These days, the most vulnerable spot in your company’s cyber security walks in and out of your front door multiple times a day.
That’s right – long gone are the days when your data lived safely behind firewalls. Sensitive information now lives within mobile clothing and accessories such as wristband fitness trackers, transaction-enabled devices and even bras.
Welcome to the brave new world of wearables, the focus of the latest entry from the Travelers Indemnity Company (or simply Travelers) in its Global Technology’s Risk Advisor series, “The Wearables Revolution Has Arrived” (PDF).
Breaking Down The Types of Wearables
In their report, Travelers broke down wearables into five categories:
- Smart glasses and headgear – e.g. Google glasses and Samsung’s Gear VR;
- Smart watches – e.g. Apple and Android watches;
- Fitness trackers – e.g. Fitbit, Nike FuelBand, and Microsoft Band;
- Wearable medical devices – e.g. Medtronic Continuous Glucose Monitoring system and the ZIO Wireless Patch; and
- Smart clothing and accessories – e.g. Visijax products and the aforementioned OMSignal Bra.
According to Travelers, “Regardless of their physical size or commercial application, wearable devices have three enabling technologies that make them ‘smart’:”
Many wearable products are able to track more than the simple information for which they’re marketed. Two examples of this include:
- High-end fitness trackers that can track not only steps but other health vitals and even offer email and social media functionality and connectivity; and
- Smart watches that offer mobile payment functionality via transmission (e.g. paying for your Starbucks without lugging around your wallet).
Wearable Technology Security Issues
Travelers breaks down the risks posed by wearables into three “classes”:
- Cyber risks;
- Bodily injury; and
- Technology errors and omissions.
Each risk class poses its own problems to businesses, though the second, “Bodily injury,” is specific to wearable manufacturers and will not be discussed here. The following sections look at the business risks of the remaining two classes and list approaches to minimize those risks.
Class 1: Cyber Risks Posed by Wearables
If you’re worried about wearable technology security issues, you’re not alone. In fact, cyber risks and data breaches were the second-biggest concern of US businesses in 2015:
The following two “Illustrative Risk Scenarios” provided by Travelers demonstrate that wearable technology security issues bring their own brand of risks to businesses:
Note: there were personal risk scenarios mentioned in the report as well – we will focus on the business-specific examples only here.
- Signal interception: an employee brings his own smart glasses to work, which are connected to his smartphone. His phone, in turn, is connected to a company network where sensitive customer data is stored, such as credit card and account numbers. A thief intercepts the Bluetooth feed from the smart glasses display en route to a cloud data store, stealing customers’ login credentials to drain bank accounts.
- Corporate espionage: an executive enters his building wearing a wireless identity authenticator. Unbeknownst to him, a similarly dressed corporate spy enters a few steps behind him armed with a wireless signal interceptor. After capturing the executive’s unencrypted PIN number from the electronic signature, the spy can now move about the building with all the permissions the executive enjoys, including access to intellectual property, which he then sells to competitors.
To minimize wearable technology security issues, Travelers suggests that businesses look for the following features in the wearables they allow and, where those features are missing, demand them from manufacturers:
- Custom security levels: give users the ability to choose the security level they are comfortable with when they install their device or pair it with their smartphone. Users seldom consider security when wearing their devices, so defaulting to the least secure settings opens a vulnerability for hackers to exploit.
- Remote erase feature: enable wearable users to remotely erase and/or disable their device if it is ever lost or stolen. Apple does this with the most recent version of the iPhone. Wearable device manufacturers should consider offering the same feature.
- Bluetooth encryption: Bluetooth offers an encryption API when exchanging data between a device and its target data store, but few companies take advantage of it because it decreases battery life.
- Encryption of critical data elements: the most critical pieces of data transferred between wearable devices and data stores are user IDs, passwords, and PIN numbers. Incredibly, most wearable devices transmit these data elements in plain text with no encryption at all.
- Cloud security: data is often transmitted from a wearable device to a smartphone and then to a cloud data store. Virtualized clouds can secure data with multiple diverse operating systems, each operating within a different security context. Banks often secure depositor payment details this way; wearables companies should consider similar functionality and your business should demand it.
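The plain-text PIN problem from the corporate espionage scenario and the “Encryption of critical data elements” item above, as an added example (not taken from the Travelers report or any vendor's code): a static PIN frame verifies again when it is simply resent, while a challenge-response exchange keeps the secret on the device and rejects a recorded reply. The badge ID, PIN, per-device key set at pairing and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def static_frame(badge_id: str, pin: str) -> bytes:
    """Weak design: the identifier and PIN cross the air as plain text."""
    return f"{badge_id}:{pin}".encode()

def verify_static(frame: bytes, enrolled_pins: dict) -> bool:
    """Weak reader: accepts any frame carrying the right PIN, however old."""
    badge_id, _, pin = frame.decode().partition(":")
    return hmac.compare_digest(enrolled_pins.get(badge_id, ""), pin)

def respond(key: bytes, badge_id: str, nonce: bytes) -> bytes:
    """Runs on the wearable: proves possession of the key without sending it."""
    return hmac.new(key, nonce + badge_id.encode(), hashlib.sha256).digest()

class Reader:
    """Hardened reader: issues a one-time nonce and checks an HMAC over it."""
    def __init__(self, enrolled_keys: dict):
        self._keys = enrolled_keys   # badge_id -> secret key (assumed set at pairing)
        self._pending = set()        # challenges issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, badge_id: str, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False             # unknown or already-used challenge
        self._pending.discard(nonce)  # each challenge is single use
        key = self._keys.get(badge_id)
        return key is not None and hmac.compare_digest(respond(key, badge_id, nonce), tag)

def demo() -> dict:
    # Constructed sample values, not real credentials.
    key = secrets.token_bytes(32)
    reader = Reader({"badge-0042": key})
    frame = static_frame("badge-0042", "4921")
    nonce = reader.challenge()
    tag = respond(key, "badge-0042", nonce)
    return {
        "pin_on_air": b"4921" in frame,
        "static_replay_accepted": verify_static(frame, {"badge-0042": "4921"}),
        "fresh_response_accepted": reader.verify("badge-0042", nonce, tag),
        "same_nonce_replay_accepted": reader.verify("badge-0042", nonce, tag),
        "old_tag_new_nonce_accepted": reader.verify("badge-0042", reader.challenge(), tag),
    }
```

This protects the credential itself against capture and replay; other data on the link still needs the transport encryption listed above.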
Class 3: Technology Errors and Omissions Risks Posed by Wearables
While it’s presumed that wearable manufacturers take every possible precaution to release a flawless product to the marketplace, it’s inevitable that errors will happen and that details will be missed.
The following two “Illustrative Risk Scenarios” provided by Travelers demonstrate that wearables bring their own brand of “Murphy’s Law” to businesses:
- Ecommerce site shutdown: a smart watch user connects to a company network. The smart watch is infected with malware due to a vulnerability in the device software. The malware infects the corporation’s network and executes a DDoS attack, shutting down the company’s e-commerce system for two days.
- Virtual reality device software failure: a trucking company contracts with a training company that uses wearable virtual reality devices to train long haul truckers for their Commercial Driver’s License (CDL) certification. A glitch in the device software prevents completion of the CDL program, resulting in the trucking company not having an adequate number of drivers. The trucking company fails to complete shipping contracts, losing revenue and customers. Additionally, the training company suffers damage to reputation and a loss of business.
While Travelers’ suggestions to alleviate risk in this class were primarily aimed at limiting the liability of wearable manufacturers, here are a couple of common-sense recommendations you can use to reduce the risk to your business in these scenarios:
- In the case of malware, your ecommerce solution should be equipped with the latest and greatest malware detection and quarantine solution, one that protects your systems no matter where the threat originates.
- Any training system should be tested end-to-end once put into place. That would allow for early detection of errors and a quick resolution.
The growing number of wearable “smart” products is sure to usher in a new age of wearable technology security issues for businesses. While this may lead you to ban wearables altogether, their business benefits in terms of increased productivity and functionality are undeniable.
As with all new technologies, the key lies in managing risk: reducing the damage that a new technology can inflict on your business. With that approach in mind, your business can more comfortably move forward into exploring the wearables revolution.