Wearables makers were expected to sell 274.6 million devices in 2016, according to a Gartner report. Nearly three quarters of millennials, 71 percent, say their companies should give them wearables like smart watches or smart glasses, shows a PwC survey. Almost half – 49 percent – backed their techno lust by claiming that wearables would boost productivity. Corporate wearables adoption, however, comes at the price of myriad unexplored and unaddressed security risks.
Wearables are tiny, making them easy to snatch while left in a gym, for instance. Since they require little authentication, thieves – or virtually anyone else – can then access all the data stored on them at leisure.
BYOD (bring your own device) policies – where in place – rarely address the new challenges posed by wearables. Most mobile device management systems are still untested in scenarios where corporate wearables feature widely in company networks.
Most, if not all, wearables are connected. They synchronise data with cloud based services or corporate servers. Most of these data are unencrypted. Companies cannot enforce encryption, since these are third party apps. Their embedded software is beyond the reach of a corporation customising its software or making it more secure. This invokes a classic man-in-the-middle attack scenario in which data in transit is totally exposed.
A good many wearables can transmit video, audio, and data. This makes them perfect for spying. Indeed, not a few corporate wearables sell precisely because of their crypto-spying capabilities, like tracking employee location, monitoring driving safety to cut corporate car insurance bills, or even observing employee moods.
Over-monitored employees can turn the tables on their employers, however, by recording images or sound during sensitive corporate meetings. (What is more, some of them could do so entirely unintentionally.) Checking every wearable for activated spying capabilities is an uphill task even for multinationals.
An active wearable usually links to smartphones or tablets through protocols like Bluetooth, NFC, or Wi-Fi/wLAN. Bluetooth, for one, is quite prone to hacking, jeopardising corporate wearables connected or communicating with other devices via Bluetooth. An unsecured Bluetooth connection can be snooped from up to 100 feet, making it easy for a penetrator to hide. The same applies to unsecured Wi-Fi networks inside or outside the office.
Highly fragmented as the wearables industry is, it might find it worthwhile to invest into basic compatibility and communications security standards. It should easily afford to do so, with a 2016 turnover expected to be an impressive $28.7 billion. Indeed, some months ago UL (formerly Underwriters Laboratories) announced it was looking to certify wearables for security and privacy. The move addresses individual privacy, however, leaving corporate concerns unattended.
Many manufacturers install proprietary software and operating systems into their wearables. They often do not support secure third party apps, yet allow unsecured apps to run on their devices. Patching and securing a wearable largely depends on its maker’s goodwill and dedication to improving device software continuously.
Since 37 percent of employees expect their companies to roll-over older technology for the latest, transiting to newer and more secure corporate wearables should be easy.
Companies can further motivate corporate wearable users into accepting secure new devices by highlighting the risk to their most intimate personal and domestic security. While it is very chic to sport the latest wearable, some devices will soon be able to communicate with the Internet of Things and control home appliances and security. Should unsecured devices be hacked, the consequences are potentially hair-raising.
Corporate wearables adoption is burgeoning and backed by a rapidly growing number of employees. Businesses, however, should be very wary of just what they offer their employees in the way of wearables while the security aspects remain unaddressed.
By Kiril Kirilov
