
'The new normal': Cisco security leader on WFH, MFA and the value of Band-Aids

A conversation with Wendy Nather on what companies, and their employees, should be thinking about during the coronavirus crisis to protect their newly remote workplaces.


People who work from home need to cover their laptop cameras when they aren't using them, says Wendy Nather, who is head of advisory CISOs at Duo Security, a division of Cisco. "I have used an Angry Birds Band-Aid as a webcam cover on a personal laptop for like three years," she says.

Photo: Courtesy of Cisco

Multitudes of people are telecommuting because of the coronavirus pandemic, with everyone from Facebook, Google and Apple to JPMorgan Chase to the federal government sending employees out of the office and into workstations — often hastily assembled — at their own homes.

Cisco, the computer networking giant and maker of Webex videoconferencing software, says more than 30% of its biggest global enterprise customers have asked the company to help them ramp up remote work, either by increasing access to Webex or bumping up the number of actual meetings. The San Jose company is seeing "unprecedented increases" in time spent in Webex meetings in Japan, Singapore, China and South Korea.




But the profound shift comes with challenges, and a critical one is security. Protocol spoke with Wendy Nather, head of advisory CISOs at Duo Security, a division of Cisco, asking what companies should be thinking about to make sure their employees are protecting themselves and their employers. She talked about new normals and MFAs — and a great application for an Angry Birds Band-Aid.

This conversation has been edited for length and clarity.

People are using Webex for meetings. What other ways are they using videoconferencing?

I've seen it used for keeping communication channels open between people who are either in different parts of the same building or in different buildings. During the day they need to be able to exchange a couple of words like, "Oh, do you see that?" They're kind of virtually sitting together working on something, but it's not a short-term meeting with a beginning and an end. It's co-working by telepresence. And then there are a lot of people who are using telepresence to work on something together, like building a diagram or working on a document.

What do you recommend companies watch for with so many employees working from home, especially if the employees have never done this — or if it's been sort of a once-in-a-blue-moon kind of thing?

One of the most important things is a lot of enterprises will think of this as an aberration — you know, a temporary condition and everything will go back to normal afterward. This will just be a couple of weeks, or maybe a month, then everybody will go back into the office. They may be tempted to take shortcuts in setting up remote access for their users and thinking, "Well, we're just going to throw this up there, and it'll be OK because it's only for a month."

For example, going without multifactor authentication. Setting up something like a remote desktop protocol and just relying on usernames and passwords is very dangerous because attackers are always scanning the networks for these types of programs. A username and password is not going to keep them out. And so MFA is very, very important.

The other thing is we have to be realistic in that a lot of users may get used to working this way. Or the pandemic may last longer than we think it will. It may become a cyclical thing. And so it's better for enterprises to plan as though this is going to be the new normal. They should start thinking about wanting to support this long term.

What should employees who are working from home be watching out for?

The first thing they absolutely need, if they are going to be using videoconferencing and they haven't really done this before, is a webcam cover. It can be one of these little plastic covers that vendors give out as swag. Or I will tell you that a Band-Aid works perfectly well. I have used an Angry Birds Band-Aid as a webcam cover on a personal laptop for like three years. It doesn't have to be an expensive solution. The camera can turn on when you don't expect it. Or you may have left the camera cover open from your last meeting. You could have family members walking around behind you in their pajamas. So get a webcam cover and use it all the time.

Another thing — and employees should check with their enterprises — is that working from home, especially in the case of this pandemic, means working from home. It does not mean going to Starbucks and hanging around people who might transmit the virus. And if it is all right for employees to be working from another location, they should make sure not to do sensitive operations from unsecured Wi-Fi.

Once they have their work equipment at home, employees get tempted to start using it for all sorts of personal purposes. I'm sure employers will want me to say you should not be surfing inappropriate sites. Or going to any kind of clickbait sites that you wouldn't be going to from work. That's how you can end up downloading malware.

What about phishing risks?

Phishing risks are going to be very similar to what they would have seen in the office. Of course, if somebody calls them at home and claims to be from the help desk, they should hang up and call the help desk back. In other words, you know, the rules should be that, no matter what's going on and where you are, don't give sensitive information to anyone who calls you first.

Are most companies requiring that people working from home be logged in to VPNs?

I don't know, but we certainly know that enterprises are using VPNs and secure non-VPN solutions based on need. For example, if you're a privileged user or if you're a system administrator working from home, you may need to use the VPN to get access to all sorts of systems. You can't necessarily predict ahead of time because you might have to fix anything. But if you were a third-party partner or you're an employee who only needs access to one internal application, then it's entirely possible that the enterprise will want to lock it down.

With Duo, we make that possible without a VPN. So the enterprise needs to decide what kind of access they want each employee to have. Not that everybody comes in on a free-for-all on VPN and can get free rein everywhere. That's where breaches can happen. If companies are following the zero-trust model, they're checking even when people are inside the building and on the corporate network.



Can you explain the zero-trust model?

The idea has been around for a really long time, at least 20 years. It's no longer safe to assume things are secure inside a firewall. Assume enterprise assets are unprotected and you need to protect them appropriately as if they were in the Wild West. Check it early and often. It's not just checking to see IP address, it's checking the user, and it's where MFA comes in. Check security of a device to see if it's been compromised. Use practices like least privilege — don't give anybody access to anything they don't need. Or segmentation: Just because two things are on a network doesn't mean they need to talk with each other. Duo and Cisco's suite of products will help you achieve that. There are lots of vendors out there addressing different parts. Zero trust is a way of thinking, not a single product.

Should employees expect their employers to keep closer tabs on them online when they work from home?

Fundamentally that is a business question, not a security question. When I was a CISO [in finance and in education], I would have to have those discussions with businesses and say, "Look, you know, you're in charge of making sure that the employees are working however you want them to work." We're protecting the enterprise against attacks. So those are very different things.

I understand. Interesting that you put it that way.

The security group is not the good-taste police, either. If HR wants to monitor what users are doing, that's fine and that's their thing, but that is not something the security team generally has time to do or even wants to do, because they don't want to be the arbiters of good taste.
