What business owners need to know about cyber risk from wearable devices
When you think of “wearable technology,” activity trackers are generally the first item to come to mind.
But there are many more types of wearable technology that all organizations, especially smaller ones, are starting to integrate into their daily operations, explains Kirstin Simonson, CPCU, ARM, AU, ASLI, second vice president for Travelers Global Technology, based in Minneapolis.
Wearable technology and the Internet of Things are poised to redefine mobility, Simonson says. SNS Research estimates that wearable device shipments accounted for nearly $20 billion of revenue in 2015 with projections for market growth at a compound annual growth rate of 40 percent until 2021. Another research firm, Soreon, predicts that the health care wearables market alone will top $40 billion by 2020.
A small business looking to integrate new technology into its existing workflows can be hindered by the finite amount of resources available, such as time, capital and labor. “Every type of emerging technology requires an impact assessment to understand nuances such as personal vs. enterprise device discrepancies, and compliance with national and industry-specific regulations,” notes Simonson.
Another concern, she points out, is whether technology might cause a driver to become distracted, with accidents potentially translating into third-party, auto and workers’ compensation liability.
Business owners need to establish safeguards when developing a risk mitigation program for the use of wearables, Simonson advises. “Conduct a risk assessment that analyzes the business’s ability to adopt new technology, engaging all stakeholders who will be affected, including IT, board members, human resources, legal, vendors and customers.”
Companies can also minimize their exposure to cyber risk by requesting security features in their wearable devices, she notes. Examples include:
- Remote erase: Wearable users can erase or disable their device if it is ever lost or stolen.
- Bluetooth encryption: Bluetooth technology offers an encrypted application program interface when exchanging data between a device and a data store, but few companies take advantage of this standard because it decreases battery life.
- Cloud security: Because data is often transmitted from a wearable device to a cloud data-store, it is vital to ensure the cloud is protected by assessing vulnerability and limiting access to select personnel.
Wearable technology downsides
The few downsides to wearable technology include patent litigation as new technology comes to market and the occasional allergic reaction to wearable materials, Simonson observes.
It’s still too early to see trends. But here are some examples of potential pitfalls that business owners should be aware of:
- Signal interception: An employee’s smart glasses are synced to his smartphone, which connects to a company network where sensitive customer data is stored. A thief intercepts the Bluetooth feed between the smart glasses and the cloud data store, stealing customers’ credit card details.
- Malware infection: A smart watch user connects her device to a phone to book travel on a company credit card. The watch is infected with malware that detects and records financial activity. Because her password is transferred from the smart watch as plain text, the malware captures and sends the information to a hacker group that runs up huge credit card charges at the company’s expense.
- E-commerce site shutdown: An employee connects his personal wearable device to a company network. Outdated software and unauthorized website browsing infect the device with a virus that executes a distributed denial of service attack on the corporation’s network, shutting down the company’s e-commerce system for two business days.
Wearables and cyberattacks
Companies should deal with a cyberattack that occurs through a wearable device the same way as one that comes through any other means, says Simonson.
- Communicate promptly: Notify stakeholders who are affected by the breach. Internal parties include tech specialists, client service managers, public relations department members and C-level executives. External parties include clients, customers and vendors.
- Use forensic analysis: Engineers can use traffic analysis to determine a breach’s cause in real time, capturing traffic data, reviewing archived access records for anomalies and logging investigation results, including network vulnerabilities.
Bring your own wearable device issues
In many cases, employees are bringing their own wearable devices to work and accessing the employer’s network or data, raising several issues. Simonson notes that these risks may include:
- Cyber risk: The risk of financial loss, business interruption or reputational damage may stem from an organization’s failure to secure data held within its information systems. This can result from a cyber criminal’s attack, ineffective IT governance, security software failure or even a disgruntled employee.
- Technology errors and omission risk: A company can be held liable for economic loss if its device fails to work as intended because of an error, omission or negligence. Wearable device failures can affect business continuity and reputation.
- Bodily injury risk: For wearable devices to deliver on quality-of-life benefits, they must be used as intended and function properly at all times. Should the device fail, the vendor and manufacturer could be liable for damages from bodily injury, illness or the death of a user.
Check the fine print
A company’s contract practices impact its exposure to risk and liability in the event of an incident, Simonson says. To manage exposure, companies should evaluate the following provisions:
- Limitation of liability: The policy should disclaim liability for certain types of damages arising from incorrect wearable use or negligent activity, which can provide a defense in the event of litigation.
- Damage caps: Agree on a threshold for covering damage expenses with the wearables provider or users of a device to protect a business’ bottom line. This ceiling can be limited by a specific dollar amount, or based on factors defined in the contract.
- Contractual risk transfer: Shift risk to other parties outright through appropriate contract language. This is an attractive option for companies that hire independent contractors or lease equipment from other businesses.
Simonson said she believes that implementation will become more widespread as governance programs are established, training resources evolve and the insurance industry develops coverage policies for the diverse risks that each device can bring about. With some careful planning, businesses can manage the risk while taking advantage of the benefits that wearable technology can offer.