Community IT CEO Johan Hammerstrom runs through the three highest priorities for nonprofits that want to work remotely and need the IT support to do that.

Listen to Podcast

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on AppleSpotifyGoogleStitcher, Pandora, and more. Or ask your smart speaker.

Does Your Nonprofit Still Need an Office?

Community IT is seeing a huge increase in inquiries from nonprofits looking to downsize entirely and permanently from the expenses of an office that they no longer need.

But without a physical office, do you need different IT support? The answer is yes, and luckily new tools and IT management processes allow entirely remote work force to be supported entirely remotely, nationally, no matter where you are working from. Our colleagues like to call this “flexible” work, because it can happen from home, from a coffee shop, while you are traveling, even back in a hybrid office at a borrowed desk.

Johan walks through three important areas where IT needs are different for fully remote or hybrid organizations. If you are considering going fully remote, or have gone remote but are worried about the implications of that on your IT, this podcast can help you get started assessing your new needs.

Key Takeaways


Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.

As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.

Johan has always been interested in using technology as a force to address pressing and immediate problems through the nonprofit sector. Working directly with nonprofit organizations to help them use technology to accomplish their missions has been one of the most positive and rewarding experiences of his life.

Johan started at Community IT as a Network Administrator. Since that time, he has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, President, and beginning in 2020, CEO.

Johan graduated with Honors and a BS in Chemistry from Stanford University and received a master’s degree in Biophysics from Johns Hopkins University.

Johan Hammerstrom is a frequent speaker at NTEN events and Community IT’s monthly webinar series. He has presented webinars for Your Part Time Controller (YPTC), Nonprofit Hub, and Nonprofit Learning Lab, among other partners. His areas of expertise include nonprofit management, IT budgeting, IT strategic planning for nonprofits, and technology management. He is always thinking does your nonprofit need an office, and if not, how IT can support that.


Johan Hammerstrom:  All right. Hello, everyone. Welcome. My name is Johan Hammerstrom, I’m really happy to have you all here with us today. I’m the CEO of Community IT. Today we’re going to be discussing the rapidly changing IT landscape and how it’s evolved to really support working outside of an independent central office location.

Today’s presentation is really an overview of a lot of topics that we’ve been very interested in and following very closely really for the last two years. And there’s a lot of different threads right now in the world of IT that are really coming together in an interesting way. And that’s really the goal of today’s presentation. But we have a lot of resources that go into much more detail on these topics than what I’m going to be presenting today.

Today, I really want to try to answer this question: Do you still need an office? 

So I’ll just jump to the chase, this first question. Do you still need an office? The answer is, no.

You don’t really need an office, at least not from an IT perspective and for a long time, that wasn’t the case. There were a lot of things that you couldn’t do from an IT standpoint if you didn’t have an office, but that’s really changed pretty dramatically over the last two years or so. And there was a lot going on in IT leading up to that, but there’s a lot that’s changed that, that I want to go over with you today. 

Fundamentally, you no longer need on-premises equipment. And you no longer need onsite support. It’s possible to handle all of your equipment needs, all of the things that on-premises equipment was providing for you can be done in other ways and support can be delivered remotely.

It no longer requires the IT person, if you will, in the IT closet ready to respond to issues. 

So we feel like it’s something that allows an organization to be more agile and more flexible if they’re designing their IT systems as if they didn’t have an office. Like I said, there are other reasons why an office might be important for an organization. But I think the more you can get into a mindset of not having an office or not tying your IT infrastructure to a physical office, the better positions will be long-term because the uncertainty remains. 

Device Management

Because of that uncertainty, we really feel like organizations are future-proofing themselves. They’re creating greater robustness and reliability by planning an IT infrastructure that exists outside of the office. The place where that really happens first and foremost is around device management. 

So back in the day, think back 10 or 15 years, before the cloud was around. Most organizations had a server or a couple of servers in their closet or if they were a larger organization, maybe they had a dedicated server room. And all of the computers in the office were connecting to that server. And the server had all of your user accounts and passwords were stored there and your shared files were there. And the server was also responsible for making sure that all of the workstations were up to date on their patches and that the antivirus was running.

