yesLevi SumagaysayNone
×

Get access to Protocol

Will be used in accordance with our Privacy Policy

I’m already a subscriber
People

'The new normal': Cisco security leader on WFH, MFA and the value of Band-Aids

A conversation with Wendy Nather on what companies, and their employees, should be thinking during the coronavirus crisis to protect their newly remote workplaces.

Wendy Nather, head of advisory CISOs at Duo Security, a division of Cisco

People who work from home need to cover their laptop cameras when they aren't using them, says Wendy Nather, who heads head of advisory CISOs at Duo Security, a division of Cisco. "I have used an Angry Birds Band-Aid as a webcam cover on a personal laptop for like three years," she says.

Photo: Courtesy of Cisco

Multitudes of people are telecommuting because of the coronavirus pandemic, with everyone from Facebook, Google and Apple to JPMorgan Chase to the federal government sending employees out of the office and into workstations — often hastily assembled — at their own homes.

Cisco, the computer networking giant and maker of Webex videoconferencing software, says more than 30% of its biggest global enterprise customers have asked the company to help them ramp up remote work, either by increasing access to Webex or bumping up the number of actual meetings. The San Jose company is seeing "unprecedented increases" in time spent in Webex meetings in Japan, Singapore, China and South Korea.


Get what matters in tech, in your inbox every morning. Sign up for Source Code.


But the profound shift comes with challenges, and a critical one is security. Protocol spoke with Wendy Nather, head of advisory CISOs at Duo Security, a division of Cisco, asking what companies should be thinking about to make sure their employees are protecting themselves and their employers. She talked about new normals and MFAs — and a great application for an Angry Birds Band-Aid.

This conversation has been edited for length and clarity.

People are using Webex for meetings. What other ways are they using videoconferencing?

I've seen it used for keeping communication channels open between people who are either in different parts of the same building or in different buildings. During the day they need to be able to exchange a couple of words like, "Oh, do you see that?" They're kind of virtually sitting together working on something, but it's not a short-term meeting with a beginning and an end. It's co-working by telepresence. And then there are a lot of people who are using telepresence to work on something together, like building a diagram or working on a document.

What do you recommend companies watch for with so many employees working from home, especially if the employees have never done this — or if it's been sort of a once-in-a-blue-moon kind of thing?

One of the most important things is a lot of enterprises will think of this as an aberration — you know, a temporary condition and everything will go back to normal afterward. This will just be a couple of weeks, or maybe a month, then everybody will go back into the office. They may be tempted to take shortcuts in setting up remote access for their users and thinking, "Well, we're just going to throw this up there, and it'll be OK because it's only for a month."

For example, going without multifactor authentication. Setting up something like a remote desktop protocol and just relying on usernames and passwords is very dangerous because attackers are always scanning the networks for these types of programs. A username and password is not going to keep them out. And so MFA is very, very important.

The other thing is we have to be realistic in that a lot of users may get used to working this way. Or the pandemic may last longer than we think it will. It may become a cyclical thing. And so it's better for enterprises to plan as though this is going to be the new normal. They should start thinking about wanting to support this long term.

What should employees who are working from home be watching out for?

The first thing they absolutely need, if they are going to be using videoconferencing and they haven't really done this before, is a webcam cover. It can be one of these little plastic covers that vendors give out as swag. Or I will tell you that a Band-Aid works perfectly well. I have used an Angry Birds Band-Aid as a webcam cover on a personal laptop for like three years. It doesn't have to be an expensive solution. The camera can turn on when you don't expect it. Or you may have left the camera cover open from your last meeting. You could have family members walking around behind you in their pajamas. So get a webcam cover and use it all the time.

Another thing — and employees should check with their enterprises — is that working from home, especially in the case of this pandemic, means working from home. It does not mean going to Starbucks and hanging around people who might transmit the virus. And if it is all right for employees to be working from another location, they should make sure not to do sensitive operations from unsecured Wi-Fi.

Once they have their work equipment at home, employees get tempted to start using it for all sorts of personal purposes. I'm sure employers will want me to say you should not be surfing inappropriate sites. Or going to any kind of clickbait sites that you wouldn't be going to from work. That's how you can end up downloading malware.

What about phishing risks?

Phishing risks are going to be very similar to what they would have seen in the office. Of course, if somebody calls them at home and claims to be from the help desk, they should hang up and call the help desk back. In other words, you know, the rules should be that, no matter what's going on and where you are, don't give sensitive information to anyone who calls you first.

Are most companies requiring that people working from home be logged in to VPNs?

I don't know, but we certainly know that enterprises are using VPNs and secure non-VPN solutions based on need. For example, if you're a privileged user or if you're a system administrator working from home, you may need to use the VPN to get access to all sorts of systems. You can't necessarily predict ahead of time because you might have to fix anything. But if you were a third-party partner or you're an employee who only needs access to one internal application, then it's entirely possible that the enterprise will want to lock it down.

With Duo, we make that possible without a VPN. So the enterprise needs to decide what kind of access they want each employee to have. Not that everybody comes in on a free-for-all on VPN and can get free rein everywhere. That's where breaches can happen. If companies are following the zero-trust model, they're checking even when people are inside the building and on the corporate network.

Related:


Can you explain the zero-trust model?

The idea has been around for a really long time, at least 20 years. It's no longer safe to assume things are secure inside a firewall. Assume enterprise assets are unprotected and you need to protect them appropriately as if they were in the Wild West. Check it early and often. It's not just checking to see IP address, it's checking the user, and it's where MFA comes in. Check security of a device to see if it's been compromised. Use practices like least privilege — don't give anybody access to anything they don't need. Or segmentation: Just because two things are on a network doesn't mean they need to talk with each other. Duo and Cisco's suite of products will help you achieve that. There are lots of vendors out there addressing different parts. Zero trust is a way of thinking, not a single product.

Should employees expect their employers to keep closer tabs on them online when they work from home?

Fundamentally that is a business question, not a security question. When I was a CISO [in finance and in education], I would have to have those discussions with businesses and say, "Look, you know, you're in charge of making sure that the employees are working however you want them to work." We're protecting the enterprise against attacks. So those are very different things.

I understand. Interesting that you put it that way.

The security group is not the good-taste police, either. If HR wants to monitor what users are doing, that's fine and that's their thing, but that is not something the security team generally has time to do or even wants to do, because they don't want to be the arbiters of good taste.

Policy

Arizona bill would reform Google and Apple app stores

HB2005 would allow app developers to use third-party payment systems.

HB2005 could make it through the Arizona House of Representatives as soon as this week.

Photo: James Yarema/Unsplash

Arizona State Rep. Regina Cobb hadn't even formally introduced her app store legislation last month when Apple and Google started storming into the state to lobby against it.

Apple tapped its own lobbyist, Rod Diridon, to begin lobbying in Arizona. It hired Kirk Adams, the former chief of staff to Arizona Gov. Doug Ducey and speaker of the Arizona House of Representatives, to negotiate with Cobb on its behalf. It quickly joined the Arizona Chamber of Commerce, which began lobbying against the bill. And lawyers for both Google and Apple went straight to the Arizona House's lawyers to argue that the bill is unconstitutional.

Keep Reading Show less
Emily Birnbaum

Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.

Sponsored Content

The future of computing at the edge: an interview with Intel’s Tom Lantzsch

An interview with Tom Lantzsch, SVP and GM, Internet of Things Group at Intel

An interview with Tom Lantzsch

Senior Vice President and General Manager of the Internet of Things Group (IoT) at Intel Corporation

Edge computing had been on the rise in the last 18 months – and accelerated amid the need for new applications to solve challenges created by the Covid-19 pandemic. Tom Lantzsch, Senior Vice President and General Manager of the Internet of Things Group (IoT) at Intel Corp., thinks there are more innovations to come – and wants technology leaders to think equally about data and the algorithms as critical differentiators.

In his role at Intel, Lantzsch leads the worldwide group of solutions architects across IoT market segments, including retail, banking, hospitality, education, industrial, transportation, smart cities and healthcare. And he's seen first-hand how artificial intelligence run at the edge can have a big impact on customers' success.

Protocol sat down with Lantzsch to talk about the challenges faced by companies seeking to move from the cloud to the edge; some of the surprising ways that Intel has found to help customers and the next big breakthrough in this space.

What are the biggest trends you are seeing with edge computing and IoT?

A few years ago, there was a notion that the edge was going to be a simplistic model, where we were going to have everything connected up into the cloud and all the compute was going to happen in the cloud. At Intel, we had a bit of a contrarian view. We thought much of the interesting compute was going to happen closer to where data was created. And we believed, at that time, that camera technology was going to be the driving force – that just the sheer amount of content that was created would be overwhelming to ship to the cloud – so we'd have to do compute at the edge. A few years later – that hypothesis is in action and we're seeing edge compute happen in a big way.

Keep Reading Show less
Saul Hudson
Saul Hudson has a deep knowledge of creating brand voice identity, especially in understanding and targeting messages in cutting-edge technologies. He enjoys commissioning, editing, writing, and business development, in helping companies to build passionate audiences and accelerate their growth. Hudson has reported from more than 30 countries, from war zones to boardrooms to presidential palaces. He has led multinational, multi-lingual teams and managed operations for hundreds of journalists. Hudson is a Managing Partner at Angle42, a strategic communications consultancy.
People

Citizen’s plan to keep people safe (and beat COVID-19) with an app

Citizen CEO Andrew Frame talks privacy, safety, coronavirus and the future of the neighborhood watch.

Citizen added COVID-19 tracking to its app over the summer — but its bigger plans got derailed.

Photo: Citizen

Citizen is an app built on the idea that transparency is a good thing. It's the place users — more than 7 million of them, in 28 cities with many more to come soon — can find out when there's a crime, a protest or an incident of any kind nearby. (Just yesterday, it alerted me, along with 17,900 residents of Washington, D.C., that it was about to get very windy. It did indeed get windy.) Users can stream or upload video of what's going on, locals can chat about the latest incidents and everyone's a little safer at the end of the day knowing what's happening in their city.

At least, that's how CEO Andrew Frame sees it. Critics of Citizen say the app is creating hordes of voyeurs, incentivizing people to run into dangerous situations just to grab a video, and encouraging racial profiling and other problematic behaviors all under the guise of whatever "safety" means. They say the app promotes paranoia, alerting users to things that they don't actually need to know about. (That the app was originally called "Vigilante" doesn't help its case.)

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

Transforming 2021

Blockchain, QR codes and your phone: the race to build vaccine passports

Digital verification systems could give people the freedom to work and travel. Here's how they could actually happen.

One day, you might not need to carry that physical passport around, either.

Photo: CommonPass

There will come a time, hopefully in the near future, when you'll feel comfortable getting on a plane again. You might even stop at the lounge at the airport, head to the regional office when you land and maybe even see a concert that evening. This seemingly distant reality will depend upon vaccine rollouts continuing on schedule, an open-sourced digital verification system and, amazingly, the blockchain.

Several countries around the world have begun to prepare for what comes after vaccinations. Swaths of the population will be vaccinated before others, but that hasn't stopped industries decimated by the pandemic from pioneering ways to get some people back to work and play. One of the most promising efforts is the idea of a "vaccine passport," which would allow individuals to show proof that they've been vaccinated against COVID-19 in a way that could be verified by businesses to allow them to travel, work or relax in public without a great fear of spreading the virus.

Keep Reading Show less
Mike Murphy

Mike Murphy ( @mcwm) is the director of special projects at Protocol, focusing on the industries being rapidly upended by technology and the companies disrupting incumbents. Previously, Mike was the technology editor at Quartz, where he frequently wrote on robotics, artificial intelligence, and consumer electronics.

People

Why the CEO of GoFundMe is calling out Congress on coronavirus

GoFundMe has seen millions of Americans asking for help to put food on the table and pay the bills. Tim Cadogan thinks Congress should help fix that.

"They need help with rent. They need help to get food. They need help with basic bills," GoFundMe CEO Tim Cadogan said. "That's what people need help with to get through this period."

Photo: John Lamparski/Getty Images

Tim Cadogan started his first day as CEO of GoFundMe about two weeks before the pandemic wrecked the world. He knew he was joining a company that tried to help people make extra money. He didn't know his company would become a lifeline for millions of Americans who couldn't pay their bills or put food on the table.

And so after a year in which millions of people have asked for help from strangers on GoFundMe, and at least $600 million has been raised (that number could be as much as $1 billion or more now, but GoFundMe didn't provide fundraising data past August) just for coronavirus-related financial crises, Cadogan has had enough. On Thursday, he wrote an open letter to Congress calling for a massive federal aid package aimed at addressing people's fundamental needs. In an unusual call for federal action from a tech CEO, Cadogan wrote that GoFundMe should not and can never replace generous Congressional aid for people who are truly struggling.

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (@ anna_c_kramer), where she helps write and produce Source Code, Protocol's daily newsletter. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

Latest Stories