Protecting Data Against Wearable Technology Risks

Security Talk
Paul Martini

Many tech giants have recently made a big push in wearable items – from watches with integrated cellphones, to smart glasses that can record what we see in day-to-day life. Yet, many of these seemingly harmless items are raising security concerns.

Paul Martini, co-founder and CEO of iboss, says that it’s through a device’s ability to interact with the outside world that those security concerns come into place. “For example, if Google Glass did not have the ability to record video, there would be no worry that sensitive data within an organization could be recorded and lost,” he says. “If a smart watch did not have a microphone, there would be no worry that confidential information could be audio-recorded and transferred outside the network. So, by looking at these devices’ abilities to interact with the analog world around them, we can begin to assess the challenges of applying appropriate security measures to protect valuable assets and information.”

In addition to a device’s ability to obtain data, we need to look at storing and transferring data, Martini says. “This is the difference between the original calculator and Samsung’s Galaxy Gear smart watch. Whereas the calculator watch had the ability to sum and multiply numbers, it didn’t have the ability to transfer and in most cases store the information. In contrast, the Galaxy Gear watch sends and receives text messages, makes phone calls and stores voice recordings. Fundamentally, these watches have the ability to both store and transfer data. This is the second critical piece that makes today’s wearable technology like this a security concern for business. Although the data being stored may be harmless, it does not discriminate about the type of data being stored or transferred. The data could be sensitive, violating one of many privacy laws such as HIPAA, or be the company’s Intellectual Property. The ability to store and transfer data is where the problem resides.”

What are possible solutions?

The solution is a combination of creating organizational rules and updating network security infrastructure so that it can detect, and in some cases control, the movement of data to and from these devices. Creating organizational rules regarding acceptable technology, wearable or not, is step one. Then, it’s important to understand how a device works with regard to its ability to store and transfer data. Take the Galaxy Gear watch. Its connectivity is typically via Bluetooth and it must connect to a cellphone to transfer information. Without a cellphone, the watch has no ability to transfer data over the network. It can, however, store pictures and audio recordings within its onboard memory without a phone present. In this case an organization needs to ask whether or not smartphones are allowed on the network. If they are, then the additional risks the watch may bring to the organization are trivial. Most of the functions the watch can perform, for example taking pictures and recording audio, can also be done on the phone. However, if smartphones are not allowed within the workplace due to the risks a camera, audio and storage bring with them, then a smart watch should not be allowed either.

What about Mobile Device Management?

There is a condition where allowing a smartphone might be acceptable, but something like a smart watch would not. If the organization uses Mobile Device Management (MDM) to manage what is enabled or disabled on the mobile phone, then a phone might be acceptable. For example, using an MDM solution, the camera on a phone could be locked so that no pictures could be taken while at the office. This would not prevent a watch from taking and storing pictures, however. An organization has to look at the whole picture when thinking about the risks and acceptable use policy regarding wearable technology. Wearable technology should only be considered acceptable in the organization if it brings value to the company or makes an employee’s life easier so he/she can perform better.

After acceptable use policies, what is next?

An organization should consider upgrading its network security infrastructure. This will help to detect, and in some cases prevent, data loss through the use of wearable technology. Advanced security solutions analyze data flows and can identify the type of device sending and receiving data. In the case of wearable technology, the solution could detect data communication out of the network that originated from the device and then alert an administrator of the transfer. Even if the security solution is not able to block the communication generated from the wearable device, detecting it may be enough to alert an administrator that an unacceptable device is being used on the network. When considering wearable technology, remember to take a step back and determine what capabilities the technology has. If the risks outweigh the rewards, consider preventing its use within the organization.
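The detection described above, combined with the MDM condition from the previous answer, can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the policy table, field names and flow records are constructed, and the device class is assumed to come from an upstream sensor that fingerprints device types.

```python
from collections import defaultdict

# Assumed acceptable-use policy: device class -> rule (names are hypothetical).
POLICY = {
    "laptop": "allow",
    "smartphone": "allow_if_mdm",  # phone is acceptable only when MDM-managed
    "smartwatch": "deny",          # MDM on the phone does not lock the watch camera
}

# Constructed flow records; "device" is the class an upstream sensor assigned.
FLOWS = [
    {"mac": "02:00:00:00:00:01", "device": "laptop", "mdm": True,
     "dst": "203.0.113.10", "out_bytes": 52_000, "blocked": False},
    {"mac": "02:00:00:00:00:02", "device": "smartphone", "mdm": True,
     "dst": "203.0.113.10", "out_bytes": 8_000, "blocked": False},
    {"mac": "02:00:00:00:00:03", "device": "smartphone", "mdm": False,
     "dst": "198.51.100.7", "out_bytes": 120_000, "blocked": True},
    {"mac": "02:00:00:00:00:04", "device": "smartwatch", "mdm": False,
     "dst": "198.51.100.7", "out_bytes": 300_000, "blocked": False},
    {"mac": "02:00:00:00:00:04", "device": "smartwatch", "mdm": False,
     "dst": "198.51.100.7", "out_bytes": 150_000, "blocked": False},
]

def violates(flow):
    """True when the device class is not acceptable under POLICY."""
    rule = POLICY.get(flow["device"], "deny")  # unknown class: unacceptable
    if rule == "allow_if_mdm":
        return not flow["mdm"]
    return rule != "allow"

def detect(flows):
    """One alert per offending device, totalling its outbound bytes."""
    totals = defaultdict(lambda: {"out": 0, "unblocked": 0, "dsts": set()})
    for f in flows:
        if violates(f):
            t = totals[(f["mac"], f["device"])]
            t["out"] += f["out_bytes"]
            t["dsts"].add(f["dst"])
            if not f["blocked"]:  # detection still matters when blocking failed
                t["unblocked"] += f["out_bytes"]
    return [{"mac": mac, "device": dev, "out_bytes": t["out"],
             "unblocked_bytes": t["unblocked"], "dsts": sorted(t["dsts"])}
            for (mac, dev), t in sorted(totals.items())]

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print("ALERT unacceptable device:", alert)
```

The `unblocked_bytes` field separates transfers the control stopped from those it only observed, which is the case where the alert to an administrator is the only safeguard.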
