by Raimund Genes
The use of wearable technology in the UK workplace is soaring, according to a new study we just published in conjunction with Vanson Bourne. Over two-thirds (69%) of enterprise IT leaders say staff bring wearables to work and 91% claim these numbers will increase over the coming year. But what about the privacy and corporate information security risks involved? Will wearables turn BYOD into an unmanageable security black hole? And what additional security steps might be necessary to lock down risk in this area?
We held a roundtable discussion yesterday to find out.
There’s no doubt that 2015 is shaping up to be the year of the wearable device. Some 61% of IT decision makers said their organisation actively encourages the use of them in the workplace. A quarter said they’re already rolling them out while 19% said they’re interested in doing so in the near future. Why? Well, many (27%) said it’s necessary as part of their corporate insurance programme.
But others, like cloud services company Appirio, believe there are more benefits. The firm’s EMEA SVP, Tim Medworth, explained during the roundtable that a voluntary CloudFit wearable device program has helped the firm foster a more collaborative, competitive environment, as well as healthier staff and lower insurance costs.
But what about the cost to enterprise data security and privacy? While 85% of respondents said they were aware of security risks like data theft and auto-syncing corporate data, a worryingly high 64% said they weren’t concerned with the growth of wearables in the workplace.
They should be. We believe that vendors simply aren’t transparent about what kind of data is being collected because security is an afterthought, if a thought at all. However, unlike the world of fixed computing, you can’t add a security layer onto these devices after the event – there’s simply not enough memory available. It’s up to the vendors to ensure security-by-design that meets enterprise standards.
Time to plan
There was recognition by those surveyed that things had to change. Some 82% said they thought their firm’s IT or BYOD security policies would be updated. In addition, half said their organisation needs to introduce limitations on which data is captured by wearables, while 43% said their security policies should become more rigorous as a result.
We think there is no silver bullet to the problem. Organisations need to find out how much data wearables are collecting and work out what is an acceptable level of risk, bearing in mind any industry regulations. CISOs must also turn their attention towards how secure the third-party servers are to which data is being uploaded. After all, it’s not the devices themselves that are likely to be hacked but the back-end systems funnelling and storing collected corporate data.
According to UK law, if a wearable creates a security threat, the employer has an obligation to mitigate those risks, and if it can be used to collect corporate data and deliver it outside the firm, the board is responsible for dealing with any security issues, explained Vinod Bange, partner at Taylor Wessing.
With the coming EU General Data Protection Regulation potentially mandating breach notifications and large fines for non-compliance, UK organisations had better start planning now for the potential privacy and security impacts of IoT wearables.