Source Code: Your daily look at what matters in tech.

source-codesource codeauthorAdam JanofskyNoneWant your finger on the pulse of everything that's happening in tech? Sign up to get David Pierce's daily newsletter.64fd3cbe9f
×

Get access to Protocol

Your information will be used in accordance with our Privacy Policy

I’m already a subscriber
People

The work-at-home advice cybersecurity firms are giving their employees

"Don't let your kids install anything."

A woman works at a laptop while a child plays nearby

As employees shelter in place and work at home, new security risks — including those imposed by children — are emerging.

Photo: Tom Werner/Getty Images

You and everyone on your team are suddenly working from home for the foreseeable future. That awesome security structure you had in place is now Swiss cheese at best, with employees using all sorts of devices and network setups to access corporate data.

How do you plug the biggest security holes as quickly as possible?

We asked more than a dozen cybersecurity companies to share the memos, emails and other guidance that they have sent to their own employees in the past few weeks to protect their systems. Here's what we found.

They're taking phishing really seriously

Almost every cybersecurity company we contacted has been regularly warning employees about sophisticated phishing attacks that leverage COVID-19 information to get victims to click on malicious files.

Joe Payne, chief executive of Code42, which makes software that detects and responds to insider threats, wrote in an email to all employees on March 24 that their CISO had reported "a huge surge in phishing activity. The bad people (and they really are bad people!) are preying on people's fear during this crisis. Do not click on links!!!"

The scams can take different forms, but workers should be especially suspicious of emails about workplace policy changes, emails that offer health advice, and messages that look like they're from the Centers for Disease Control and Prevention, advised a March 16, all-employee memo from Simon Biddiscombe, chief executive of MobileIron, which helps enterprises secure mobile devices and other endpoints.

"Cybercriminals have targeted employees' workplace email accounts. One phishing email begins, 'All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.' If you click on the fake company policy, you'll download malicious software," Biddiscombe wrote.

Cybersecurity companies including Veracode, Satori Cyber, OneLogin and F5 Networks all circulated ways to identify if an email is malicious — for example, by checking a domain before clicking on a link and verifying that a sender is who they say they are — and reminded employees how to report suspicious emails so that they can be analyzed by security teams.

"Let's make sure we don't get a different kind of virus," OneLogin's security team wrote in a March 17 email to all employees, advising that when they receive an unexpected message, to apply the "S-T-O-P principle": Stop, Take a deep breath, an Opportunity to think, and Put the email into perspective and report it to one of three teams.

They're talking about security constantly

To keep on top of rapidly evolving threats, cybersecurity firms have ramped up their regular communications with employees.

In addition to frequent security-related emails, FireEye chief executive Kevin Mandia has a standing weekly live call — held twice to accommodate all global team members — to reinforce the messages and address questions, a spokesperson said.

SecureLink chief executive Joe Devine holds a similar weekly meeting through Google Hangouts, and Chief Information Security Officer Tony Howlett sends out daily educational emails about the latest attack information and how to stay protected.

"When it comes to communications with our employees, we are now actively over-communicating with them to keep them informed about everything going on. Extreme transparency is always the best policy," Howlett said in an email to Protocol. "Repetition is key when it comes to educating employees on security best practices, so we send out regular bulletins that [recap] the latest attacks from that week and how you can keep yourself safe at home."

Everyone is IT now

Many of the steps that employees can take to protect themselves require some technical know-how, and some cybersecurity firms have created guides and checklists to help employees secure their home workspace without in-person guidance from IT staff.

Twilio, which helps companies manage their cloud communications security, has an internal wiki called "Protect Your Castle" that they've been updating daily since the outbreak began. The wiki has policies, guidelines and FAQs about working from home.

Security resources on the wiki include steps to take to protect your home network (for example, change the name of your Wi-Fi, change your router's username and password, and don't broadcast your SSID), and to protect your laptop and other devices from cyberthreats (turn off Bluetooth, update your software, delete apps that you don't use, use a VPN).

Not everyone on your team knows how to do these things? It's a great time for them to expand their skill set. SecureLink's cybersecurity team also put together a "Work From Home Security Guide" for employees that explains things like how to set up a VPN and multifactor authentication.

They're afraid of children

Even if workers do everything right, one 8-year-old downloading Minecraft modifications on a work computer can sabotage the whole system.

"Sometimes the work PC is now the best computer in the house," said Steve Grobman, chief technology officer at McAfee. "There needs to be a lot of thought before you let your kid do their homework on your work PC and possibly go to a website during a break that can put your company at risk."

Grobman said that many organizations allow employees to use work computers for some level of personal use, but they need to emphasize ways that workers can separate the two during the outbreak, when there may be several family members stuck at home with not enough devices.

Eldad Chai, chief executive of Satori Cyber, emphasized this point to employees at the end of a March 19 email about how to stay secure.

"Also, don't let your kids install anything :)," he said.

