The use of wearable technology in the UK workplace is set to take off over the next few years. This is the subsequent development of two related trends: bring your own device (BYOD) and the consumerisation of IT.
Just the same as when smartphones entered the market, wearables are now being brought into the office by employees, and this will only accelerate when the Apple Watch launches later this year.
However, as these wearable devices will inevitably connect to corporate data there will be accompanying privacy and information security risks, such as data theft. In order to avoid these problems, businesses must act now to launch security policies that lock down any potential risks posed by wearables at work.
The rise of the wearable technology category, which includes smartwatches, fitness trackers and smart glasses, seems inexorable. And 2015 is shaping up to be the year of wearable tech, with a raft of new devices at CES, the world’s biggest electronics trade show.
According to new research conducted by Trend Micro and Vanson Bourne, which assessed business readiness for wearable devices, 61% of IT decision makers said their organisation already actively encourages the use of wearables in the workplace. A similar proportion (60%) said they have either implemented, have started to implement, or are interested in implementing wearables in the future.
Of the same group of respondents, smartwatches (such as Pebble, Samsung Gear and Sony SmartWatch) were the most popular devices for deployment or potential deployment – favoured by 65% – followed by activity trackers (58%) and smart glasses (40%).
Among the organisations that are either rolling out wearables or are planning to, one of the main drivers was improved productivity (58%), followed by incorporating wearables in a broader BYOD programme (52%), a staff wellbeing programme (32%), or a business insurance programme (27%).
As wearables grow in functionality and sophistication, there’s every reason to think that they too will access the corporate network in some way. Three-quarters (76%) of UK respondents said their organisation allows staff to access corporate data (e.g. work emails) on their personal mobile devices in general.
But the connection of wearables to the office network raises with it an entirely new set of security headaches for IT managers. Organisations must consider how they will manage these devices in order to reduce these risks. The track record of businesses mitigating security risks from the BYOD trend shows that the earlier measures are implemented, the better. However, the research found that, even now, almost one in ten (9%) said their organisation has no security protocols or guidelines for personal devices that connect to corporate data.
While 85% of respondents said they were aware of security risks such as data theft and auto-syncing corporate data, a worryingly high 64% said they were not concerned with the growth of wearables in the office. They really should be – unlike the world of fixed computing, a security layer cannot be added onto these devices after an incursion has taken place. There just isn’t enough memory available. It’s up to business to ensure they have ‘security-by-design’ – which meets the requirements of the modern enterprise.
To fail to plan is to plan to fail
There is an understanding that security policies must change in light of the proliferation of wearables in the office. Some 82% of respondents said they thought their firm’s IT or BYOD security policies will be updated. Moreover, half said their organisation must introduce limitations on which data is captured by wearables, while 43% said their security policies should become more rigorous as a result. Almost three quarters of respondents (73%) agreed that organisations need to introduce a wearable device policy.
While there’s no silver bullet to solve this issue, there are steps that a business can take to ensure that wearables pose less of a security risk in the workplace.
First, the IT department must avoid saying ‘no’. Saying no will often drive employees from shadow IT to rogue IT, which is much harder to deal with. Be a ‘department of yes’ and have clear policies on how various devices can be used.
Then a company must identify the risk and think about how it is managed. For example, limit access to sensitive data to a select group of people or just those with authorised devices. Accept there may be a security breach, run drills to prepare and ensure a response is conducted in the right way.
A business must also strive to educate its employees as well. They are responsible for company data as well and if they feel responsible and empowered they will act responsibly. If security solutions exist for wearables, then make sure they are installed.
Chief information security officer’s must also look at how secure the third party servers are to which data is being uploaded. It’s actually not the devices themselves that are likely to be hacked, but the back-end systems that are storing and collecting corporate data.
UK law stipulates that if wearables create a security threat, the employer has an obligation to mitigate those risks. The European Union General Data Protection Regulation is set to mandate breach notifications and there will be large fines for non-compliance. It makes sense that UK organisations begin to plan for the potential privacy and security impacts of wearables now.
Sourced from Ross Dyer, technical director, Trend Micro