Wearables At Work: 9 Security Steps Worth Taking
Press,
Text,
InformationWeek / Jun 6, 2016
Wearables are finding their way into organizations, whether or not IT departments are prepared to deal with them. As the number of endpoints continues to grow, so does the potential for hacks. These nine pointers will help you prepare your organization to keep ahead of threats.
(Image: Unsplash via Pixabay)
Wearables, like smartphones, laptops, and Macs before them, are finding their way into the enterprise. Healthcare and fitness devices are the most popular options today, followed by smartwatches and smart glasses, according to a recent survey by PricewaterhouseCoopers (PwC).
Meanwhile, some companies are issuing fitness devices as part of wellness programs to reduce health insurance costs. In some cases, businesses are collecting or monitoring data that was not previously available without the written consent of employees. Regardless of who owns the devices, IT departments, security personnel, and corporate leaders need to be prepared for unanticipated breaches.
“It’s fairly easy to listen to these devices because they use unencrypted [Bluetooth Low Energy]. For under $100, somebody could build a device that will listen in on that communication,” said Robert Clyde, CISM and board director of IT governance association ISACA, in an interview. “Generally, you have to be 30 feet or closer, but with an amplified antenna you can do this from well over 100 feet away, which means no one would know you’re nearby.”
According to Clyde, hacking into an individual’s healthcare or fitness device could be valuable from a competitive business standpoint if a person’s heart rate were monitored in the context of a business negotiation. Because health monitors are maturing from simple consumer devices to more sophisticated “medical-grade” devices, the risk to individuals could include employment discrimination, blackmail, contract interference, damage to reputation, or privacy invasion. From a corporate standpoint, the new streams of data — and how they’re dealt with in transit and at rest — may raise red flags with HIPPA, ADA, or other regulations that require strict compliance.
In short, the scope of attacks, and their potential fallout, have not been completely contemplated, nor has the potential effect wearables could have on enterprise security.
“Tracking steps is not very interesting, but if the device is used for access control or identity confirmation, the consequences can be more severe,” said PwC principal Mike Pegler, in an interview. “It’s important to think of these as a system. The weakest link of the chain could be the point of entry.”
Disney reportedly spent $1 billion on MagicBands for visitors to its Magic Kingdom. Guests can use the bands to unlock their hotel room doors, authenticate themselves, make purchases, and relay other types of information, which Disney can use to personalize visitor experiences (and, presumably, encourage more spending). The same capabilities can be used in business settings to simplify tasks such as authentication and access, and to improve efficiency and safety. Whether clothing, visors, wristbands, or other form factors, the number and types of wearables is predicted to explode. As a result, companies need to contemplate the potential effect on the workplace.
“Anyone wearing or utilizing these devices needs to realize that the information they are inputting, such as personal information, credit card information, and medical information, is susceptible to hacking attacks,” said Matti Kon, president and founder of software development company and system integrator InfoTech, in an interview. “Devices built on cloud computing [are] vulnerable to possible data breaches, and this information is very valuable to hackers.”
Of course, the usual security practices still apply. But, there are always new ways to breach existing systems and exploit new endpoints. To help minimize the fallout of a breach, consider these suggestions.
As with the Bring Your Own Device (BYOD) smartphone trend, resistance to wearables in the workplace may prove futile. Regardless of how the devices find their way into your organization, you need prepare for the potential consequences of a breach.
“The low-hanging fruit for the adversary is capturing data that is shared or very lightly protected, rather than targeting the vulnerability of the backend server,” Jacob West, founding member of the IEEE Center for Secure Design, said in an interview. “It’s easier to get at the data that the user shares inadvertently than steal it from the provider once it’s been locked down.”
(Image: skeeze via Pixabay)
Most wearables on the market today connect to smartphones or laptops via Bluetooth, and ultimately rely on a cloud or a web-based system. Since the chain is only as strong as its weakest link, potential weaknesses throughout the ecosystem need to be considered.
(Image: geralt via Pixabay)
It’s easy for the average consumer to assume that wearables are safe, even though they’ve been warned about the dangers of other connected devices for years. “You don’t hear a lot about wearables being targeted for attack. But with the type of data they’re collecting, and the speed at which they’re being adopted, it’s up to the imagination of the hacker to get the data off the device, or to infect the device with the goal of infecting something else,” said Christopher Roach, managing director and national IT practice leader at CBIZ Risk and Advisory Services, in an interview.
