by Bharat Mistry
There’s a global awareness-raising initiative for just about every aspect of IT and cyber security today. World Backup Day, Safer Internet Day, Data Protection Day – they all share a common purpose: to engage, educate and motivate individuals and organisations around the world. This Saturday 9 April will see one such event – the fifth annual World Internet of Things (IoT) Day.
The IoT is already having a huge impact on our lives – both at home and, more importantly, at work. But in this race for the new we run a very real risk of adopting technology which has been designed with little regard for security or privacy. So let’s use the occasion of World IoT Day to think more carefully about how to secure smart technology in the enterprise.
The IoT is coming
The Internet of Things can mean many things in the corporate world. On the one hand it includes sensor-driven industrial systems designed to improve operational efficiency and increase production. But on the other, there’s the wealth of wearable smart devices being brought into the enterprise to boost employee productivity, staff morale and well-being, and support insurance providers’ demands.
Research commissioned by Trend Micro last year shows us the level of adoption of wearables across Europe and the Middle East. An overwhelming majority of IT professionals we polled (79%) claimed they’d seen increasing numbers of staff bringing wearable tech into the workplace – whether that’s smart watches, fitness trackers, head-mounted displays or other connected tech. Tellingly, 90% of respondents claimed security policies would need to change as a result, while over half admitted they’d need to restrict what data can be captured by these devices.
As these devices get more powerful, there’s a real risk of them exposing corporate data by automatically syncing and downloading when connected to the network. Location data could also be tapped for social engineering attacks on staff. Then there’s the future risk of any mic or camera embedded in a smart device being hijacked and used to spy on sensitive meetings.
In a separate report last summer, Trend Micro found serious security and privacy flaws in six big-brand smartwatches including the Apple Watch, Motorola 360, LG G Watch, Sony Smartwatch and Samsung Gear Live. These included no device authentication by default and – with the exception of the Apple Watch – the lack of a device wipe function after several failed log-in attempts. What’s more, the ‘trusted devices’ feature on Android removes the need for a smartphone password when held next to a verified device. This means a thief with both smartphone and smartwatch in their possession could get unrestricted access to both devices.
IT security bosses already have experience of these challenges in relation to the Bring Your Own Device (BYOD) trend. And to an extent some of the same principles can be applied to secure the growing number of ‘Bring Your Own Wearables’ (BYOW) in the enterprise.
Here are a few tips to get started:
- Research employee use of wearables. How many own them? Do they connect to the corporate network? Do they sync data? If so, how valuable is that data? What security features do these devices have?
- Adjust corporate use policy to include wearable technology. Any device which doesn’t meet your baseline for security – in line with the organisation’s risk appetite – can’t join the corporate network.
- Update employee training and awareness programs to teach users about the security and privacy risks of BYOW.
- Encryption for data at rest on the device, strong user authentication by default and auto-timeout/remote wipe capabilities would help improve the security of wearables.