The work-at-home advice cybersecurity firms are giving their employees
"Don't let your kids install anything."
You and everyone on your team are suddenly working from home for the foreseeable future. That awesome security structure you had in place is now Swiss cheese at best, with employees using all sorts of devices and network setups to access corporate data.
How do you plug the biggest security holes as quickly as possible?
We asked more than a dozen cybersecurity companies to share the memos, emails and other guidance that they have sent to their own employees in the past few weeks to protect their systems. Here's what we found.
They're taking phishing really seriously
Almost every cybersecurity company we contacted has been regularly warning employees about sophisticated phishing attacks that leverage COVID-19 information to get victims to click on malicious files.
Joe Payne, chief executive of Code42, which makes software that detects and responds to insider threats, wrote in an email to all employees on March 24 that their CISO had reported "a huge surge in phishing activity. The bad people (and they really are bad people!) are preying on people's fear during this crisis. Do not click on links!!!"
The scams can take different forms, but workers should be especially suspicious of emails about workplace policy changes, emails that offer health advice, and messages that look like they're from the Centers for Disease Control and Prevention, advised a March 16, all-employee memo from Simon Biddiscombe, chief executive of MobileIron, which helps enterprises secure mobile devices and other endpoints.
"Cybercriminals have targeted employees' workplace email accounts. One phishing email begins, 'All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.' If you click on the fake company policy, you'll download malicious software," Biddiscombe wrote.
Cybersecurity companies including Veracode, Satori Cyber, OneLogin and F5 Networks all circulated ways to identify if an email is malicious — for example, by checking a domain before clicking on a link and verifying that a sender is who they say they are — and reminded employees how to report suspicious emails so that they can be analyzed by security teams.
"Let's make sure we don't get a different kind of virus," OneLogin's security team wrote in a March 17 email to all employees, advising that when they receive an unexpected message, to apply the "S-T-O-P principle": Stop, Take a deep breath, an Opportunity to think, and Put the email into perspective and report it to one of three teams.
They're talking about security constantly
To keep on top of rapidly evolving threats, cybersecurity firms have ramped up their regular communications with employees.
In addition to frequent security-related emails, FireEye chief executive Kevin Mandia has a standing weekly live call — held twice to accommodate all global team members — to reinforce the messages and address questions, a spokesperson said.
SecureLink chief executive Joe Devine holds a similar weekly meeting through Google Hangouts, and Chief Information Security Officer Tony Howlett sends out daily educational emails about the latest attack information and how to stay protected.
"When it comes to communications with our employees, we are now actively over-communicating with them to keep them informed about everything going on. Extreme transparency is always the best policy," Howlett said in an email to Protocol. "Repetition is key when it comes to educating employees on security best practices, so we send out regular bulletins that [recap] the latest attacks from that week and how you can keep yourself safe at home."
Everyone is IT now
Many of the steps that employees can take to protect themselves require some technical know-how, and some cybersecurity firms have created guides and checklists to help employees secure their home workspace without in-person guidance from IT staff.
Twilio, which helps companies manage their cloud communications security, has an internal wiki called "Protect Your Castle" that they've been updating daily since the outbreak began. The wiki has policies, guidelines and FAQs about working from home.
Security resources on the wiki include steps to take to protect your home network (for example, change the name of your Wi-Fi, change your router's username and password, and don't broadcast your SSID), and to protect your laptop and other devices from cyberthreats (turn off Bluetooth, update your software, delete apps that you don't use, use a VPN).
Not everyone on your team knows how to do these things? It's a great time for them to expand their skill set. SecureLink's cybersecurity team also put together a "Work From Home Security Guide" for employees that explains things like how to set up a VPN and multifactor authentication.
They're afraid of children
Even if workers do everything right, one 8-year-old downloading Minecraft modifications on a work computer can sabotage the whole system.
"Sometimes the work PC is now the best computer in the house," said Steve Grobman, chief technology officer at McAfee. "There needs to be a lot of thought before you let your kid do their homework on your work PC and possibly go to a website during a break that can put your company at risk."
Grobman said that many organizations allow employees to use work computers for some level of personal use, but they need to emphasize ways that workers can separate the two during the outbreak, when there may be several family members stuck at home with not enough devices.
Eldad Chai, chief executive of Satori Cyber, emphasized this point to employees at the end of a March 19 email about how to stay secure.
"Also, don't let your kids install anything :)," he said.
… and wash your hands
Below, check out some of the emails cybersecurity companies have sent to their employees.