Same old security problems as UK firms await wearable tech invasion

News by Doug Drinkwater

A new report from Trend Micro reveals an IT appetite for wearable devices in the workplace - but an alarming lack of controls to guard against privacy and security threats.

In its 'Walking into Wearable Threats' report, which gathered the views of 100 senior IT decision makers from the UK, the software security firm surprisingly found that 69 percent of these already allow staff to bring wearables to work, with 91 percent expecting the number of employees doing this to increase over the next year.

[It is worth noting, however, that it is not clear if smartphones were categorised as wearable devices. Both Apple's iPhone and many Android smartphones have fitness-tracking applications, while Samsung's Galaxy S5 uses its biometric fingerprint sensor with a paired mobile application so it can be used to monitor heart rate and the user's diet.]

Approximately 61 percent said that their organisation actively encourages the use of wearables while a quarter say that their firm is in the process of rolling them out or already using them. Smartwatches such as the LG G Watch, Moto 360 and Samsung Gear Live remain the most popular choice (65 percent) followed by activity trackers like FitBit and Jawbone.

Interestingly, most businesses seem intent on fitting wearables under their existing BYOD programmes and policies, while more than a quarter of firms say that they are implementing wearables (or plan to do so) as part of a business insurance programme.

Cloud service company Appirio is a good example of this, with SVP Tim Medforth yesterday detailing how the firm has deployed CloudFit, a voluntary wearable device programme, which sees new starters given FitBits to monitor their health. Medforth says that the move has improved health, business engagement (the firm's CEO shares his data publicly) and even health insurance premiums in the US.

However, despite the benefits, the surveyed IT managers also recognised the notable security risks that come with wearable devices. 85 percent said that they were aware wearable devices carried security risks, such as data theft (as cited by 47 percent) and auto-syncing corporate data (34 percent). Despite this, almost two thirds (64 percent) say they are not concerned with the proliferation of devices in the workplace.

Furthermore, 76 percent allow staff to access corporate data on personal mobiles and nearly one in ten (nine percent) say they have no security protocols or guidelines for personal devices connecting to corporate data.

Fortunately most of the respondents believe that security management will have to be tweaked to accommodate the new devices. Approximately 82 percent reckon BYOD policies will have to change and 50 percent think there is a need to put limitations on the data captured. Some 43 percent stress that security policies must become more stringent while an optimistic 73 percent think that organisations will need to draft an independent wearable device policy.

At a roundtable to discuss the findings in central London yesterday, Trend Micro's CTO Raimund Genes said that management techniques have differed from none at all to the extreme – he cited one example of a US-based CISO employing mobile device management (MDM) and virtualisation, a move which resulted in users returning to their bring-your-own devices.

Nonetheless, he says management – and data collection – is an issue for all parties, especially the end user. “Does that individual wearing the device know what is being captured?” he asked.

Genes said that vendors rarely build privacy by design in their wearable devices, with too many vendors having no history or interest in security over usability.

“I really want to know from the vendor [about security] before I use it in a corporate space – it's pretty easy,” he said. “The vendors' approach is easy – it's about usability and ease of use. We see the same thing with Google Glass and we will see the same if and when other wearable devices succeed.”

Genes said that this approach was particularly true of Kickstarter or other crowd-sourced companies which ‘never put in security by design’. Putting in security afterwards is always harder, and whereas it was possible with the internet (firewalls) and Windows viruses (anti-virus), there is currently no obvious answer for wearable devices.

Meanwhile, Vinod Bange, partner at law firm Taylor Wessing, said that wearable devices – and the data they collect – must still adhere to existing legislation such as the 1998 Data Protection Act and added that recent moves from the FTC in the US and the incoming EU General Data Protection Regulation show that data privacy is being taken increasingly seriously.

He said that some corporates will see that these devices are ‘haemorrhaging data’ and – as a result – could abandon device adoption altogether.

However, Genes adds that – as indicated by an earlier Trend report – attacks on wearable/Internet of Things devices are likely to be sparse in 2015 due to the assortment of devices and operating systems, and hopes that the ecosystem will build relationships between vendors and software development houses to build and distribute a steady stream of apps suitable for enterprise.

Citing Apple's recent deal with IBM in the enterprise mobility space, he said: "Over time I believe we will see the same thing on wearables."

Trend Micro's report comes just a week after IT security training body ISACA put wearable tech high on its 'IT Risk/Reward' barometer and was released on the same day analyst house Canalys revealed that nearly five million wearable bands shipped globally in the third quarter.
