People

The work-at-home advice cybersecurity firms are giving their employees

"Don't let your kids install anything."

A woman works at a laptop while a child plays nearby

As employees shelter in place and work at home, new security risks — including those imposed by children — are emerging.

Photo: Tom Werner/Getty Images

You and everyone on your team are suddenly working from home for the foreseeable future. That awesome security structure you had in place is now Swiss cheese at best, with employees using all sorts of devices and network setups to access corporate data.

How do you plug the biggest security holes as quickly as possible?

We asked more than a dozen cybersecurity companies to share the memos, emails and other guidance that they have sent to their own employees in the past few weeks to protect their systems. Here's what we found.

They're taking phishing really seriously

Almost every cybersecurity company we contacted has been regularly warning employees about sophisticated phishing attacks that leverage COVID-19 information to get victims to click on malicious files.

Joe Payne, chief executive of Code42, which makes software that detects and responds to insider threats, wrote in an email to all employees on March 24 that their CISO had reported "a huge surge in phishing activity. The bad people (and they really are bad people!) are preying on people's fear during this crisis. Do not click on links!!!"

The scams can take different forms, but workers should be especially suspicious of emails about workplace policy changes, emails that offer health advice, and messages that look like they're from the Centers for Disease Control and Prevention, advised a March 16, all-employee memo from Simon Biddiscombe, chief executive of MobileIron, which helps enterprises secure mobile devices and other endpoints.

"Cybercriminals have targeted employees' workplace email accounts. One phishing email begins, 'All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.' If you click on the fake company policy, you'll download malicious software," Biddiscombe wrote.

Cybersecurity companies including Veracode, Satori Cyber, OneLogin and F5 Networks all circulated ways to identify if an email is malicious — for example, by checking a domain before clicking on a link and verifying that a sender is who they say they are — and reminded employees how to report suspicious emails so that they can be analyzed by security teams.

"Let's make sure we don't get a different kind of virus," OneLogin's security team wrote in a March 17 email to all employees, advising that when they receive an unexpected message, to apply the "S-T-O-P principle": Stop, Take a deep breath, an Opportunity to think, and Put the email into perspective and report it to one of three teams.

They're talking about security constantly

To keep on top of rapidly evolving threats, cybersecurity firms have ramped up their regular communications with employees.

In addition to frequent security-related emails, FireEye chief executive Kevin Mandia has a standing weekly live call — held twice to accommodate all global team members — to reinforce the messages and address questions, a spokesperson said.

SecureLink chief executive Joe Devine holds a similar weekly meeting through Google Hangouts, and Chief Information Security Officer Tony Howlett sends out daily educational emails about the latest attack information and how to stay protected.

"When it comes to communications with our employees, we are now actively over-communicating with them to keep them informed about everything going on. Extreme transparency is always the best policy," Howlett said in an email to Protocol. "Repetition is key when it comes to educating employees on security best practices, so we send out regular bulletins that [recap] the latest attacks from that week and how you can keep yourself safe at home."

Everyone is IT now

Many of the steps that employees can take to protect themselves require some technical know-how, and some cybersecurity firms have created guides and checklists to help employees secure their home workspace without in-person guidance from IT staff.

Twilio, which helps companies manage their cloud communications security, has an internal wiki called "Protect Your Castle" that they've been updating daily since the outbreak began. The wiki has policies, guidelines and FAQs about working from home.

Security resources on the wiki include steps to take to protect your home network (for example, change the name of your Wi-Fi, change your router's username and password, and don't broadcast your SSID), and to protect your laptop and other devices from cyberthreats (turn off Bluetooth, update your software, delete apps that you don't use, use a VPN).

Not everyone on your team knows how to do these things? It's a great time for them to expand their skill set. SecureLink's cybersecurity team also put together a "Work From Home Security Guide" for employees that explains things like how to set up a VPN and multifactor authentication.

They're afraid of children

Even if workers do everything right, one 8-year-old downloading Minecraft modifications on a work computer can sabotage the whole system.

"Sometimes the work PC is now the best computer in the house," said Steve Grobman, chief technology officer at McAfee. "There needs to be a lot of thought before you let your kid do their homework on your work PC and possibly go to a website during a break that can put your company at risk."

Grobman said that many organizations allow employees to use work computers for some level of personal use, but they need to emphasize ways that workers can separate the two during the outbreak, when there may be several family members stuck at home with not enough devices.

Eldad Chai, chief executive of Satori Cyber, emphasized this point to employees at the end of a March 19 email about how to stay secure.

"Also, don't let your kids install anything :)," he said.

… and wash your hands

Below, check out some of the emails cybersecurity companies have sent to their employees.

1 / 5
Enterprise

How Broadcom became an enterprise software power broker

Broadcom was once just a colorful chip company. With the acquisition of VMware, it’s trying to become a software powerhouse.

