Ready for wearables? 5 ways to stay connected and protected
June 7, 2016
Don’t let wearable devices be another way for the bad guys to get in.
Wearables are small, connected, wireless electronic devices worn on the body that enable data collection and analysis in real-time. They might be smart watches, smartglasses, vests with 360º video feed, or bio-sensing clothing. Wearables have a tremendous return on investment potential. They can offer real-time data and decision making, improved worker efficiency and safety, and a better customer experience.
But each wearable device is also a potential entry point for a cyber criminal—and by the year 2020, there will be anywhere from 25 billion to 50 billion connected devices. That's a staggering number.
Cyber criminals don't have to hack your company’s computers. They don't have to get into your network via a phishing exercise or social engineering attempt. If they can get into a vulnerable device that one of your employees is wearing that’s connected to your network—well, that represents another way in for the bad guys.
When you think about implementing wearables into your workplace, think about security right from the beginning, that is, right when you are defining your requirements. Think not only about how you want wearables to function and what you want them to do for you, but also about how they will stand up to cyber threats. Consider your ability to perform these five high-level tasks from the National Institute of Standards and Technology (NIST) Cybersecurity Framework to help address those threats:
- Identify. Have you identified what might be at risk and is really critical to protect (Social Security numbers, bank account numbers, customer and employee data, industrial control systems and business processes) and what could go wrong? Remember that with wearable devices, company processes and the people using the devices could also need protection.
- Protect. Have you built in technical, process and people-related controls and educated the people who are going to use these devices so that they're protecting themselves and any data or processes that might be involved?
- Detect. Do you have the capability to generate and receive warnings when something might be going wrong and so you can start the process of reacting to it? Are you sharing threat-related information with other users of wearables so that you are constantly informed of the threat landscape?
- Respond. If you're getting an indication that something's amiss, do you have processes and plans in place to address that problem? To contain it? To eradicate it? To resolve it and get back to normal as quickly as possible?
- Recover. If a wearables cyber event involves damage to the network or the need to take down a portion of the network to fix the problem, do you have disaster recovery and business continuity plans that allow you to get back to normal processing as quickly as possible? If an event causes you to take your wearables off-line for a period of time, do you have backup, low-tech processes for your people to revert to? Have your employees been trained to do this?
You're never going to be able to protect your business completely. There will always be new devices connected to the Internet of Things, and that means more threat vectors into your network. You should take whatever steps are necessary to secure these devices, but at the same time you should assume that your best defenses will probably be circumvented at some point. When building your security program, it is critical to strive for resilience. Remember, prevention is ideal, but detection is a must.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All information herein should serve as a guideline, which you can use to create your own policies and procedures. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult with independent advisers when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with the publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy. Risk engineering services are provided by The Zurich Services Corporation.