How wearables in the workplace create new security risks
Imagine you are the chief security officer for a large enterprise organisation and you suddenly find a small TV crew working its way through your offices, panning a video camera back and forth, recording who knows what: product schedules on white boards, financial reports lying about on desks, an org chart pinned to a wall, customer data displayed on screens—all sorts of confidential information. There would be an audio track, as well, recording hallway conversations about customers, product problems, release schedules, sales probabilities—the possibilities are endless.
As CSO, you would probably scramble to grab any uniformed guards in the building and stop the TV crew in its tracks. You might, if possible, confiscate their recording. After all, if the recorded information were leaked, it could trigger all sorts of regulatory fines.
Few organisations are likely to discover a local news team roaming through their building, but they are quite likely, this year or next, to have individuals capable of recording video and audio and taking pictures with wearable technology such as Google Glass. And from a data security and governance point of view, the risk posed by these devices is just as great as that posed by an invasive TV crew.
In a typical office, healthcare facility, or manufacturing plant, confidential information is everywhere. It’s on desks. It’s on screens. It’s drawn out in bright colours on whiteboards in conference rooms.
True, someone could record this information with a smartphone camera, but in most offices taking pictures, especially of other people’s workspaces, is conspicuous. The unnerving element about wearables like Google Glass—the thing that earned the wearers of the consumer version of this product the sobriquet “glassholes”—is that no one other than the wearer knows what is being recorded. The Glass wearer can trigger recordings with a simple glance, twitch, or remark.
Google has pulled its consumer version of Google Glass from the market. It is now releasing an enterprise version, and the product has genuine promise in fields such as healthcare and technical support. Surgeons can wear Google Glass while receiving instructions and guidance in real time from medical device makers. Technicians can repair equipment in the field, consulting diagrams and documentation visible on their lenses while keeping their hands free.
The potential for wearables to improve patient care, reduce Mean Time to Repair (MTTR) for equipment providers and utility companies, and facilitate a range of other manual tasks all but guarantees that wearables will become more common in the enterprise.
But enterprises need to exercise caution in adopting these devices. They should establish security policies before putting wearable devices into use. And these policies should address at least four aspects of wearable technology.
First, enterprises should remind wearable users that the security and compliance rules already in force apply to wearables and their data. Recorded or transmitted data should therefore be managed with the same diligence and control as other sensitive data. In addition, archives of recordings should be secured and audited. Also, to mitigate security risks, some locations and events may be ruled off-limits for wearables.
Second, enterprises should recognise that wearables are almost always networked devices capable of sending and receiving data over internal networks. Accordingly, wearables should be managed like other mobile devices gaining access to the network: their network access should be tracked and suspicious network activities investigated.
Next, enterprises should be aware that many wearables can run third-party apps. Some of these apps might not be secure. Some might contain malware or harbour vulnerabilities that could give hackers access to internal networks and data. Just as enterprise IT organisations vet the security of apps for smartphones and tablets, so should they vet the security of apps for wearables. They may even want to establish formal white lists and black lists for approved and disapproved apps.
Finally, enterprises should consider establishing social protocols for the use of these devices. Employees may want to be notified before recording begins. Simple courtesy here might remove some of the discomfort that the consumer version of Google Glass engendered, when people in public places were not sure whether they were being recorded.
By thinking about security and compliance upfront, enterprises can ensure that wearables behave like a good pair of sunglasses: protecting what’s sensitive from exposure, while making it easier to act with discernment, even in adverse conditions.