Broadcom's acquisition of VMware is its third major enterprise software deal in the last several years.

Photo: David Paul Morris/Bloomberg via Getty Images

If Wall Street had to invent a company, it would probably look a lot like Broadcom.

Once known primarily for its semiconductors, Broadcom has become something of a technology hedge fund, adding various potentially promising companies to its portfolio of businesses, as part of CEO Hock Tan’s quest to turn it into a software play. Through multiple billion-dollar acquisitions what has emerged is a conglomerate that is beloved by Wall Street analysts but difficult to look at as a coherent operation with a clear, core business.

Keep Reading Show less
Max A. Cherney

Max A. Cherney is a senior reporter at Protocol covering the semiconductor industry. He has worked for Barron's magazine as a Technology Reporter, and its sister site MarketWatch. He is based in San Francisco.

Sponsored Content

Why the digital transformation of industries is creating a more sustainable future

Qualcomm’s chief sustainability officer Angela Baker on how companies can view going “digital” as a way not only toward growth, as laid out in a recent report, but also toward establishing and meeting environmental, social and governance goals.

Three letters dominate business practice at present: ESG, or environmental, social and governance goals. The number of mentions of the environment in financial earnings has doubled in the last five years, according to GlobalData: 600,000 companies mentioned the term in their annual or quarterly results last year.

But meeting those ESG goals can be a challenge — one that businesses can’t and shouldn’t take lightly. Ahead of an exclusive fireside chat at Davos, Angela Baker, chief sustainability officer at Qualcomm, sat down with Protocol to speak about how best to achieve those targets and how Qualcomm thinks about its own sustainability strategy, net zero commitment, other ESG targets and more.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.

Enterprise

Broadcom is buying VMware for $61 billion. Now comes the cost cutting.

VMware executives were excited about its prospects after finally breaking from Dell Technologies. Under Broadcom, it will once again be a cog in a conglomerate.

VMware executives like CEO Raghu Raghuram were excited about its prospects after finally becoming independent six months ago.

Photo: VMware

While Broadcom’s $61 billion acquisition of VMware will further broaden the chipmaker’s growth prospects beyond semiconductors by giving it more enterprise software clout and recurring revenue, the immediate benefits are less apparent for VMware.

However, even while VMware will be getting its third owner since 2004, once the dust settles, the deal could provide stability for VMware and help shore up a business that’s been underperforming.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Enterprise

This new chip design could save Moore’s Law and reshuffle the industry

Intel, Samsung and TSMC are racing to achieve a generational leap in transistor technology. It might reshuffle the industry pecking order.

Photo: Intel Corporation

A once-in-a-decade shift is underway involving one of the most elemental building blocks of computer chips, and it has the potential to reshuffle the pecking order of chip giants for years to come.

Intel, Samsung and TSMC are racing to achieve a generational leap in transistor technology. This leap must occur to realize anything close to the computing requirements demanded by the ideas behind the metaverse, to produce AI that isn’t a joke, to make truly self-driving cars or even make apps load faster.

Keep Reading Show less
Max A. Cherney

Max A. Cherney is a senior reporter at Protocol covering the semiconductor industry. He has worked for Barron's magazine as a Technology Reporter, and its sister site MarketWatch. He is based in San Francisco.

Workplace

Who is doing your 'office housework'?

For marginalized employees, doing “glamour work” as opposed to office housework is the key to succeeding in the workplace.

"Dissecting who gets what work, why, and how both employees and managers can assign work more fairly is essential to making sure everyone has the opportunity to bring their fullest selves to their jobs."

Image: Rodale; Protocol

The following is an excerpt from “Seen, Heard, and Paid: The New Work Rules for the Marginalized” by Alan Henry. The book is available June 7.

RULE 5: Office Housework Will Never Get You Ahead (Getting the glamour work)

Think about your previous jobs. Have you ever had someone who everyone in your organization looked up to as the “office mom”? Was it you? Maybe that person scheduled the meetings, organized the calendars, ordered lunch for those meetings, took notes or minutes, and sent out agendas before and after those gatherings. Maybe they kept the supply closet stocked, kept pain medication on hand in case a coworker needed it, or knew the best place to get the good coffee. Maybe it was this individual’s job to know and do all these things, and the person was an administrative assistant for your team. But maybe — and, sometimes, more likely — they were a team member who just picked up those additional responsibilities on top of the work they were already doing.

Keep Reading Show less
Alan Henry
Alan Henry is a journalist and editor who writes and commissions stories that help readers make better use of their technology and embrace a healthier relationship with it in their lives. He is currently senior editor at Wired. He was previously the Smarter Living editor at The New York Times, and before that the editor in chief of the productivity and lifestyle blog Lifehacker.
Latest Stories
Bulletins