Everything required physical connection within an office in order for you to effectively manage devices. And that’s changed you no longer need that. And I want to talk a little bit about why that’s changed. All of the things that you used to rely on a server for have all moved out to the cloud. And a lot of that has to do with Microsoft and its cloud-based system. 

Many of you are probably familiar with Microsoft. I’m sure you’re all familiar with Microsoft, but you’re probably familiar with Microsoft Office 365. Many of you probably have your email hosted in Office 365. You may have moved your files to SharePoint or OneDrive. There’s a lot of Microsoft Office services that Microsoft moved out to the cloud. What you may not be aware of is that Microsoft also moved all the other things that were happening on that server in the closet, all of that’s been moved out to the cloud as well. 

Azure Active Directory

So now you don’t need a server to manage usernames and passwords. That’s all happening in what Microsoft calls Azure Active Directory, which is cloud hosted. And actually that’s the system that sits behind Office 365. So when you go to Office, to, to look at your work email and you’re logging in with a username and password, you’re actually logging into Azure Active Directory, and then that’s connecting you to your organization’s email resources.

Azure Active Directory is a very powerful tool, and it doesn’t just manage your user accounts, but you can also use it to register your Windows devices. So if you have Windows workstations that your organization is using, you can connect those also to Azure Active Directory. You can do what’s called, “join them” to the Azure domain. And that’s sort of the cloud-based version of what used to happen when your computers were joined to your on-premises domain. 


And this is very powerful because it enables you to use another tool that Microsoft provides called Microsoft Intune and that enables you to manage those devices remotely. [For further information view Prepare Your Laptops for Takeoff.]

So this is getting a little bit into the weeds, but there used to be this tool called “group policy.” Organizations could define a lot of things. They could automatically install printers. They could automatically add icons to the desktop of any of the computers that were on the local domain, as it was called. They could automate profile setups. You could even automate things like Internet Explorer bookmarks. Oftentimes organizations would set it up so that when you opened the web browser, it would default to the organization’s website. 

That was all being done through this system called group policy, but it required those machines to be on a local network and joined to a local domain. And so if you take your laptop home, then what happens? You’re not connecting to the local domain anymore. 

And for a while, people would use VPNs. Those were not very good. They were clunky, they’re difficult to use. There was another tool called Direct Access. Some of you might’ve heard of and been familiar with; also not great, difficult to use. 

Finally, Microsoft said, we’re not gonna try to facilitate you connecting your Windows laptop to this small office. Let’s just have you connect to the cloud and do all of these things from the cloud. And that’s really what Intune does. It enables organizations to manage all of their laptops through a cloud-based interface. 

If your organization is dispersed right now, and most of your staff are working from home, if you have Microsoft Intune set up, you’ll be able to see all of your organization’s laptops through a cloud-based interface. And those laptops are connecting directly to the Microsoft cloud. And from there, you can do all kinds of things. You can set up Windows configurations, all of the things that you used to be able to do locally, you can now do through the cloud. 

If your organization has certain standard software that needs to be installed on all of the laptops, that can be defined in Intune, and that can be rolled out in Intune, as well. So it’s a very powerful tool for centrally managing an organization’s laptops regardless of where they are. They no longer need to be in an office. And in fact, Microsoft has kind of deprecated group policy. Some of what we call “legacy methods” for managing laptops, they’re no longer really being supported actively by Microsoft. Microsoft really sees this as the future. 


Intune is very powerful. There’s some additional things you can do with Intune. One of the big challenges that we used to have prior to this system that Microsoft developed, is how do you get a laptop set up for new staff? Or, if someone leaves the organization, how do you take their laptop and make it available for their replacement? How does that work?

Back in the day, the laptop had to physically go to the office, to the IT department. They had to manually wipe the laptop. They had to put a new image on, they had to reinstall it. They had to configure it and set it up and it required a lot of that physical touch point. Well, what Microsoft allows you to do is enroll the hardware directly in Azure Active Directory. 

Let’s say you go to order a couple of new laptops from Dell. In the old days, you’d have to order the laptops from Dell, ship them to wherever your IT person was. That person would then get them set up and configured and then have to ship them out to the different staff. Now, when you order the laptops from Dell, you can specify that they are part of your organization and you can have them shipped directly to the staff and when they arrive and they turn them on, they’re basically going to get a welcome message saying welcome to your organization’s name. Please log in with your username and password. 