… and wash your hands

Below, check out some of the emails cybersecurity companies have sent to their employees.

1 / 5

The metaverse is coming, and Robinhood's IPO is here

Plus, what we learned from Big Tech's big quarter.

Image: Roblox

On this episode of the Source Code podcast: First, a few takeaways from another blockbuster quarter in the tech industry. Then, Janko Roettgers joins the show to discuss Big Tech's obsession with the metaverse and the platform war that seems inevitable. Finally, Ben Pimentel talks about Robinhood's IPO, and the company's crazy route to the public markets.

For more on the topics in this episode:

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

After a year and a half of living and working through a pandemic, it's no surprise that employees are sending out stress signals at record rates. According to a 2021 study by Indeed, 52% of employees today say they feel burnt out. Over half of employees report working longer hours, and a quarter say they're unable to unplug from work.

The continued swell of reported burnout is a concerning trend for employers everywhere. Not only does it harm mental health and well-being, but it can also impact absenteeism, employee retention and — between the drain on morale and high turnover — your company culture.

Crisis management is one thing, but how do you permanently lower the temperature so your teams can recover sustainably? Companies around the world are now taking larger steps to curb burnout, with industry leaders like LinkedIn, Hootsuite and Bumble shutting down their offices for a full week to allow all employees extra time off. The CEO of Okta, worried about burnout, asked all employees to email him their vacation plans in 2021.

Keep Reading Show less
Stella Garber
Stella Garber is Trello's Head of Marketing. Stella has led Marketing at Trello for the last seven years from early stage startup all the way through its acquisition by Atlassian in 2017 and beyond. Stella was an early champion of remote work, having led remote teams for the last decade plus.

Facebook wants to be like Snapchat

Facebook is looking to make posts disappear, Google wants to make traffic reports more accurate, and more patents from Big Tech.

Facebook has ephemeral posts on its mind.

Image: Protocol

Welcome to another week of Big Tech patents. Google wants to make traffic reports more accurate, Amazon wants to make voice assistants more intelligent, Microsoft wants to make scheduling meetings more convenient, and a ton more.

As always, remember that the big tech companies file all kinds of crazy patents for things, and though most never amount to anything, some end up defining the future

Keep Reading Show less
Karyne Levy

Karyne Levy ( @karynelevy) is the West Coast editor at Protocol. Before joining Protocol, Karyne was a senior producer at Scribd, helping to create the original content program. Prior to that she was an assigning editor at NerdWallet, a senior tech editor at Business Insider, and the assistant managing editor at CNET, where she also hosted Rumor Has It for CNET TV. She lives outside San Francisco with her wife, son and lots of pets.

Protocol | China

China’s edtech crackdown isn’t what you think. Here’s why.

It's part of an attempt to fix education inequality and address a looming demographic crisis.

In the past decade, China's private tutoring market has expanded rapidly as it's been digitized and bolstered by capital.

Photo: Getty Images

Beijing's strike against the private tutoring and ed tech industry has rattled the market and led observers to try to answer one big question: What is Beijing trying to achieve?

Sweeping policy guidelines issued by the Central Committee of the Chinese Communist Party on July 24 and the State Council now mandate that existing private tutoring companies register as nonprofit organizations. Extracurricular tutoring companies will be banned from going public. Online tutoring agencies will be subject to regulatory approval.

Keep Reading Show less
Shen Lu

Shen Lu is a reporter with Protocol | China. She has spent six years covering China from inside and outside its borders. Previously, she was a fellow at Asia Society's ChinaFile and a Beijing-based producer for CNN. Her writing has appeared in Foreign Policy, The New York Times and POLITICO, among other publications. Shen Lu is a founding member of Chinese Storytellers, a community serving and elevating Chinese professionals in the global media industry.

It’s soul-destroying and it uses DRM, therefore Peloton is tech

"I mean, the pedals go around if you turn off all the tech, but Peloton isn't selling a pedaling product."

Is this tech? Or is it just a bike with a screen?

Image: Peloton and Protocol

One of the breakout hits from the pandemic, besides Taylor Swift's "Folklore," has been Peloton. With upwards of 5.4 million members as of March and nearly $1.3 billion in revenue that quarter, a lot of people are turning in their gym memberships for a bike or a treadmill and a slick-looking app.

But here at Protocol, it's that slick-looking app, plus all the tech that goes into it, that matters. And that's where things got really heated during our chat this week. Is Peloton tech? Or is it just a bike with a giant tablet on it? Can all bikes be tech with a little elbow grease?

Keep Reading Show less
Karyne Levy

Karyne Levy ( @karynelevy) is the West Coast editor at Protocol. Before joining Protocol, Karyne was a senior producer at Scribd, helping to create the original content program. Prior to that she was an assigning editor at NerdWallet, a senior tech editor at Business Insider, and the assistant managing editor at CNET, where she also hosted Rumor Has It for CNET TV. She lives outside San Francisco with her wife, son and lots of pets.

Latest Stories