Smart watches: don’t let your network become a fashion victim
By Andrew Young, VP at WatchGuard
The rapid development of mobile processors and internet bandwidth continues to significantly influence the way we work. Whilst employees use as many as three or four personal devices to tap into the corporate network from anywhere at any time, they often give little – if any – thought to the subsequent security implications which arise from granting network privileges to this proliferation of lifestyle wearables in the office.
IDG predicts that by 2019, an astonishing 89 million smart wearables including fitness and health trackers, smart glasses and ‘hearables’ will be transformed into everyday working tools. This represents more than a doubling of today’s estimated 33 million devices.
Whilst commonly perceived as chic lifestyle gadgets, wearables play host to thousands of productivity-boosting apps that have migrated from the wider mobile market to offer “at a glance” messaging and email notifications, for example. But what appears to be a convenient source of fast-delivered information and easy-to-use tools can cause huge headaches for unsuspecting IT departments.
All wearable technology devices are hyper-connected, enjoying Wi-Fi, Bluetooth and often direct cellular connectivity. Whilst the immediate result is an exponential rise in the attack surface of the corporate network, trouble can really ensue when pairing a wearable device with a smartphone.
When paired, tablet and mobile applications are automatically transferred to and installed on the wearables. In other words, a single wearable vulnerability could snowball into something far worse. Imagine inadvertently leaking your sales pipeline and customer information.
Given the popularity of wearable devices among employees, it’s hard to ban them from the office, as this would essentially involve disabling all Wi-Fi and Bluetooth connectivity. The use of wearable technologies in the work environment is therefore on most enterprises’ agenda and is still being debated. Appealing benefits are:
- Instant collaboration among the workforce
- Authenticating the user for logical and physical log in and access
- Information such as sales data, CRM, mail etc. can be accessed anywhere, at any time
Although corporate IT possesses the intelligence to prevent jail-broken smartphones from connecting to the network, it can’t guarantee a safe network as these measures fall short of securing the wearable technologies. Alongside this, other security concerns are:
- Phishing attacks that can capture a smart watch PIN code and then access data on connected personal or corporate devices.
- Malware attacking the device and siphoning off company secrets and data to unauthorised devices.
- Employees losing wearable devices that keep sensitive company data.
But gaining access to sensitive data is simpler than identifying a jail-broken device. Basic social engineering knowledge is enough given the simple access to wearables. To reduce a company’s security risk with wearables, employees should be taught best practices. The bare essentials include:
- A set corporate policy around wearables in the company.
- The requirement of non-trivial passcodes for devices linked to corporate data.
- Stressing the importance of reporting stolen or lost devices immediately.
- Educating employees on how to identify and report spear phishing attacks.
Whilst it certainly might seem a lot to take on board in response to these otherwise benign devices, keep in mind the potential for these technologies to enable far more advanced security policies which include biometric authentication using heart rates and physical access through near-field communication with electronic doors.
Whether for security or productivity, wearable technology will be part of every connected company in the near future. As with every new technology, it’s tempting to embrace its new power and features. However, companies need to address the additional security threats wearables pose from their first adoption, and how to prevent or combat them, with security policies everybody can refer to.