Endpoint

8/26/2016
10:00 AM
Kon Leong
Kon Leong
Commentary
50%
50%

The Hidden Dangers Of 'Bring Your Own Body'

The use of biometric data is on the rise, causing new security risks that must be assessed and addressed.

The term “BYOB” might have more interpretations than you think. Increasingly, in the area of enterprise security and data, it could mean “bring your own body.”

The use of biometric data, in both consumer and enterprise technology, is on the rise. The average worker in a business environment now generates more types of data more quickly than ever, and at higher volumes. Increasingly, some of that data might be biometric.

To understand the sensitive role of biometric data in enterprise information governance, you first have to understand its basic nature -- mainly, that it is very difficult to alter and often inextricable from the individual that it came from. You can easily change your debit card number if it has been stolen, right? But doing the same for your fingerprints or iris is impossible. Biometric information doesn’t simply provide a code or number permanently assigned to a person, it provides a measure of that person. Biometric systems provide data on the fundamental physical identity of the self -- a self that has the right to change jobs, move on from an organization, and still have the reasonable expectation that his or her identity and data will remain protected.

So, for professionals who work in information governance, this brings up two critical questions:

1. Who, exactly, has ownership of this data?

2. How should the business manage this data?

The first, unfortunately, is nearly impossible to answer now. Privacy laws for nonmedical biometric data are still nascent in the US, and determining data ownership between the enterprise and the individual can be difficult and is influenced by many variables.

Many businesses harbor some sort of biometric data originating from employees. So, while the first question may remain unanswered now, it’s clear that data management itself must be considered before biometric data becomes more commonplace. Failure to think about governance and security practices today could mean beginning too late to prevent a breach or misappropriation tomorrow.

There may not be that much biometric data currently in the average enterprise, but its use is on the rise. Both the private and public sectors probably (and legally) have some of your biometric data right now. If you’ve ever worked for a government-affiliated organization and achieved any type of security clearance, it has your fingerprint data. If you have a US driver’s license  -- even if you have no criminal record -- there’s a good chance that the FBI is already analyzing your photo for a facial-recognition database. The information that HR departments handle on a regular basis -- Social Security numbers, home addresses, health insurance details, tax information, etc. -- all pose threats to privacy and security that are practically incomparable to traditionally stolen data types such as credit card numbers.

These hypothetical threats may seem nebulous given today’s relatively low use of biometrics in the average business, but they’re still a concern. If a regular breach of business documents is a disaster, one with inherently personal data is a legal, monetary, and PR disaster.

As of 2016, the average three-year cost of a breach in the US is $4 million over three years, and the average cost of an individual breached business record is $158. Because most of these breaches until now have been of more traditional data types such as business records, emails, and financial data, the enterprise should expect increasing costs with the availability of increasingly granular data belonging to individuals. The most-prized data types currently are those that the individual can’t change; medical records have far surpassed credit card numbers in their value on the black market. It’s not unlikely that personal biometric data -- especially types that are unalterable -- will have similar value.

The most logical first step for today’s information governance professionals would be to simply identify what biometric data may exist within the enterprise. This can include (but isn’t limited to) the following:

  • Fingerprints
  • Iris scans/images
  • Close-up facial photos
  • EEGs (used in neuromarketing research)
  • Fitness tracker and heartrate data
  • Personal handwriting and signatures

Once that’s done, mapping the potential locations where that data exists is necessary to determine where the most likely risks exist.

Possible places that biometric data reside within the enterprise can include:

  • File-sharing environments
  • Archives and information governance platforms
  • Building entry and physical security systems
  • Third-party password management software
  • Productivity platforms (such as Evernote)
  • Scanned and photographed note repositories
  • Enterprise social media accounts
  • Software-as-a-service products

The key objective for the immediate future is to determine what’s within the realm of control, and how security can be strengthened for the locations where there is most likely to be sensitive items. This relatively simple task today will be important for the future, regardless of how common biometric data becomes in business.

So “bring your own body” isn’t quite the HR policy violation it sounds like. It’s a call to action for information governance and security. It’s time to identify sources of employee biometric data, and to ensure that it is properly governed and secured within enterprise systems. 

Related Content:

Kon Leong is CEO/Co-founder of ZL Technologies. For two decades, he has been immersed in large-scale information technologies to solve "big data" issues for enterprises. His focus for the last 14+ years has been on massively scalable archiving technology to solve records ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
8/31/2016 | 2:39:10 PM
Think about the OPM breach is far more worse for individuals
I agree, we have only one body but can have many passwords.  I reminds me of the OPM breach in which sensistive data about former gov't employees and their family was stolen, information that you cannot erase and replace, information that can identity an individual solely.  But yet still information, not a finger, a pupil, a heart...i am staying away for biometrics until we have a better answer on how to keep that data safe...i am sure it will be a while.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2016 | 9:43:53 PM
Re: what will happen after a breach?
@Whoopty: The methodology might be the trick to it, but these types of biometrics -- fingerprints, heart rhythms, etc. -- are pretty replicable.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2016 | 9:40:24 PM
Re: what will happen after a breach?
"The aftermath of that data breach cost me an arm and a leg!"
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2016 | 9:39:40 PM
Re: Security
Multiple InfoSec experts I know put it this way: You have ten fingers and ten toes -- and that's it.  But the number of possible passwords you can have is nearly infinite.

Besides: biometrics aren't generally protected under the 4th Amendment, whereas passwords (sometimes) are.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/30/2016 | 7:28:23 AM
Re: what will happen after a breach?
Try a heart transplant! Biometric data can use internal metrics like your own unique heart rhythm, so I don't think plastic surgery would cut it. 
hykerfred
50%
50%
hykerfred,
User Rank: Apprentice
8/29/2016 | 10:13:16 AM
what will happen after a breach?
What will happen when your biometrical data has been breached? Will you be fired or forced to take a long vacation since you are the vulnerability? Or will the company just provide you with some plastic surgery? :)
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
8/29/2016 | 6:58:53 AM
Security
I definitely want real safeguards in place before I hand over any biometric data to any companies. As you point out, while biometric data is more unique than passwords and other forms of security, it's still only as useful as the security in place protecting that data.

I'm also concerned that the NSA and other intelligence agencies would love to get their hands on that sort of data. I'd want guarantees that it would only be sent over in the case of a warranted, criminal investigation, not just scooped up randomly when I use it for a login.
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
NC Water Utility Fights Post-Hurricane Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.