A customer recently asked how to manage the security risks posed by wearables, particularly in the context of visitors, and it's a great question. Every time a shiny new technology comes along, it's natural to wonder if we need to rethink our entire security playbook. 

The good news is, we usually don't. Well-written security policies are designed to be evergreen. They focus on lasting goals and timeless principles, regardless of today's tools or tomorrow's trends. 

What is a wearable?

Wearables are devices you can wear on your body that connect to the internet or to other devices. Most people know smartwatches, but the market keeps growing. There are now smart rings, smart clothing, and the device that has security teams on high alert: smart glasses.

What is the security risk of smart glasses?

Smart glasses are being marketed as the next big leap in technology. They can recognize faces, take photos, record videos, and capture information more discreetly than a smartphone ever could. This makes them powerful, but also risky when it comes to information security. 

However, at their core, smart glasses don't really introduce new types of risk. They just make familiar ones less visible. (Ironic, isn't it?) Whether your concern is a smartphone or smart glasses, the potential for recording or data compromise is the same. It's just harder to spot.

How can I control the risk of wearables?

That brings us to the good news: 

If the risks are the same, the controls should largely be the same, too. 

As one of my colleagues wisely put it: 

"The real issue is less about the devices themselves, and more about whether the organization's physical and information security controls are strong enough to withstand unauthorized recording, in general." – Steven Culp, CoNetrix Security 

In short, don't reinvent the wheel. Instead, strengthen your core controls. 

If you're looking for some practical steps, here are a few places to start.

Physical Security

Your physical security policy should clearly explain how your organization protects its facilities, systems, and data. For example: 

  • Restricting visitor access in sensitive areas and ensuring visitors are always escorted. 
  • Verifying identity before granting access to critical spaces, like server rooms. 
  • Requiring employees to keep desks clear, secure paper documents, and protect screens. 
  • Posting signs that prohibit recording in certain areas. 

Acceptable Use Policy (AUP)

Make sure your Acceptable Use Policy (AUP) prohibits employees from taking photos, videos, or screenshots: 

  • Of proprietary or confidential information. 
  • Inside your organization's facilities without permission. 
  • At remote work locations where sensitive data might be visible. 

It's important for your AUP to be broad enough to cover any device, old or new. The point isn't yesterday's digital camera, today's smart glasses, or tomorrow's smart contact lens. It's about preventing unauthorized disclosure of sensitive information via any technology. 

Security Awareness Training

Your security awareness training program should empower employees to recognize and respond to potential risks. Make sure your policy and training courses cover things like: 

  • Protecting proprietary or confidential information. 
  • Identifying and avoiding social engineering. 
  • Recognizing unusual behavior (including unauthorized recording). 
  • Being aware of various types of recording devices (e.g., smartphones, smart glasses, hidden cameras). 
  • Reporting suspicious activity or visitors immediately. 

Mobile Device Management (MDM)

If wearables are allowed in your workplace, they should be treated like any other connected device. This means: 

  • Enforcing your MDM policy for wearables the same way you do for smartphones. 
  • Prohibiting personal wearables from connecting to your corporate network. 
  • Ensuring devices are securely configured (e.g., authentication, patches, encryption). 
  • Training employees on the secure use and proper disposal of wearables. 

Conclusion

You can't control what employees, customers, or visitors wear into your building, but you can take steps to control what they're able to see. (Pun only slightly intended.) 

Instead of rewriting your policies every time a new gadget hits the market, focus on reinforcing awareness and applying your existing security controls consistently. Technology will change, but good security never goes out of style.

If you need help writing policies that last, check out Tandem Policies. Our product features more than 40 customizable information security policy templates, designed for organizations with strong security and compliance requirements. With Tandem, you can easily manage access to your policies, track changes over time, and create custom documents to share with your stakeholders. 

See how Tandem Policies can help you at Tandem.App/Policies-Management-Software.