People

The work-at-home advice cybersecurity firms are giving their employees

"Don't let your kids install anything."

A woman works at a laptop while a child plays nearby

As employees shelter in place and work at home, new security risks — including those imposed by children — are emerging.

Photo: Tom Werner/Getty Images

You and everyone on your team are suddenly working from home for the foreseeable future. That awesome security structure you had in place is now Swiss cheese at best, with employees using all sorts of devices and network setups to access corporate data.

How do you plug the biggest security holes as quickly as possible?

We asked more than a dozen cybersecurity companies to share the memos, emails and other guidance that they have sent to their own employees in the past few weeks to protect their systems. Here's what we found.

They're taking phishing really seriously

Almost every cybersecurity company we contacted has been regularly warning employees about sophisticated phishing attacks that leverage COVID-19 information to get victims to click on malicious files.

Joe Payne, chief executive of Code42, which makes software that detects and responds to insider threats, wrote in an email to all employees on March 24 that their CISO had reported "a huge surge in phishing activity. The bad people (and they really are bad people!) are preying on people's fear during this crisis. Do not click on links!!!"

The scams can take different forms, but workers should be especially suspicious of emails about workplace policy changes, emails that offer health advice, and messages that look like they're from the Centers for Disease Control and Prevention, advised a March 16, all-employee memo from Simon Biddiscombe, chief executive of MobileIron, which helps enterprises secure mobile devices and other endpoints.

"Cybercriminals have targeted employees' workplace email accounts. One phishing email begins, 'All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.' If you click on the fake company policy, you'll download malicious software," Biddiscombe wrote.

Cybersecurity companies including Veracode, Satori Cyber, OneLogin and F5 Networks all circulated ways to identify if an email is malicious — for example, by checking a domain before clicking on a link and verifying that a sender is who they say they are — and reminded employees how to report suspicious emails so that they can be analyzed by security teams.

"Let's make sure we don't get a different kind of virus," OneLogin's security team wrote in a March 17 email to all employees, advising that when they receive an unexpected message, to apply the "S-T-O-P principle": Stop, Take a deep breath, an Opportunity to think, and Put the email into perspective and report it to one of three teams.

They're talking about security constantly

To keep on top of rapidly evolving threats, cybersecurity firms have ramped up their regular communications with employees.

In addition to frequent security-related emails, FireEye chief executive Kevin Mandia has a standing weekly live call — held twice to accommodate all global team members — to reinforce the messages and address questions, a spokesperson said.

SecureLink chief executive Joe Devine holds a similar weekly meeting through Google Hangouts, and Chief Information Security Officer Tony Howlett sends out daily educational emails about the latest attack information and how to stay protected.

"When it comes to communications with our employees, we are now actively over-communicating with them to keep them informed about everything going on. Extreme transparency is always the best policy," Howlett said in an email to Protocol. "Repetition is key when it comes to educating employees on security best practices, so we send out regular bulletins that [recap] the latest attacks from that week and how you can keep yourself safe at home."

Everyone is IT now

Many of the steps that employees can take to protect themselves require some technical know-how, and some cybersecurity firms have created guides and checklists to help employees secure their home workspace without in-person guidance from IT staff.

Twilio, which helps companies manage their cloud communications security, has an internal wiki called "Protect Your Castle" that they've been updating daily since the outbreak began. The wiki has policies, guidelines and FAQs about working from home.

Security resources on the wiki include steps to take to protect your home network (for example, change the name of your Wi-Fi, change your router's username and password, and don't broadcast your SSID), and to protect your laptop and other devices from cyberthreats (turn off Bluetooth, update your software, delete apps that you don't use, use a VPN).

Not everyone on your team knows how to do these things? It's a great time for them to expand their skill set. SecureLink's cybersecurity team also put together a "Work From Home Security Guide" for employees that explains things like how to set up a VPN and multifactor authentication.

They're afraid of children

Even if workers do everything right, one 8-year-old downloading Minecraft modifications on a work computer can sabotage the whole system.

"Sometimes the work PC is now the best computer in the house," said Steve Grobman, chief technology officer at McAfee. "There needs to be a lot of thought before you let your kid do their homework on your work PC and possibly go to a website during a break that can put your company at risk."

Grobman said that many organizations allow employees to use work computers for some level of personal use, but they need to emphasize ways that workers can separate the two during the outbreak, when there may be several family members stuck at home with not enough devices.

Eldad Chai, chief executive of Satori Cyber, emphasized this point to employees at the end of a March 19 email about how to stay secure.

"Also, don't let your kids install anything :)," he said.

… and wash your hands

Below, check out some of the emails cybersecurity companies have sent to their employees.

1 / 5
Entertainment

Niantic’s future hinges on mapping the metaverse

The maker of Pokémon Go is hoping the metaverse will deliver its next big break.

