There is no doubt that the world is becoming more mobile. Each year, we see an expanding range of mobile devices enter the market, increasing connectedness and changing the very nature of communication, work, and even our approach to life.
One key factor behind this shift is the proliferation of wearable devices, and more widely, the ‘Internet of Things’ (IoT). These technologies have the potential to provide greater flexibility and time-efficiency for consumers – enabling management of personal, professional and everyday tasks virtually anytime, anywhere.
Demand in this area is growing at a rapid rate. Manufacturers reportedly shipped more than 700,000 Android Wear watches in 2014. The recent launch of the Apple Watch resulted in global pre-orders exceeding 2.3 million and sales forecasts of $15 million in the US alone. By 2018, it is estimated that the wearable market will be worth 12.6 billion US dollars.
It’s clear where this demand is coming from. One recent independent survey found that among males aged 18-34 and people with children under the age of 18 at home, 42% of respondents already own or plan to buy a wearable, with 95% of this segment planning to use wearables for work tasks. This hyper-connected demographic can be labelled Generation Mobile (or ‘Gen M’) due to its embrace of the shifting work/life dynamic.
New information security challenges
As Gen M and others adopt more wearables and these devices enter the workplace, IT departments are going to face a number of new information security risks and challenges. These risks will necessitate a rethink of IT strategies as well as adaption of infrastructure to enable the secure and effective use of wearables in work contexts.
As a relatively new technology, wearables are undergoing a constant process of development and improvement. Companies are continuing to experiment with capabilities and apps to maximise functionality and efficiency for employees.
Today’s wearables are generally driven by notifications – one can think of them as a 'presentation layer' to the smartphone in a user’s pocket. Users can receive information on their wrist and take limited actions to the device as well.
Much like the early set of consumer smartphones that made their way into the enterprise, today’s generation of wearables lack many of the security features common in today’s smartphones. While Apple Watch does provide encryption, the range of wearable devices offer limited remote policy, configuration, or management functions. And because offline data storage is limited, though possible, many of today’s wearables do not include encryption as well.
Enterprises will need to drive both their internal application development teams, contractors, and commercial ISVs to add core security features to their wearable applications.
The bright side is that we’ve seen some ISVs set up and actually add key features, like encryption, to their wearable apps in order to address the limited functionality available intrinsically in the wearable itself.
Another challenge is that not all wearables are created equal. Some, like the Apple Watch, are tightly coupled to the host device (in this case, the iPhone). Others, like the Samsung Galaxy Gear S, have greater capabilities for offline data storage and include autonomous connectivity on the device with its on SIM, allowing for phone calls and SMS messages to be sent directly from the wearable.
And while the device is designed to be paired with a Galaxy phone or phablet, there are well-documented mechanisms to have the device operate autonomously.
These marked differences in architecture mean that enterprises will have to take a critical look at their wearable strategy with a critical lens toward the capabilities of each wearable device.
Building your wearable strategy
Blocking wearables outright is ultimately an unachievable task. At a technical level, enterprises can only attempt to block the application that pairs the wearable to the phone or disable device functions like bluetooth data – options that aren’t even available on every smartphone platform. And blocking these functions will likely cause users to un-enrol from their EMM system, limiting the benefits that having smartphones in the workplace provide.
So what is IT to do? Crucially, enterprises will need to understand the data users handle and what regulatory concerns exist around that data. Once these risks are defined, IT needs to work with HR and legal departments to update acceptable use policies and set expectations about how wearables can be used in the workplace. For users that regularly handle sensitive data, containerisation may need to be leveraged in order to limit data being synced to a wearable.
Users ultimately want to do the right thing, so IT should proactively communicate the risks associated with accessing corporate data on wearables. This communication should be a two-way street – users should understand what data they can and cannot access, but users should also provide feedback over their experiences and the data they want to access.
In some cases, new applications that provide access to data with security intrinsic to the application may need to be developed in order to meet users’ needs for productivity.
These engagements will need to happen on a regular basis as new wearables reach the market. IT will need to be proactive in updating both technical infrastructure and policies to ensure that they meet the latest trends as new wearables reach the market.
Ultimately, wearables will evolve and become increasingly enterprise-ready, just like consumer smartphones and tablets evolved over the past eight years. Wearables present a tremendous opportunity to provide productivity for end users, so it falls to IT to understand and manage the risks accordingly.
Sourced from Sean Ginevan, senior director of Strategy, MobileIron