The laptop would start being configured automatically based on all of the policies that are set up for your organization. So essentially you enroll the hardware in Microsoft Autopilot and that tells Microsoft that this physical device belongs to your organization. Once that happens, then the only way you can access that device is using a username and password that is affiliated with your organization that’s present in Azure Active Directory. And once you log on, then all of the policies that you’ve defined in Intune automatically get applied to the laptop. And then if that person leaves the organization, you can reset the laptop automatically from the cloud and they can ship the laptop directly to another staff person. And it would start the process all over again. So it’s a very powerful tool for managing, configuring and provisioning laptops without having the need for a centralized office.


Another part of being in an office is the phone system. In most offices, well, I think it’s a mixed bag. A lot of organizations still had on-premises phone systems that they were using like a Mitel system. Some organizations had moved to cloud-based VoIP solutions like RingCentral, but they were still using handsets and dedicated hardware that was located in the office. In some cases, people took that hardware home with them. In some cases it won’t work at home. 

The traditional telephone systems really depended on a central office to work effectively. And we’ve now entered a world where any kind of telephone system you can think of, whether it’s a standard telephone system or receptionist system that has call routing rules or hunt groups, or even a call center that’s providing customer service, all of that can now be handled in the cloud and it doesn’t require any on-premises hardware at all. [for more information on going without an office phone, view Microsoft Telephony for Nonprofits. ] 

What we’ve seen a lot of is organizations moving away from a separate telephone system as a communication tool. As you all know, everybody, I think for the most part, has moved to Zoom or Teams or another video conferencing system. And a lot of the communications that have been happening which used to happen via telephone call are now happening via one of those video conferencing solutions. 

Telephones and telephone calling is becoming a subset of this richer form of communication, which could include a video conference, could include a one-to-one video call. It could include real-time chat. And our recommendation is for the most part go with the app that is most familiar to your staff. 

I think that’s one of the things that’s been particularly frustrating or confusing for a nonprofit staff with telephony is they have the software that they know how to use, which might be Zoom, or it might be Teams. And then they have this other telephone software or hardware, and it’s just a completely different user interface. It’s a completely different interaction paradigm and it becomes confusing and it becomes frustrating. Wait, what do you mean if I want to talk to somebody can’t I just push this button? Why do I have to go over to this other system and jump through all these hoops to make a call? So what’s happening is a lot of the most common solutions like Teams and Zoom are incorporating traditional telephony into their solution.

So you can bring together in one app, every method of communication that your organization might use, whether it’s video meetings or chat or phone calls. You can start any of those from your app. And you can collaborate seamlessly across the different software that you have at your organization. 

You may be in Teams all day and you’re going in and out of Teams meetings, you’re calling people in your organization using direct calling in Teams. And then, you have to call somebody outside of your organization. You don’t know how to get them on Teams, but you do have their phone number. You can just call them directly from Teams. 

This really simplifies the communication experience for the organization because instead of having to manage multiple software, everything can be done through Teams and it’s not just Teams. Zoom has a similar set of functionality where from the Zoom app, using the interface that you’re familiar with, you can go in and dial phone numbers and receive calls as well. 

With both Teams and Zoom you can migrate over your existing phone numbers and accept calls as well as make calls. So this is just kind of a quick overview of how all of this works.

It’s important to look at your current phone system, find out how long your contract term is for. And when, when the contract is up, maybe five or six months ahead of that would be a good time for you to start potentially looking at other options. 

Now, there are plenty of use cases where it still makes sense to have a traditional phone system, but if you’re no longer inhabiting an office, you can move towards a system like this. In general, it’s going to handle most of your telephony needs. 

Can you move phone numbers from another VoIP service to Teams? Looking to keep phone numbers from another service. 

The answer is, yes. To enable this in Teams really means setting it up in Microsoft 365. So you have to purchase additional licenses, assign those to user accounts and then they get provisioned in Microsoft Business Voice. And then as part of that process, you can port phone numbers over from your existing provider into Microsoft Business Voice. So it is possible to move the phone numbers over. 

