Are wearables popping up at your office? The legalese in IoT security guidelines can make even intrepid IT managers glaze over, especially next to the cool tech it governs (we get it, we really do), but it's important to make sure you're following the right IoT practices to keep your business secure and healthy.
Fortunately, we have a checklist to help you get started. Here are four IoT security guidelines that will help your business make the most of what wearables can offer while protecting everyone from potentially costly and damaging data breaches.
1. When collecting employee data, be transparent and get consent
Employees may casually joke about Big Brother when discussing wearables at the office, but they have real concerns about data privacy. Some businesses are already collecting data on their employees for employee wellness programs. In what is known as the "quantified self," sleep patterns, heart rate, stress levels, insulin levels, and more are analyzed and quantified, producing data that can be used to track employee health or ensure safety on the job. Employers might have good intentions, but employees may have legitimate fears about where their information will end up.
If you’re using wearables to collect data on your employees, you need to be open with them about exactly what you’re collecting and how that information will be used. From a legal perspective, depending on where your business is located, you may or may not be required to obtain employee consent to collect such data. But to maintain a good relationship between your staff and the company, it’s in everyone’s best interest to be transparent. You can take care of this with a written, signed agreement that spells out how the data will be handled while securing the employee’s consent to collect it. If you’ve already got something similar in place for BYOD, you may want to consider updating your BYOD policy and documents to incorporate the use of wearables as well.
2. Pay close attention to how your vendors handle employee data
Part of what makes IoT so nimble and powerful is that it plays well with the cloud. As many IT managers know, it's not enough to simply assume that your cloud vendors or any third-party services handling IoT data have the right security and data protection practices in place. Review any relevant contract documentation, and determine where your employees' data will be stored. Make sure the legal protections in that jurisdiction regarding the storage, securing, and management of that data are acceptable to your company from a security and risk management perspective. Also make sure there are strong, legally binding requirements in place for the provider to safeguard your data against accidental or unauthorized breaches or disclosures. This is critical if your vendors are off-shoring their cloud data to remote locations overseas.
3. Have clear security procedures in place for wearables
Wearables might look cute and nonthreatening, but they’re just as vulnerable to hacks and exploits as any other type of connected device. If you’re not managing the security of your IoT environment, you’re leaving your business open to potentially damaging data breaches. For starters, make sure your threat identification and prevention tools are IoT-ready. They should be equipped to analyze and quarantine any malware or viruses that may be hitching a ride on that fitness tracker Jake from accounting wore to the office today.
If you have an information security policy in place, make sure it’s updated to include wearables, and that it clearly spells out who will have access to this data and how your team will respond to a network security incident involving these devices. And make sure your employees know what’s expected of them. If you don’t want them connecting to unsecured Wi-Fi networks with their wearables, for example, make that clear in policy documents and in your security awareness training sessions.
4. Know your regulatory or legal requirements
Legal and regulatory requirements governing business use of employee data are not a one-size-fits-all affair. Although there are best practices that all businesses should keep in mind, your company may be bound by constraints that need a closer look. Consider your business model and how employee data collection could potentially become a legal issue.
If your business or the vendors you rely on suffer a data breach, you could face serious legal and reputational consequences if employee data is compromised. It's important to know now what your requirements would be for notifying legal authorities, your employees, and your customers, so you can spring into action if the worst-case scenario becomes a reality.
Wearables in the workplace can help support your employees’ health and well-being while ensuring better productivity and workforce optimization. Although the legal considerations of securing your connected environment may seem like a buzzkill, it’s worth taking the time to get them right now rather than later.