Wearables could compromise corporate data
- 15 July, 2016 20:00
As smartwatches and other wearables gain popularity, experts are warning of potential data security risks in workplaces.
Some employees have begun connecting their personal smartwatches with corporate Wi-Fi networks, which could mimic the problems caused when personal smartphones started showing up at work several years ago. That earlier bring-your-own-device (BYOD) trend fostered an explosion of software products from various vendors for managing devices securely, alongside laptops and desktops.
As wearables begin to flood the workplace, the risk to employers could begin to look like "BYOD on steroids," said Peter Gillespie, an attorney at Fisher Phillips, a national labor and employment law firm representing employers.
Gillespie is concerned that as smartwatches are allowed to attach to emails -- or internal productivity software in some cases -- vital corporate and personal data could be lost, stolen or corrupted.
The problem is only just emerging and few companies seem to understand the potential harms, Gillespie and others said.
"As of now, wearables and Internet of Things devices are not getting attached to employer networks and so it's not been viewed as a serious problem," Gillespie said in an interview. "But I do think employer IT and HR departments should be aware that the consumer rollout of wearables has not been designed with enterprise data security in mind."
He's unaware of even a single example of a user of a personally owned wearable device creating a data security problem for a company, but added: "It's something we're looking at in terms of anticipating potential problems before they happen."
Many smartwatches connect to data via a smartphone over Bluetooth, but some are being sold with cellular connectivity and can provide a user's GPS location and other data. If connected to a corporate directory and other corporate data, there's the potential, albeit small, that such data could be hacked. Or a user's health and fitness data could be hacked, depending on how a company configures its network security.
"It's very difficult to anticipate how creative folks can get about pulling off data and making use of it...and whether that turns into a problem," Gillespie added.
Phil Hochmuth, an analyst at IDC, said enterprises recognize the use of personally owned wearables on corporate networks as a potential security issue. "They are looking for solutions to get ahead of it, although not on a large scale," he said.
So far, typically only a handful of workers in a given company will use a wearable to gain access to email or customer relationship management tools like those available from Salesforce, Hochmuth said. "So far, it's not like businesses are deploying these kinds of wearables widely," he said.
Hochmuth said the corporate risk associated with a consumer wearable inside an enterprise is similar to the BYOD smartphone risk. "They're both connected devices, likely owned by a worker, and in some cases can store a lot of data or sync with corporate apps that contain sensitive information," he said. "A device like an Apple Watch could be seen as a risk if the phone is corporate-owned but the watch isn't."
Enterprise mobility management vendors like BlackBerry and others are creating software that applies specifically to wearables and require protections like passcodes. But so far, the productivity gains of using smartwatches and other wearables in the enterprise are still unproven; this has so far held back the security risk, Hochmuth noted.
Aside from consumer devices like the Apple Watch being used at work, the bigger productivity opportunities for enterprises come from specialized and industrial-focused applications, like augmented reality glasses or wearable data-input devices or sensors. "In industries such as medical, oil and gas, or law enforcement, these specialized devices will interact with sensitive data and the devices will be strictly controlled and managed," he added. "Strong authentication and even geo-fencing are some of the approaches businesses are considering to secure these types of devices."
Typically, such specialized wearable devices will be owned and under direct control of an organization, so a user doesn't take them home or have a chance to use them for personal tasks.
Several EMM vendors offer tools that manage wearables along with other computers like laptops, although it isn't clear the EMM tools are being applied by employers to wearables in any significant way. BlackBerry, MobileIron, Citrix and AirWatch are among the vendors offering mobile device management tools that govern various devices, including some wearable devices.
Such software could be used to both protect sensitive corporate data and data about individual workers -- including their health and whereabouts.
So far, the biggest consumer wearable segment is the fitness band, popularized by Fitbit and others. The demand for smartwatches hasn't reached the expectations of two years ago, but most analysts still predict a rosy future for smartwatch sales, albeit at a slower pace.
Despite some muted warnings by U.S. government officials to consumers about sharing their fitness data with vendors of wearable devices and others, one recent survey shows that consumers are less concerned about wearable privacy and security than they were two years ago.
That online survey of 1,000 U.S. residents, conducted in March by PricewaterhouseCoopers International (PWC), said: "One might have thought that privacy would be the biggest hurdle facing wearable technology today. Not only is this not true, but concerns around privacy have actually lessened for...smartwatches and glasses."
The PWC survey also found that 67% of consumers said their company should pay for their wearable, partly with the expectation that it could be used to increase workplace productivity. The report says 75 million wearables will permeate the workplace by 2020 and quotes Gartner that by 2018, some 2 million employees will be required to wear a health and fitness tracking device as a condition of employment.
"While the benefits of wearables in the workplace are indisputable, employee privacy can pose a challenge," PWC's report said. "Theoretically a company can track an employee's location, hours worked, breaks clocked and even steps taken. Personal time (such as late-night drinking for a friend's birthday) might well be monitored as part of the corporate wellness program. Conversely, employees who don't participate might be perceived as hiding something."
The report added: "Companies could be subject to data breaches, given the content and magnitude of the data. Wearables have the potential to capture/store more personal data than any other device that we've ever owned, including details about employees' every move, habits, interests, and health information."
The PWC reported concluded that questions about wearable security and privacy have yet to be resolved. "As wearable technology becomes ubiquitous in the workplace, transparency and employee education will got a long way toward resolving these issues."