If you were at Mobile World Congress or CES, you know we’re in the midst of ‘the year of the wearable’. If there was any doubt, the incredible one million Apple Watches sold on day one of availability provided the proof in the pudding.
While we may not all be pitching for a VIP gold Apple Watch, à la Beyoncé, it won’t be long until we’re seeing these devices draped across the wrists of our colleagues.
Are these devices built for the enterprise? No, but that hasn’t stopped any of Apple’s other recent consumer tech from crossing over. We’re already seeing a flurry of enterprise apps launched for smart watches by the likes of Salesforce and Zoho. In fact, Forrester predicts that by 2020 wearables will be a common feature within many enterprises, becoming instrumental to how employees do their jobs over the following four years.
Are these wearable devices simply an extension of a BYO programme or do they raise yet another question over the ability to secure corporate data?
Risky business
The security questions surrounding wearables are complicated due to their early stage of development. The majority of these devices rely on tethering, such as with a smartphone, to access the internet – most opting to use Bluetooth 4.0, which has a heightened security capacity – but the apps are the real concern enterprises should take into account. These apps are different from the typical mobile apps found on smartphones, yet pose a similar level of risk.
One has only to look at the ‘traditional’ mobile app problem to begin to see the challenge wearables will pose. Veracode’s recent research into the mobile security landscape of the average global enterprise found approximately 2,400 unsafe apps installed in actual mobile environments. Of these unsafe apps, 85% were found to expose sensitive device data, and 35% retrieved or shared personal information about the user, such as browser history or calendars.
While some commentators have scoffed at security fears surrounding data that could be collected from wearables on a large scale, this is only part of the problem. Apps not only store data locally – such as our whereabouts using GPS, contacts, etc. – they also provide an entry point to a much more valuable target, the cloud services that drive most apps.
The app is the new perimeter and it really doesn’t matter if that app resides on a mobile phone, laptop, smart TV or smart watch. What does matter is the level of importance they are given in terms of overall risk reduction for the enterprise.
Watch out
Wearables are in their infancy and developers are largely responsible for setting the reputation of these devices. Security should remain at the forefront of this sector’s development and not be addressed as an afterthought.
It will serve the industry well to pay attention to lessons learned from other smart devices, such as those in the Internet of Things (IoT). Veracode’s recent research into IoT devices showed that many consumer-connected devices are not being designed with security in mind, with companies instead pursuing rapid version releases to speed up uptake by early adopters. Wearables can’t fall into this same trap, or they risk being cut off from the enterprise market altogether.
Developers should implement best practices for security when writing their apps. For example, the use of frameworks, libraries and components without known vulnerabilities is a good start. Using encryption for communications as well as data storage and enforcing strong passwords are two more fundamental best practices that will improve the security posture quickly.
Remember, it isn’t just vulnerabilities in software running the wearable that can put user and enterprise data at risk but the whole ecosystem of mobile apps, web apps and web service back ends that the wearable communicates with. Vet the mobile apps with a reputation service that can detect risky mobile app behaviour and consider using a cloud access broker to limit communications from the enterprise network to back end web services of unknown risk.
Ensuring the future of wearables in the corporate environment is no one group’s responsibility. Both the developers and businesses consuming the devices must do their part to make sure the apps on these devices are not putting corporate data at risk.
Businesses should look at their MDM policy and check to make sure it can be applied – and enforced – across wearables. That said, the success of wearables in the workplace is at a pivotal point in its development. Investment today will pay off tomorrow – for all those involved.
Sourced from Chris Wysopal, Veracode