Wearables, like smartphones, laptops, and Macs before them, are finding their way into the enterprise. Healthcare and fitness devices are the most popular options today, followed by smartwatches and smart glasses, according to a recent survey by PricewaterhouseCoopers (PwC).
Meanwhile, some companies are issuing fitness devices as part of wellness programs to reduce health insurance costs. In some cases, businesses are collecting or monitoring data that was not previously available without the written consent of employees. Regardless of who owns the devices, IT departments, security personnel, and corporate leaders need to be prepared for unanticipated breaches.
"It's fairly easy to listen to these devices because they use unencrypted [Bluetooth Low Energy]. For under $100, somebody could build a device that will listen in on that communication," said Robert Clyde, CISM and board director of IT governance association ISACA, in an interview. "Generally, you have to be 30 feet or closer, but with an amplified antenna you can do this from well over 100 feet away, which means no one would know you're nearby."
According to Clyde, hacking into an individual's healthcare or fitness device could be valuable from a competitive business standpoint if, for example, a person's heart rate were monitored in the context of a business negotiation. Because health monitors are maturing from simple consumer devices to more sophisticated "medical-grade" devices, the risk to individuals could include employment discrimination, blackmail, contract interference, damage to reputation, or privacy invasion. From a corporate standpoint, the new streams of data -- and how they're handled in transit and at rest -- may raise red flags under HIPAA, the ADA, or other regulations that require strict compliance.
In short, the scope of possible attacks and their potential fallout has not been fully contemplated, nor has the potential effect wearables could have on enterprise security.
"Tracking steps is not very interesting, but if the device is used for access control or identity confirmation, the consequences can be more severe," said PwC principal Mike Pegler, in an interview. "It's important to think of these as a system. The weakest link of the chain could be the point of entry."
Disney reportedly spent $1 billion on MagicBands for visitors to its Magic Kingdom. Guests can use the bands to unlock their hotel room doors, authenticate themselves, make purchases, and relay other types of information, which Disney can use to personalize visitor experiences (and, presumably, encourage more spending). The same capabilities can be used in business settings to simplify tasks such as authentication and access, and to improve efficiency and safety. Whether clothing, visors, wristbands, or other form factors, the number and types of wearables are predicted to explode. As a result, companies need to contemplate the potential effect on the workplace.
"Anyone wearing or utilizing these devices needs to realize that the information they are inputting, such as personal information, credit card information, and medical information, is susceptible to hacking attacks," said Matti Kon, president and founder of software development company and system integrator InfoTech, in an interview. "Devices built on cloud computing [are] vulnerable to possible data breaches, and this information is very valuable to hackers."
Of course, the usual security practices still apply. But there are always new ways to breach existing systems and exploit new endpoints. To help minimize the fallout of a breach, consider these suggestions.