People

'The new normal': Cisco security leader on WFH, MFA and the value of Band-Aids

A conversation with Wendy Nather on what companies, and their employees, should be thinking during the coronavirus crisis to protect their newly remote workplaces.

Wendy Nather, head of advisory CISOs at Duo Security, a division of Cisco

People who work from home need to cover their laptop cameras when they aren't using them, says Wendy Nather, who heads head of advisory CISOs at Duo Security, a division of Cisco. "I have used an Angry Birds Band-Aid as a webcam cover on a personal laptop for like three years," she says.

Photo: Courtesy of Cisco

Multitudes of people are telecommuting because of the coronavirus pandemic, with everyone from Facebook, Google and Apple to JPMorgan Chase to the federal government sending employees out of the office and into workstations — often hastily assembled — at their own homes.

Cisco, the computer networking giant and maker of Webex videoconferencing software, says more than 30% of its biggest global enterprise customers have asked the company to help them ramp up remote work, either by increasing access to Webex or bumping up the number of actual meetings. The San Jose company is seeing "unprecedented increases" in time spent in Webex meetings in Japan, Singapore, China and South Korea.


Get what matters in tech, in your inbox every morning. Sign up for Source Code.


But the profound shift comes with challenges, and a critical one is security. Protocol spoke with Wendy Nather, head of advisory CISOs at Duo Security, a division of Cisco, asking what companies should be thinking about to make sure their employees are protecting themselves and their employers. She talked about new normals and MFAs — and a great application for an Angry Birds Band-Aid.

This conversation has been edited for length and clarity.

People are using Webex for meetings. What other ways are they using videoconferencing?

I've seen it used for keeping communication channels open between people who are either in different parts of the same building or in different buildings. During the day they need to be able to exchange a couple of words like, "Oh, do you see that?" They're kind of virtually sitting together working on something, but it's not a short-term meeting with a beginning and an end. It's co-working by telepresence. And then there are a lot of people who are using telepresence to work on something together, like building a diagram or working on a document.

What do you recommend companies watch for with so many employees working from home, especially if the employees have never done this — or if it's been sort of a once-in-a-blue-moon kind of thing?

One of the most important things is a lot of enterprises will think of this as an aberration — you know, a temporary condition and everything will go back to normal afterward. This will just be a couple of weeks, or maybe a month, then everybody will go back into the office. They may be tempted to take shortcuts in setting up remote access for their users and thinking, "Well, we're just going to throw this up there, and it'll be OK because it's only for a month."

For example, going without multifactor authentication. Setting up something like a remote desktop protocol and just relying on usernames and passwords is very dangerous because attackers are always scanning the networks for these types of programs. A username and password is not going to keep them out. And so MFA is very, very important.

The other thing is we have to be realistic in that a lot of users may get used to working this way. Or the pandemic may last longer than we think it will. It may become a cyclical thing. And so it's better for enterprises to plan as though this is going to be the new normal. They should start thinking about wanting to support this long term.

What should employees who are working from home be watching out for?

The first thing they absolutely need, if they are going to be using videoconferencing and they haven't really done this before, is a webcam cover. It can be one of these little plastic covers that vendors give out as swag. Or I will tell you that a Band-Aid works perfectly well. I have used an Angry Birds Band-Aid as a webcam cover on a personal laptop for like three years. It doesn't have to be an expensive solution. The camera can turn on when you don't expect it. Or you may have left the camera cover open from your last meeting. You could have family members walking around behind you in their pajamas. So get a webcam cover and use it all the time.

Another thing — and employees should check with their enterprises — is that working from home, especially in the case of this pandemic, means working from home. It does not mean going to Starbucks and hanging around people who might transmit the virus. And if it is all right for employees to be working from another location, they should make sure not to do sensitive operations from unsecured Wi-Fi.

Once they have their work equipment at home, employees get tempted to start using it for all sorts of personal purposes. I'm sure employers will want me to say you should not be surfing inappropriate sites. Or going to any kind of clickbait sites that you wouldn't be going to from work. That's how you can end up downloading malware.

What about phishing risks?

Phishing risks are going to be very similar to what they would have seen in the office. Of course, if somebody calls them at home and claims to be from the help desk, they should hang up and call the help desk back. In other words, you know, the rules should be that, no matter what's going on and where you are, don't give sensitive information to anyone who calls you first.

Are most companies requiring that people working from home be logged in to VPNs?

I don't know, but we certainly know that enterprises are using VPNs and secure non-VPN solutions based on need. For example, if you're a privileged user or if you're a system administrator working from home, you may need to use the VPN to get access to all sorts of systems. You can't necessarily predict ahead of time because you might have to fix anything. But if you were a third-party partner or you're an employee who only needs access to one internal application, then it's entirely possible that the enterprise will want to lock it down.

With Duo, we make that possible without a VPN. So the enterprise needs to decide what kind of access they want each employee to have. Not that everybody comes in on a free-for-all on VPN and can get free rein everywhere. That's where breaches can happen. If companies are following the zero-trust model, they're checking even when people are inside the building and on the corporate network.

Related:


Can you explain the zero-trust model?

The idea has been around for a really long time, at least 20 years. It's no longer safe to assume things are secure inside a firewall. Assume enterprise assets are unprotected and you need to protect them appropriately as if they were in the Wild West. Check it early and often. It's not just checking to see IP address, it's checking the user, and it's where MFA comes in. Check security of a device to see if it's been compromised. Use practices like least privilege — don't give anybody access to anything they don't need. Or segmentation: Just because two things are on a network doesn't mean they need to talk with each other. Duo and Cisco's suite of products will help you achieve that. There are lots of vendors out there addressing different parts. Zero trust is a way of thinking, not a single product.

Should employees expect their employers to keep closer tabs on them online when they work from home?

Fundamentally that is a business question, not a security question. When I was a CISO [in finance and in education], I would have to have those discussions with businesses and say, "Look, you know, you're in charge of making sure that the employees are working however you want them to work." We're protecting the enterprise against attacks. So those are very different things.

I understand. Interesting that you put it that way.

The security group is not the good-taste police, either. If HR wants to monitor what users are doing, that's fine and that's their thing, but that is not something the security team generally has time to do or even wants to do, because they don't want to be the arbiters of good taste.

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep Reading Show less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep Reading Show less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep Reading Show less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins