Endpoint

8/26/2016 10:00 AM
Kon Leong
Commentary
The Hidden Dangers Of 'Bring Your Own Body'

The use of biometric data is on the rise, causing new security risks that must be assessed and addressed.

The term “BYOB” might have more interpretations than you think. Increasingly, in the area of enterprise security and data, it could mean “bring your own body.”

The use of biometric data, in both consumer and enterprise technology, is on the rise. The average worker in a business environment now generates more types of data more quickly than ever, and at higher volumes. Increasingly, some of that data might be biometric.

To understand the sensitive role of biometric data in enterprise information governance, you first have to understand its basic nature -- namely, that it is very difficult to alter and is often inseparable from the individual it came from. You can easily change your debit card number if it has been stolen, right? But doing the same for your fingerprints or iris is impossible. Biometric information doesn’t simply provide a code or number permanently assigned to a person; it provides a measure of that person. Biometric systems provide data on the fundamental physical identity of the self -- a self that has the right to change jobs, move on from an organization, and still have the reasonable expectation that his or her identity and data will remain protected.

So, for professionals who work in information governance, this brings up two critical questions:

1. Who, exactly, has ownership of this data?

2. How should the business manage this data?

The first, unfortunately, is nearly impossible to answer now. Privacy laws for nonmedical biometric data are still nascent in the US, and determining data ownership between the enterprise and the individual can be difficult and is influenced by many variables.

Many businesses harbor some sort of biometric data originating from employees. So, while the first question may remain unanswered now, it’s clear that data management itself must be considered before biometric data becomes more commonplace. Failure to think about governance and security practices today could mean beginning too late to prevent a breach or misappropriation tomorrow.

There may not be that much biometric data currently in the average enterprise, but its use is on the rise. Both the private and public sectors probably (and legally) have some of your biometric data right now. If you’ve ever worked for a government-affiliated organization and achieved any type of security clearance, it has your fingerprint data. If you have a US driver’s license -- even if you have no criminal record -- there’s a good chance that the FBI is already analyzing your photo for a facial-recognition database. The types of information that HR departments handle on a regular basis -- Social Security numbers, home addresses, health insurance details, tax information, etc. -- all pose threats to privacy and security that traditionally stolen data types such as credit card numbers do not.

These hypothetical threats may seem nebulous given today’s relatively low use of biometrics in the average business, but they’re still a concern. If a regular breach of business documents is a disaster, one with inherently personal data is a legal, monetary, and PR disaster.

As of 2016, the average cost of a breach in the US, measured over three years, is $4 million, and the average cost per breached business record is $158. Because most breaches until now have involved more traditional data types such as business records, emails, and financial data, the enterprise should expect costs to rise as increasingly granular data belonging to individuals becomes available. The most-prized data types currently are those that the individual can’t change; medical records have far surpassed credit card numbers in their value on the black market. It’s not unlikely that personal biometric data -- especially types that are unalterable -- will have similar value.

The most logical first step for today’s information governance professionals would be to simply identify what biometric data may exist within the enterprise. This can include (but isn’t limited to) the following:

  • Fingerprints
  • Iris scans/images
  • Close-up facial photos
  • EEGs (used in neuromarketing research)
  • Fitness tracker and heart-rate data
  • Personal handwriting and signatures

Once that’s done, mapping the potential locations where that data exists is necessary to determine where the most likely risks exist.

Possible places where biometric data resides within the enterprise include:

  • File-sharing environments
  • Archives and information governance platforms
  • Building entry and physical security systems
  • Third-party password management software
  • Productivity platforms (such as Evernote)
  • Scanned and photographed note repositories
  • Enterprise social media accounts
  • Software-as-a-service products

The key objective for the immediate future is to determine what’s within the realm of control, and how security can be strengthened for the locations where sensitive items are most likely to be. This relatively simple task today will be important for the future, regardless of how common biometric data becomes in business.
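The three steps above (identify the biometric data types, map where they live, and sort out what is within direct control) can be turned into a small inventory script. The following is an added example, not code from the article or from ZL Technologies: every system name, location class and field name is constructed sample data, and the keyword hints and the choice to treat third-party and SaaS locations as "outside direct control" are assumptions made for the example.

```python
"""Biometric data inventory and control-gap mapping (added example).

Models the article's procedure on constructed data:
  1. identify which biometric categories exist (classify_field / inventory),
  2. map the systems holding them (findings),
  3. put locations outside direct control first (prioritize).
"""
from collections import defaultdict
from dataclasses import dataclass

# Biometric categories from the article. The keyword hints are assumptions
# used only to classify the constructed field names below.
BIOMETRIC_CATEGORIES = {
    "fingerprint": ("fingerprint", "minutiae"),
    "iris": ("iris", "retina"),
    "facial_image": ("face", "facial", "headshot", "badge_photo"),
    "eeg": ("eeg", "brainwave"),
    "fitness_heartrate": ("heart_rate", "heartrate", "step_count", "fitness"),
    "handwriting_signature": ("signature", "handwriting"),
}

# Location classes from the article's list. Treating third-party and SaaS
# locations as outside the enterprise's direct control is an assumption.
OUTSIDE_DIRECT_CONTROL = {
    "third_party_password_manager",
    "productivity_saas",
    "enterprise_social_media",
    "saas_product",
}


@dataclass(frozen=True)
class DataAsset:
    system: str          # constructed system name
    location_class: str  # one of the article's location types
    fields: tuple        # field names found in that system


@dataclass(frozen=True)
class Finding:
    system: str
    location_class: str
    field: str
    category: str
    in_direct_control: bool


# Constructed sample inventory; none of these are real systems.
SAMPLE_ASSETS = [
    DataAsset("hr-file-share", "file_sharing",
              ("employee_id", "badge_photo", "signature_scan")),
    DataAsset("door-access-ctrl", "physical_security",
              ("badge_id", "fingerprint_template")),
    DataAsset("wellness-saas", "saas_product",
              ("employee_id", "heart_rate_daily")),
    DataAsset("notes-app", "productivity_saas",
              ("note_title", "handwriting_photo")),
    DataAsset("payroll-db", "archive",
              ("employee_id", "bank_account", "tax_id")),
]


def classify_field(field_name):
    """Return the biometric category a field name suggests, or None."""
    name = field_name.lower()
    for category, hints in BIOMETRIC_CATEGORIES.items():
        if any(hint in name for hint in hints):
            return category
    return None


def findings(assets):
    """Every biometric field, with the system holding it and its control status."""
    out = []
    for asset in assets:
        for field in asset.fields:
            category = classify_field(field)
            if category is None:
                continue
            out.append(Finding(asset.system, asset.location_class, field, category,
                               asset.location_class not in OUTSIDE_DIRECT_CONTROL))
    return out


def inventory(assets):
    """Step 1: which biometric categories exist, and in which systems."""
    systems = defaultdict(set)
    for f in findings(assets):
        systems[f.category].add(f.system)
    return {category: sorted(names) for category, names in systems.items()}


def prioritize(assets):
    """Step 3: findings ordered so locations outside direct control come first."""
    return sorted(findings(assets),
                  key=lambda f: (f.in_direct_control, f.system, f.field))


def control_gap_summary(assets):
    """Count biometric fields inside versus outside direct control."""
    counts = {"in_direct_control": 0, "outside_direct_control": 0}
    for f in findings(assets):
        key = "in_direct_control" if f.in_direct_control else "outside_direct_control"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for category, systems in inventory(SAMPLE_ASSETS).items():
        print(f"{category}: {', '.join(systems)}")
    for f in prioritize(SAMPLE_ASSETS):
        flag = "IN CONTROL" if f.in_direct_control else "OUTSIDE CONTROL"
        print(f"[{flag}] {f.system} ({f.location_class}): {f.field} -> {f.category}")
    print(control_gap_summary(SAMPLE_ASSETS))
```

In a real environment the `SAMPLE_ASSETS` list would be replaced by the output of a data-discovery or DLP scan, and the keyword hints by the organisation's own classification rules; the useful output is the prioritized list, which shows which biometric fields sit in systems the enterprise does not directly operate and therefore should be reviewed first.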

So “bring your own body” isn’t quite the HR policy violation it sounds like. It’s a call to action for information governance and security. It’s time to identify sources of employee biometric data, and to ensure that it is properly governed and secured within enterprise systems. 

Kon Leong is CEO/Co-founder of ZL Technologies. For two decades, he has been immersed in large-scale information technologies to solve "big data" issues for enterprises. His focus for the last 14+ years has been on massively scalable archiving technology to solve records ...
Comments
JulietteRizkallah, User Rank: Ninja
8/31/2016 | 2:39:10 PM
Think about the OPM breach, which is far worse for individuals
I agree, we have only one body but can have many passwords. It reminds me of the OPM breach in which sensitive data about former gov't employees and their families was stolen, information that you cannot erase and replace, information that can identify an individual solely. But yet still information, not a finger, a pupil, a heart... I am staying away from biometrics until we have a better answer on how to keep that data safe... I am sure it will be a while.
Joe Stanganelli, User Rank: Ninja
8/30/2016 | 9:43:53 PM
Re: what will happen after a breach?
@Whoopty: The methodology might be the trick to it, but these types of biometrics -- fingerprints, heart rhythms, etc. -- are pretty replicable.
Joe Stanganelli, User Rank: Ninja
8/30/2016 | 9:40:24 PM
Re: what will happen after a breach?
"The aftermath of that data breach cost me an arm and a leg!"
Joe Stanganelli, User Rank: Ninja
8/30/2016 | 9:39:40 PM
Re: Security
Multiple InfoSec experts I know put it this way: You have ten fingers and ten toes -- and that's it. But the number of possible passwords you can have is nearly infinite.

Besides: biometrics aren't generally protected under the 4th Amendment, whereas passwords (sometimes) are.
Whoopty, User Rank: Ninja
8/30/2016 | 7:28:23 AM
Re: what will happen after a breach?
Try a heart transplant! Biometric data can use internal metrics like your own unique heart rhythm, so I don't think plastic surgery would cut it.
hykerfred, User Rank: Apprentice
8/29/2016 | 10:13:16 AM
what will happen after a breach?
What will happen when your biometric data has been breached? Will you be fired or forced to take a long vacation since you are the vulnerability? Or will the company just provide you with some plastic surgery? :)
Whoopty, User Rank: Ninja
8/29/2016 | 6:58:53 AM
Security
I definitely want real safeguards in place before I hand over any biometric data to any companies. As you point out, while biometric data is more unique than passwords and other forms of security, it's still only as useful as the security in place protecting that data.

I'm also concerned that the NSA and other intelligence agencies would love to get their hands on that sort of data. I'd want guarantees that it would only be sent over in the case of a warranted, criminal investigation, not just scooped up randomly when I use it for a login.