The age of wearable technology is here and with it comes new cyber security risks.
Over 3 million wearable devices such as fitness bands and smartwatches were sold in the UK in 2015, a rise of 118% from unit sales recorded in 2014. This surge in popularity has raised concerns that cyber criminals will target such products.
Sensitive data is being used and transferred by wearable technology, some of it of a highly sensitive nature for both individuals and businesses. Organisations using wearable technology need to introduce security policies and procedures to reduce the risks.
Wearable technology comes in a variety of forms such as smartwatches, fitness trackers, glasses and head-mounted displays. According to the IDC, there is likely to be 237.1 million wearable devices in use worldwide by 2020.
As wearable technology firms rush to get their products into the market and win market share, the likelihood of them putting security as their top concern is unlikely. If anything, this market is shaping up to be similar to the smartphone revolution that saw effective security measures being introduced after the initial purchasing rush.
The Security Concerns
Physical Access to Data – Most wearable devices store sensitive data on their internal memory without encryption. Many do not require a PIN or offer password protection making it easy for a thief to access the data within.
Espionage – The wearable technology we see today wouldn’t be out of place in a James Bond movie from the 70’s. It was the realm of fiction then but is a reality now. Wearables such as Smartwatches, allow someone to easily walk into a sensitive area and either take photos or record images without anyone realising.
Wireless Connections – Most wearables connect to smartphones meaning that data is constantly being transferred wirelessly. Many of these types of connection are insufficiently secure against hackers. A method of improving security is to first document just how many connected devices there are in an organisation and then take action to secure them all.
No regulation in place – Due to the newness of the technology the government has not yet introduced regulations to ensure that manufacturers abide by certain principles when it comes to security. A Company that suffers a data breach that breaks compliance or regulatory requirements for their specific industry will not be able to shift the blame onto wearables. They’ll still be held fully accountable.
Lack of patches – As many wearable devices use their own applications and operating systems the likelihood of hackers breaking into them is high. As with conventional computers, software needs to be fully patched and kept up to date to avoid the latest vulnerabilities. So far very few wearable creators have a system in place to deliver patches. You also need to be aware that Anti-Virus/Malware tools aren’t really present for wearables, so if they do get owned, they can’t be cleaned.
Wearable devices work differently to smartphones resulting in many new cyber security risks. As the technology becomes more widespread, companies are going to have to rethink their policies and plans when it comes to handling wearable device management.
Mitigating the Risks
There are a few ways in which you can mitigate the risks posed by wearable technology. By ensuring that wearable technology is included in your organisation's policies you can define the acceptable use of such devices and can bind employees to these limitations via a signed agreement.
Disabling Bluetooth between business-managed smartphones, tablets and other wireless equipment in sensitive areas can increase security and limit the chance of a data leak. Try to insist that staff with wearables ensure that they use devices with biometrics and geofencing to ensure that the person at the other end of the device is an authorised user.
‘Overall it seems like wearables are just widely viewed in the same light as the Internet of things (IOT) when it comes to security concerns; devices with minimal control and security in place, which is essentially very dangerous for corporations. Unlike regular IoT devices (cars, TV’s, games consoles etc) they will be brought into the workplace, so the obvious solution is similar to that of Bring your own devices – either disallow it by policy, or if you have to have them, review your security posture; secure your infrastructure to prevent them from connecting where they shouldn’t i.e. rogue access points, put them into their own designated networks, monitor the network and have its own dedicated security devices etc. - basically standard security stuff and additional segregation,’ says a Senior CIRT Analyst at PGI.
Businesses that take action now to mitigate the risks posed by wearables will be ahead of the curve and should avoid unpleasant surprises when hackers inevitably turn their attention to wearable technology.