, consider a ban on tethering smartwatches to devices that contain business data or provide access to your network. Depending on your existing infrastructure, it may be that some brands or models are considered safe but others are not. If so, issue a list of allowable devices.
- Make adherence to password protection and other authentication safeguarding protocols an absolute requirement.
- Make it clear that if an employee loses a wearable or portable device that contains or potentially enables access to corporate data, this loss should be reported to you immediately. This way, you can activate a remote data wipe via MDM.
From quirky little games through to health and fitness trackers, wearable devices bring the temptation to download lots of new apps to get the most out of the hardware. If these are from dubious sources, it opens up the risk of various malicious actions via embedded spyware and back door access to data.
- Ensure your existing policy on what apps can and cannot be installed on work phones and tablets also makes specific reference to wearables.
- For things like fitness trackers (a very big feature of the wearables market) consider offering free installation of safe, best-in-class apps; a relatively simple way of promoting staff wellbeing while making it less likely that employees will stray towards unsafe software.
By its very nature, wearable tech tends to be discreet. This raises the possibility of new ways for rogue employees to circumvent existing rules. Imagine, for instance, a temp quietly getting on with photographing customer data with a Google Glass camera. Then there’s the possibility of employees deciding to deftly activate the voice recorder on their watches when in a client meeting or perhaps in an attempt to capture the unguarded comments of co-workers.
- If, whether for purposes of client confidentiality, IP protection or general safety, you have areas where smartphones are forbidden, make sure there’s also specific reference to smartwatches in your policy.
- If your policy on prohibiting the downloading and disclosure of confidential information gives examples of banned practices (e.g. syncing via mobile phones or use of flash drives), consider adding the use of wearables to that list.
- State that all forms of covert audio or visual recording are forbidden and refer to wearables specifically.
Making sure employees are aware of their responsibilities, checking your IT security is fit for purpose and keeping a close eye on how this technology is developing: all of this is required to ensure you continue to get the most out of wearables while keeping your business safe. If sensitive information is exposed or any data is lost, there could be significant financial impacts to your business - so it's vital to have a professional indemnity insurance policy in place to ease the burden if a case is brought against you.