Niantic's new standalone messaging and social app, Campfire, is a way to get players organizing and meeting up in the real world. It launches today for select Pokémon Go players.

Image: Niantic

Pokémon Go sent Niantic to the moon. But now the San Francisco-based augmented reality developer has returned to earth, and it’s been trying to chart its way back to the stars ever since. The company yesterday announced layoffs of about 8% of its workforce (about 85 to 90 people) and canceled four projects, Bloomberg reported, signaling another disappointment for the studio that still generates about $1 billion in revenue per year from Pokémon Go.

Finding its next big hit has been Niantic’s priority for years, and the company has been coming up short. For much of the past year or so, Niantic has turned its attention to the metaverse, with hopes that its location-based mobile games, AR tech and company philosophy around fostering physical connection and outdoor exploration can help it build what it now calls the “real world metaverse.”

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.

Every day, millions of us press the “order” button on our favorite coffee store's mobile application: Our chosen brew will be on the counter when we arrive. It’s a personalized, seamless experience that we have all come to expect. What we don’t know is what’s happening behind the scenes. The mobile application is sourcing data from a database that stores information about each customer and what their favorite coffee drinks are. It is also leveraging event-streaming data in real time to ensure the ingredients for your personal coffee are in supply at your local store.

Applications like this power our daily lives, and if they can’t access massive amounts of data stored in a database as well as stream data “in motion” instantaneously, you — and millions of customers — won’t have these in-the-moment experiences.

Keep Reading Show less
Jennifer Goforth Gregory
Jennifer Goforth Gregory has worked in the B2B technology industry for over 20 years. As a freelance writer she writes for top technology brands, including IBM, HPE, Adobe, AT&T, Verizon, Epson, Oracle, Intel and Square. She specializes in a wide range of technology, such as AI, IoT, cloud, cybersecurity, and CX. Jennifer also wrote a bestselling book The Freelance Content Marketing Writer to help other writers launch a high earning freelance business.
Climate

Supreme Court takes a sledgehammer to greenhouse gas regulations

The court ruled 6-3 that the EPA cannot use the Clean Air Act to regulate power plant greenhouse gas emissions. That leaves a patchwork of policies from states, utilities and, increasingly, tech companies to pick up the slack.

The Supreme Court struck a major blow to the federal government's ability to regulate greenhouse gases.

Eric Lee/Bloomberg via Getty Images

Striking down the right to abortion may be the Supreme Court's highest-profile decision this term. But on Thursday, the court handed down an equally massive verdict on the federal government's ability to regulate greenhouse gas emissions. In the case of West Virginia v. EPA, the court decided that the agency has no ability to regulate greenhouse gas pollution under the Clean Air Act. Weakening the federal government's powers leaves a patchwork of states, utilities and, increasingly, tech companies to pick up the slack in reducing carbon pollution.

Keep Reading Show less
Brian Kahn

Brian ( @blkahn) is Protocol's climate editor. Previously, he was the managing editor and founding senior writer at Earther, Gizmodo's climate site, where he covered everything from the weather to Big Oil's influence on politics. He also reported for Climate Central and the Wall Street Journal. In the even more distant past, he led sleigh rides to visit a herd of 7,000 elk and boat tours on the deepest lake in the U.S.

Fintech

Can crypto regulate itself? The Lummis-Gillibrand bill hopes so.

Creating the equivalent of the stock markets’ FINRA for crypto is the ideal, but experts doubt that it will be easy.

The idea of creating a government-sanctioned private regulatory association has been drawing more attention in the debate over how to rein in a fast-growing industry whose technological quirks have baffled policymakers.

Illustration: Christopher T. Fong/Protocol

Regulating crypto is complicated. That’s why Sens. Cynthia Lummis and Kirsten Gillibrand want to explore the creation of a private sector group to help federal regulators do their job.

The bipartisan bill introduced by Lummis and Gillibrand would require the CFTC and the SEC to work with the crypto industry to look into setting up a self-regulatory organization to “facilitate innovative, efficient and orderly markets for digital assets.”

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Enterprise

Alperovitch: Cybersecurity defenders can’t be on high alert every day

With the continued threat of Russian cyber escalation, cybersecurity and geopolitics expert Dmitri Alperovitch says it’s not ideal for the U.S. to oscillate between moments of high alert and lesser states of cyber readiness.

Dmitri Alperovitch (the co-founder and former CTO of CrowdStrike) speaks at RSA Conference 2022.

Photo: RSA Conference

When it comes to cybersecurity vigilance, Dmitri Alperovitch wants to see more focus on resiliency of IT systems — and less on doing "surges" around particular dates or events.

For instance, whatever Russia is doing at the moment.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.

Latest Stories
Bulletins