Paul Martini |
Many tech giants have recently made a big push in wearable items – from watches with integrated cellphones, to smart glasses that can record what we see in day-to-day life. Yet, many of these seemingly harmless items are raising security concerns.
Paul Martini, co-founder and CEO of iboss, says that it’s through a device’s ability to interact with the outside world that those security concerns come into place. “For example, if Google Glass did not have the ability to record video, there would be no worry that sensitive data within an organization could be recorded and lost,” he says. “If a smart watch did not have a microphone, there would be no worry that confidential information could be audio-recorded and transferred outside the network. So, by looking at these devices’ abilities to interact with the analog world around them, we can begin to assess the challenges of applying appropriate security measures to protect valuable assets and information.”
In addition to a device’s ability to obtain data, we need to look at storing and transferring data, Martini says. “This is the difference between the original calculator and Samsung’s Galaxy Gear smart watch. Whereas the calculator watch had the ability to sum and multiply numbers, it didn’t have the ability to transfer and in most cases store the information. In contrast, the Galaxy Gear watch sends and receives text messages, makes phone calls and stores voice recordings. Fundamentally, these watches have the ability to both store and transfer data. This is the second critical piece that makes today’s wearable technology like this a security concern for business. Although the data being stored may be harmless, it does not discriminate about the type of data being stored or transferred. The data could be sensitive, violating one of many privacy laws such as HIPAA, or be the company’s Intellectual Property. The ability to store and transfer data is where the problem resides.”
What are possible solutions?
The solution is a combination of creating organizational rules and updating network security infrastructure so that it can detect, and in some cases control, the movement of data to and from these devices. Creating organizational rules regarding acceptable technology, wearable or not, is step one. Then, it’s important to understand how a device works with regard to its ability to store and transfer data. Take the Galaxy Gear watch. Its connectivity is typically via Bluetooth and it must connect to a cellphone to transfer information. Without a cellphone, the watch has no ability to transfer data over the network. It can, however, store pictures and audio recordings within its onboard memory without a phone present. In this case an organization needs to ask whether or not smartphones are allowed on the network. If they are, then the additional risks the watch may bring to the organization are trivial. Most of the functions the watch can perform, for example taking pictures and recording audio, can also be done on the phone. However, if smartphones are not allowed within the workplace due to the risks a camera, audio and storage bring with them, then a smart watch should not be allowed either.
What about Mobile Device Management?
There is a condition where allowing a smartphone might be acceptable, but something like a smart watch would not. If the organization uses Mobile Device Management (MDM) to manage what is enabled or disabled on the mobile phone, then a phone might be acceptable. For example, using a MDM solution, the camera on a phone could be locked so that no pictures could be taken while at the office. This would not prevent a watch from taking and storing pictures, however. An organization has to look at the whole picture when thinking about the risks and acceptable use policy regarding wearable technology. Wearable technology should only be considered acceptable in the organization if it brings value to the company or makes an employee’s life easier so he/she can perform better.
After acceptable use polices, what is next?
An organization should consider upgrading its network security infrastructure. This will help to detect, and in cases prevent, data loss through the use of wearable technology. Advanced security solutions analyze data flows and can identify the type of device sending and receiving data. In the case of wearable technology, the solution could detect data communication out of the network that originated from the device and then alert an administrator of the transfer. Even if the security solution is not able to block the communication generated from the wearable device, detecting it may be enough to alert an administrator that an unacceptable device is being used on the network. When considering wearable technology, remember to take a step back and determine what capabilities the technology has. If the risks outweigh the rewards, consider preventing their use within the organization.