The Internet of Things (IoT) is an evolution of the internet as we have known it, where people were “connected” via personal computers, laptops, tablets and phones. Instead of adding people and their personal computing devices to the internet, the IoT adds physical, usually unattended, devices capable of communicating with other devices or with people. Included among these is a class of devices known as “wearables.”
Wearables are small, connected, wireless electronic devices worn on the body that enable data collection and analysis in real-time. They might be smart watches, smartglasses, vests with 360º video feed, or bio-sensing clothing. Wearables have a tremendous return on investment potential. They can offer real-time data and decision making, improved worker efficiency and safety, and a better customer experience.
But each wearable device is also a potential entry point for a cyber criminal—and by the year 2020, there will be anywhere from 25 billion to 50 billion connected devices. That's a staggering number.
Cyber criminals don't have to hack your company’s computers. They don't have to get into your network via a phishing exercise or social engineering attempt. If they can get into a vulnerable device that one of your employees is wearing that’s connected to your network—well, that represents another way in for the bad guys.
When you think about implementing wearables into your workplace, think about security right from the beginning—that is right when you are defining your requirements. Think not only about how you want wearables to function and what you want them to do for you, but also about how they will stand up to cyber threats. Consider your ability to perform these five high-level tasks from the National Institute of Standards and Technology (NIST) framework to help address those threats:
Security is not an event. It's a process.
- Identify. Have you identified what might be at risk and is really critical to protect (Social Security numbers, bank account numbers, customer and employee data, industrial control systems and business processes) and what could go wrong?
Remember that with wearable devices, company processes and the people using the devices could also need protection.
- Protect. Have you built in technical, process and people-related controls and educated the people who are going to use these devices so that they're protecting themselves and any data or processes that might be involved?
- Detect. Do you have the capability to generate and receive warnings when something might be going wrong, so that you can start the process of reacting to it? Are you sharing threat-related information with other users of wearables so that you stay informed of the threat landscape?
- Respond. If you're getting an indication that something's amiss, do you have processes and plans in place to address that problem? To contain it? To eradicate it? To resolve it and get back to normal as quickly as possible?
- Recover. If a wearables cyber event involves damage to the network or the need to take down a portion of the network to fix the problem, do you have disaster recovery and business continuity plans that allow you to get back to normal processing as quickly as possible? If an event causes you to take your wearables off-line for a period of time, do you have backup, low-tech processes for your people to revert to? Have your employees been trained to do this?
You're never going to be able to protect your business completely. There will always be new devices connected to the Internet of Things and that means more threat vectors into your network. You should take whatever steps are necessary to secure these devices, but at the same time you should assume that your best defenses will probably be circumvented at some point. When building your security program it is critical to strive for resilience. Remember, prevention is ideal, but detection is a must.