Wearable technology: a Cybersecurity Risk on your Wrist?
Computing devices have evolved remarkably in this century. They have moved from our desktops to our laps, then to our pockets and now onto our bodies. Research and market intelligence company IDC estimates that the wearable devices market will reach a total of 19.2 million units in 2014, driven primarily by gadgets such as Fitbit devices and Jawbone’s UP bracelet.
If industry predictions run true, 2014 will be the year that wearable technology really takes off. Earlier this month Google kicked off its first big come-one-come-all Google Glass sale, opening up the future-forward devices to people beyond the few thousand initially chosen to be beta explorers. Within just a few hours, Google claimed that all the Glass units had sold out. And if the media rumblings are true, we should soon see Apple entering the wearable tech scene with its iWatch product, which has been hotly anticipated for some time.
But as we connect ourselves more and more to the Internet, it’s important to be mindful of the risks and implications of these new devices. Fitness bands that monitor and capture information about our movement using GPS can provide a malicious user with details about our daily routines and patterns, as well as our current location.
Beyond these questions surrounding data protection and privacy, there’s the huge question of what the security implications of connecting these kinds of devices to the corporate infrastructure will be. For IT teams that are already defending their organisations from ever more sophisticated cyber criminals, wearable technology is just another attack vector that needs addressing. Because wearable technology is an extension of BYOD, businesses should already have information and network-security policies in place that cover many of the concerns applicable to it. Although most IT departments already have guidelines that address such issues as workplace social networking, safe computing and BYOD usage, wearable technology raises several questions for the further development of these standards.
For instance, will all employees be allowed to use wearable technology, or will certain types of employees be barred from doing so? Will anyone be required to use it to do their job? And how will personnel be identified and approved for its use? In addition, businesses should think about whether to restrict capabilities, such as by disabling certain features, and figure out where in the organisation wearable technology will be allowed or prohibited.
However, despite the potential risks, the benefits of BYOD and wearable technology are often too strong to ignore. In order to retain control in this mobile world, IT security professionals must be able to see everything in their environment, so they can establish the risk level and then secure it appropriately. For most enterprises, the right solution is to implement policies that clearly define the proper use of employee-owned devices in the enterprise and then have enough checks and controls in place to enforce those policies.
Ultimately, the security of mobile devices is a question of three phases:
Before – establishing control over where, when and how mobile devices are used and what data they can access and store.
During – visibility and actionable intelligence are vital for security professionals to identify threats and risky devices, and to monitor their activities on the corporate network.
After – when the inevitable happens and the network is compromised by a threat, being able to retrospectively review how that threat entered the network, which systems it interacted with and what files and applications were run, to ensure it can be cleaned up as quickly as possible.
At the end of the day, where IT security is concerned, there is no silver bullet and, as cyber criminals become ever more cunning, it is a major challenge for organisations to stay one step ahead. However, increasingly, it’s the way companies deal with hacking incidents when they actually occur that really matters. Having smart plans in place to detect, prevent and, if necessary, remediate quickly can mean the difference between a minor technology hiccup and a full system meltdown.
Sean Newman, Security Strategy, Sourcefire, now part of Cisco.