
Wearables security: Do enterprises need a separate WYOD policy?

Wearable technology is infiltrating the enterprise, much like BYOD has. Expert Michael Cobb discusses the security concerns of wearables and outlines how to create a WYOD policy.

With wearable technology becoming more readily available and mainstream, what are some of the security concerns enterprises should be aware of? Should enterprises create a wearables security policy?

Wearable technology -- think smartwatches, fitness trackers and smart glasses -- is one of the fastest-growing IT trends, and adoption in the workplace could well mirror that of the smartphone. This raises new concerns for businesses around security, privacy and compliance. Many wearable devices can store and transfer data, but often don't come with built-in security options such as PIN protection or user authentication features, and they usually store data locally without encryption. Wearable devices also allow users to easily and discreetly record video and audio, while captured location information could provide a malicious user with details about daily routines as well as someone's current location.

Although there haven't been any major publicized attacks involving wearables yet, as the technology becomes more widely incorporated into business environments and processes, hackers will no doubt look to access the data wearables hold or use them as an entry point into a corporate network.

As with any new technology, organizations should conduct a comprehensive assessment of personal privacy and business data risks and compliance, as well as determine whether the use of wearables will benefit employees and add value to the business before spending the resources to secure them. Managing a multitude of new and different devices is a big challenge that has resourcing implications; administrators will need to understand the capabilities and security requirements for each device. Bear in mind, though, that banning wearable technology outright may well drive employees from shadow IT to rogue IT -- which is much harder to deal with.

In the near term, most wearable technology will need a companion smartphone to connect to the Internet, which couples it very tightly to BYOD. As a result, existing workplace social networking, safe computing and BYOD usage policies are a good first step toward managing wearables security in the workplace. A separate wear your own device (WYOD) policy will need to be created, though, to cover the differences in functionality and mode of operation. The acceptable usage policy needs to clearly define employees' responsibilities and what they can and can't do using various wearable devices. For example:

  • Define which types of employees will be allowed to use wearable technology.
  • State where they can and can't be used -- certain capabilities may need to be restricted in certain areas.
  • Only allow access to enterprise content via approved apps that include user authentication and a secure content container.
  • Ban contractors from using wearables to collect videos, still images, audio recordings or other types of information about the business, customers or employees.

Employees will also need to understand the business purpose for using wearables, the information the devices collect and the privacy protections that have been established for their use. Provide employee security and privacy training specifically for those using wearables, and ensure only the minimum amount of data necessary to support business tasks is collected. The policy will only be truly effective, though, if it's enforced -- so be sure to update network security controls to detect and control the movement of data to and from wearable devices. Features like an automatic wipe or biometric authentication will help reduce the attractiveness of stolen devices by ensuring a device is rendered useless if stolen.

Enterprises certainly need to prepare now for the impact of wearable security risks on IT infrastructures; wearables create another attack vector that needs defending. Although existing security policies and controls may cover many of the concerns applicable to wearable technology, they will need updating to cover the distinct functionality these devices deliver. Finally, having well-tested plans in place to detect, prevent and remediate a data breach quickly is increasingly important in the WYOD world.


This was last published in August 2015
