Rarely a day goes by without a new wearable device bursting onto the market, offering exciting uses for hands-free workers wanting to enhance their communication efforts, improve their workflow or reducing decision time frames.
And just as the rise of end-user computing and bring-your-own-device trends disrupted the security practices f many enterprises, so too will wearables and the ‘Internet of Things’.
The enormous amount of data wearable technology amasses – from clocking travel patterns and location data to recording intensely personal health data – is of enormous value to today’s hackers. To get at this data malicious actors use socially-engineered cyber-attacks and sophisticated phishing campaigns designed to trick you into clicking their spoofed emails.
Think about it: if an email lands in your inbox from a brand you recognise and relates to something you’ve been looking at, then you’ll be more likely to open it – right?
Equally, smart watches or fitness trackers that clock your every step and report on how many calories you’re burning and then send you a daily email notification present a specific kind of risk. Because more devices you have pinging you, fighting for attention in your email inbox with notifications or updates, the more susceptible you are to clicking on a fraudulent or phished message and exposing highly personal or corporate data.
With today’s cybercriminals amplifying their use of email to spread malware and steal personal data, the threat posed by wearables must be addressed.
The infamous Target data breach, for example – where the payment data of 40 million customers was exposed to a malware attack on the POS system in almost 1,800 stores – clearly illustrates how cybercriminals are capitalising on email before, during and after attacks to steal credentials, infecting machines or getting enough information to continue the next step of their malicious campaign.
Fundamental flaw
Of course, email is ingrained into our everyday lives and is often a business’s primary communication tool. The unfortunate truth is that email was created with a fundamental flaw – anyone can send an email using someone else’s identity – and perpetrators of cybercrime are exploiting this.
Hackers use many tricks, but one of their favourites is to take advantage of design weaknesses in the internet’s basic architecture to send email from what appears a legitimate domain – usually a .com return address that appears identical to those used by reputable businesses.
Their success hinges on the fact that unsuspecting users will be unable to spot a poisoned email when, for all intents and purposes, a phished message with the right branding and style of messaging looks like the real deal.
While the probability of an attack changes depending on where the wearable device is being used – like financial or healthcare organisations – when it comes to data security, one can never be too careful.
The focus of any cyber attack is to compromise the user and steal the data, so to keep personal information secure and combat the security risks involved, best practice calls for enterprises to emulate BYOD solutions.
Solutions include limiting the number of employees that use their personal devices to access business information or setting policies that determine what data the wearable device is authorised to access (and retain) from the corporate network.
Equally, automating log-off functions and assigning access based on rules further ensure employees can access only the information they legitimately need in order to get their job done. This is especially important for organisations responsible for handling personally identifiable or sensitive data (like healthcare records), or complying with regulatory standards.
Proactive approach
However, to combat the onset of an email-spawned cyber-attack, and eliminate the risk of human error or misadventure, a proactive approach is essential.
Ownership for defending customers from cyber-attacks stays with the enterprise, as, ultimately, that is where the accountability lies. Businesses who secure the email channel appropriately not only have greater consumer trust, but also fewer fraud losses, less operational overhead and a significantly reduced chance of hitting headline news for all the wrong reasons.
Adhering to email technology standards like DMARC, which give complete visibility into who is sending email on a business’s behalf, is key.
What’s more, technologies like DMARC give companies the ability to control what happens when a fraudulent email is sent and allows companies to prevent malicious mail from ever reaching a consumer’s inbox. Indeed, many companies are surprised to learn exactly how many domains and sub-domains within their organisation and their authorised third party senders are delivering customer messages.
By taking a preventative approach to email security in the context of wearables, businesses will be able to remove the risk of an infected email even reaching a recipient. In doing so, businesses can not only play a real role in breaking the vicious cycle of data breaches we are caught up in and stop malware attacks across the internet, but also ensure the promise of wearables and the IoT is realised.
How Safe is Your Business? Take the Cyber Security Assessment
Listen to the IFSEC Insider podcast!
Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.
Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.
