“Everyone knows that hackers only go after big organizations!” the wearable medical device representative shouted at me after my presentation on the need to build security and privacy controls into such devices, as well as having policies and procedures governing their use within the business organization. “It is a waste of our time, effort and money to establish and build in such security and privacy controls!”
This one person’s strong opinion is one that I’ve heard many times over the years about implementing security and privacy controls in general. And it is becoming more dangerous from a security and privacy perspective to not only those using wearable devices of all kinds (medical, fitness, tracking, etc.), but wearables also bring significant risk to the organizations whose employees are wearing them.
Risks exist that need to be mitigated
Have you established information security and privacy policies for the use of wearable computing devices within your organization? No? Well, what are you waiting for? Research shows that 1/5 Americans own and use some type of wearable
Those wearables not only create privacy and security risks through the wide range of video and audio surveillance capabilities many have, but also through their wireless connectivity to networks and other types of smart devices; creating pathways to valuable data. These risks must be addressed sooner rather than later. Let’s imagine if your organization had 500 employees. Considering the research that would mean 100 of your employees used these devices, and likely many of them are within your business environment, putting your systems and data at risk in a wide range of ways.
Such devices may be covered by the organization’s BYOD policies and procedures, depending upon how those documents are worded. However, it is very likely you’re your organization has not yet addressed this topic. The Information Security Audit and Control Association (ISACA) published a cool infographic showing the results of an Internet of Things (IoT) study they did in 2014. The results are interesting. Consider this:
- 60 percent believe wearable devices are equally risky with smartphone, laptops and other more commonly-considered BYOD devices. But…
- 89 percent do not have policies that cover wearable devices.
Employee privacy must also be addressed
Organizations need to establish rules now for how wearables will be used within the organization. And not just from the perspective of protecting the business from the employees who are using the wearables, but also from the perspective of protecting the employees to whom the business has given a wearable to use while doing business activities.
Businesses are now giving wearable devices to employees to do a variety of activities. Here are just two examples:
- To authenticate to systems and do such things as allow access to restricted areas, use business services, and even pay for food in the company lunchroom
- To track their locations within corporate campuses to determine their whereabouts, and for workers in oil fields to use to view real-time video to monitor conditions
The use of wearables by businesses will only continue to grow.
What controls should be established for wearables?
Consider this. As a result of the many FDA safety checklists that must be followed, medical device manufacturers are used to following checklists when creating their devices to meet regulatory requirements. So, over a year ago, I created a medical device information security and privacy checklist for them to use to build in security and privacy protections, and also establish requirements within their organization. Businesses of all types can use a similar checklist to establish their own security and privacy requirements for the use of smart wearables within their organizations.
There are some additional key points to address. From a security and privacy management standpoint here is a high-level list to use for how the business uses wearables:
- Use only secure wearables. Make sure the data is encrypted, that access controls are implemented, and that systems are kept patched with the latest security updates.
- Use wearables only to support business activities. Do not use wearables to track employees outside of business activities, or to record information about the employees using the wearables outside of business time and facilities.
- Explain to employees the business purpose for using wearables, the information collected with them, and the privacy protections that have been established for their use.
- Provide employee security and privacy training specific for those using the wearables.
- Minimize the data collected using the wearables to only that necessary to support business purposes.
Here are some guidelines to follow for how the business allows employees and contractors to use their own personal wearables:
- Do not allow employees or contractors to use wearables to collect videos, still images, audio recordings, or other types of information that is about the business, customers, patients, or employees.
- When they are using a wearable to collect information in any way, require employees and contractors to notify those in their immediate vicinity that they are doing so, and direct them to respect and follow the requests to not include those around them, or anything within their work areas, in their data collection activities.
Wondering about that angry man shouting at the beginning of this post? I noted his company and will plan to avoid using their apparently high risk devices unless his business leaders are wiser and will take actions to secure them.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One (http://techpageone.dell.com/). Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: cybersecurity, Dell, FTC, Information Security, Internet of Things, IoT, privacy, privacy professor, privacyprof, Rebecca Herold, smart device, TechPage, wearable, wearables