Centrify, a leader in securing enterprise identities against cyber threats, has released a survey warning that the presence of wearables in the enterprise should be a growing concern for IT security.
It polled more than 100 randomly-chosen attendees at last month’s RSA security conference in San Francisco. It found that:
- 69% of wearable owners use no login protection – PINs, fingerprint, passwords, voice recognition – to access their devices.
- Disturbingly, 56% use their devices to access business data via apps such as Box, Slack, Trello, Dropbox, Salesforce, Google Docs, Microsoft Office or a combination of those.
- 42% ranked identity theft as the top security concern
- 34% said lack of IT management and device control by their employer was a concern
- 22% felt that wearables could lead to a breach of sensitive work data
“As wearables become more common in the enterprise, IT departments must take serious steps to protect them as carefully as they do laptops and smartphones,” said David McNeely, VP of Product Strategy for Centrify, who is visiting Australia next week for the Connect Expo event in Melbourne.
“Wearables are deceptively private. Owners may feel that due to their ongoing proximity to the body, they’re less likely to fall into the wrong hands. However, hackers don’t need to take physical possession of a device to exploit a hole in security. The best news is that solutions already exist that can easily wrap wearables into the identity management picture.”
Centrify’s concerns are timely, as it has been revealed that hackers are already exploiting wearables. The popular term is ‘mobile devices at the edge’, and it’s a new opportunity for cybercriminals to exploit.
Let’s face it – wearables like the Apple Watch or Microsoft Band 2 are worn almost around the clock. Some are just a watch with smart benefits like notifications, and some are full-blown fitness trackers with GPS and some smart benefits. Whatever information they gather is stored in the cloud: an enormous amount of personal, and often business, information that is a target for cybercriminals.
As wearable devices make their way into the workplace and by inference corporate networks, they bring a host of security and privacy challenges for IT departments and increase the amount of data that data brokers have to sell about an individual. Not the least is the potential to receive corporate emails on the device that also go to the cloud. In other words, all data on the wearable is at risk.
Gary Davis, chief consumer security evangelist at Intel Security, said, "The information that's contained on your wearable that's stored either on your smartphone or downstream on a cloud is worth ten times that of a credit card on a black market ... [manufacturers] are basically putting out these devices that are extremely vulnerable to attack.”
"The challenge for security people is it's hard enough to get consumers to update their apps on their smartphones or update their operating system and making sure they're applying the right security patches, which is pretty straightforward by updating in the app store. Doing it on a wearable device is significantly more complex. It will be harder once you get these devices out in mass to apply security patches. Users won't go to the time or effort to make these devices more secure," Davis said.
Enterprises need to be aware that wearables offer access to the corporate network, initially over Bluetooth through a smartphone but increasingly over Wi-Fi without one. That data is frequently unencrypted. There is no security checking for wearables, and a device's onboard memory can be used to take data out of the enterprise.
Third-party apps can also hide spyware payloads. Already, custom malware has been found on a wearable that executed an internal DDoS network attack, shutting down the company’s servers. In another case, custom apps reported positive results when the results were otherwise.
Already app writers are looking at things like using your watch to gain access to a building – now a hacker could do that remotely. Another app can activate inbuilt cameras – fortunately, there are not many of those, but many have a microphone and could record conversations. And cyber criminals now have exploits on their agenda.
Cisco predicts there will be 600 million wearables in the enterprise space by 2020. At present no MDM (mobile device management) software system covers these. Because wearables work differently from smartphones, there are many unforeseen circumstances where they pose new security risks. Banning or restricting features is not a sound long-term strategy, so companies need to rethink policies, draft new plans and employ new services to deal with mobile device management.
At a minimum MDM needs to cover:
- Custom security levels – from executives to staff
- Remote find and erase of corporate data
- Keeping them off corporate Wi-Fi networks
- Data leakage protection
- Identity authentication