(Image: geralt via Pixabay)
![Typical Design Flaws Apply Wearable device designs are not immune to design flaws. In the race to get to market with the coolest device security holes can be overlooked. The oversight can put a business and its employees at risk. 'A lot of mistakes you can make when building a software system are not specific to the type of software you're building,' said Jacob West, founding member of the IEEE Center for Secure Design. 'As people become more mature about how they treat [the] data, and become more educated about the types of data collected, we'll see more adversarial attacks, which we're seeing for more traditional systems.' The prpl Foundation, a nonprofit open source foundation, has peer-reviewed guidelines designed to improve the security of embedded device designs. The guidelines include topics such as addressing fundamental controls for securing devices, using a Security by Separation approach, and enforcing secure development and testing. (Image: geralt via Pixabay)](http://img.deusm.com/informationweek/2016/06/1325787/hands-1004271_1280.jpg)
Wearable device designs are not immune to design flaws. In the race to get to market with the coolest device security holes can be overlooked. The oversight can put a business and its employees at risk.
“A lot of mistakes you can make when building a software system are not specific to the type of software you’re building,” said Jacob West, founding member of the IEEE Center for Secure Design. “As people become more mature about how they treat [the] data, and become more educated about the types of data collected, we’ll see more adversarial attacks, which we’re seeing for more traditional systems.”
The prpl Foundation, a nonprofit open source foundation, has peer-reviewed guidelines designed to improve the security of embedded device designs. The guidelines include topics such as addressing fundamental controls for securing devices, using a Security by Separation approach, and enforcing secure development and testing.
(Image: geralt via Pixabay)
If your company doesn’t already have cyber liability insurance, consider getting it now. The insurance helps insulate a company from the costs of a potential breach, which can be highly damaging — if not fatal — for some organizations.
“Unless you’ve drawn up a contract between two organizations as an outsourced relationship, there’s very little liability for providing insecure, broken software. Most companies eschew all liability through the license agreement,” said Jacob West of the IEEE Center for Secure Design. “This is something that’s going to get a lot of attention from the technical, legal, and insurance industries, because enterprises want to anticipate and redistribute the risk of cyberattacks, and an insurance model is the way we do that.”
(Image: PublicDomainPictures via Pixabay)
When a breach occurs, accusations fly. While it’s impossible to anticipate everything that could possibly happen, it is prudent to put some safeguards in place.
“There’s a heightened level of responsibility if a company is providing someone with a piece of technology. There’s an assumption that you have vetted that,” said James Goodnow, a technology attorney at law firm Fennemore Craig, in an interview. “If a lawsuit arises, you’d look at it primarily from a negligence standpoint: What would a reasonable business do under the circumstances?”
Of course, what is “reasonable” can change over time, particularly when it comes to the use of technology and adherence to technology standards (in the case of manufacturers and third parties). Meanwhile, consumers, employees, and employers should use common sense about the information they put on wearables, and consider the cost and benefits of using the devices, Goodnow said.
(Image: stevepb via Pixabay)
Devices entering an enterprise should be subjected to management practices previously adopted for laptops and smartphones. If you haven’t updated your policy, do so now, and make sure employees sign it.
“Employees who want to bring their own devices should alert the IT department, but practically speaking that’s hard to track and not everyone will do it,” Goodnow said. “You want to identify what’s out there, and if you can find overlay software that allows you to cut off connection to your network, that’s critical. You need to have a system in place that can disconnect the device, wipe it, and identify potential breaches if they exist.”
(Image: TBIT via Pixabay)
Data breaches are dealt with differently in different jurisdictions, which means laws vary from country to country and from state to state. Failing to understand the differences can increase liability exposure, which may take the form of fines in addition to lawsuit costs.
“Most businesses have no idea what the law is on this. Know the law. Read it at a minimum, look it up online, or even better, hire a lawyer to help you develop a system to respond to a data breach,” Goodnow said.
Also, consider a security audit from a credible third party. If your company is sued, and you’ve implemented the changes recommended by the auditor, it may help convince a jury that your company did, in fact, take reasonable steps to secure information, according to Goodnow.
(Image: tpsdave via Pixabay)
The question isn’t whether a breach will happen, but when it will happen. Since it’s impossible to know when an adversary will attack, it’s wise to plan for the event in any case. A forensic examination can reveal what happened and how, although most organizations lack the resources they need to perform effective forensic work. From reputational and cultural perspectives it’s imperative that employees and customers be notified about a breach in a timely manner and informed about what the company is doing to address it, even though the details of the breach may remain unknown for weeks or months.
“The biggest mistake companies make when something happens is to delay communication until they think they have the whole picture, thus reducing their user’s or employee’s ability to protect themselves because they’re not aware of what’s going on,” Jacob West said. “The longer you wait to admit a problem, the more it appears you’re trying to cover something up.”
(Image: Unsplash via Pixabay)