I think if you’re a small organization with maybe, 10, 15, 20 staff, and your staff are not making or taking a lot of phone calls, that’s probably a relatively straightforward process that you could do on your own if you’re savvy with Microsoft’s licensing and administration on the backend of Microsoft 365. If you’re a large organization where you use your phone system in a more robust way, then it’d probably be worth getting some assistance with that and making sure that you do a really thorough job of vetting, whether or not this is going to be the right solution for the organization. The same holds for Zoom’s phone as well. You can port the phone numbers over from Zoom. 


So let me go on to the next topic, which is cybersecurity. So this is partly motivated by this concept of beyond the office and working outside of an office. And it’s partly motivated by just an explosion of cybersecurity incidents. You’ve probably seen them in the news. We’ve certainly seen it firsthand with the organizations that we support, organizations that are coming to us to help them post incident. So there’s a lot going on. 

It continues to grow, unfortunately, as a problem that plagues most small businesses and nonprofit organizations and large, I mean, everybody, we’re all subject to cybersecurity problems and challenges.

So it’s really important. The theme here is when you move outside of your office, it used to be like a walled garden behind a firewall where you controlled and protected all of the machines and information in your office. Now that everything is in the cloud and distributed and dispersed it really changes the mentality that you need for thinking about cybersecurity. 

It’s a large problem. It’s a growing problem. And we really try to emphasize it as much as we can to the organizations that we support. It’s really something you can’t take too seriously. We found, if you can improve your cyber security posture in any way, you really should. 

What are some of the best [cybersecurity] practices?

These are what we consider minimal acceptable standards. 

Policy review is not… there may be some people who live for it, but in most organizations, everyone’s kind of relieved when the policy has been written or reviewed and can be safely stored in a secure place in the file system. 

The fact is, if you’re not reviewing it on a regular basis, it’s going to get out of date very quickly. And it’s not just about having the written policy, but about the thought process you have to go through in order to write the policy. 

We see IT acceptable use policies that still refer to tools and technology that haven’t been used in years. Social, like MySpace, I’ve seen in some IT acceptable use policy documents. I think MySpace might still be around, but if it’s being referred to in your acceptable use policy, it probably means no one’s looked at it in a while. There are a lot of new threats and working from home that should really be incorporated into that. So if you haven’t looked at it in a while, I would encourage you to take a look at it and to update it. 

Microsoft has a pretty good update rhythm and the updates are coming out regularly. You can manage that to a certain extent through Intune, which I talked about earlier. The update is released because basically there’s a vulnerability that is known and has been published. And there are plenty of hackers. We often hear about the “zero day vulnerabilities” and that’s very scary because it means there’s hackers that are using weaknesses in our computers that no one’s aware of and are using those to infiltrate our systems and to steal information and wreak havoc. But the reality is those are very expensive and those are generally being used by nation state actors, or for very high profile, organized cybercrime activity.

Most hackers, most cyber criminals out there, they’re not bothering with those because they know there are plenty of people that don’t keep their computers up to date. They can use last year’s exploits or the year before’s exploits to hack computers. So you really have to keep your computers up to date. You have to make sure that all of the computers that are being managed by your organization and that your staff are using to do work, have their patches and their security systems up to date. 

It’s not a cure-all. Antivirus doesn’t save you from all problems, but if you don’t have it, you’re almost guaranteed to experience issues. So that’s important. 

In fact, this year many of the organizations that we support have basically been given notice by their insurance companies that if you don’t have multi-factor authentication enabled across your organization, we are going to cancel your cyber liability policy or your premiums are going to go up drastically. The insurance industry has really been rocked by cyber incidents over the last year. A lot of money is being lost. And so the insurance companies are getting very serious about cybersecurity. Multifactor authentication is one of the best ways to protect your accounts from being hacked. 

Ransomware is the cybercriminal activity where malicious software gets deployed to your computers, encrypts all of the files on the computer and you can’t get any of your data unless you pay a ransom to get the decryption key. Don’t pay the ransom, have a backup of your files instead and then you can just ignore the ransom request, delete all the encrypted files and restore from your backup. So backups are generally speaking the best way to protect yourself against ransomware attacks.

But a lot of cybercrime happens through phishing, through emails. If you’ve got your spam filtering set up, it can help a lot. It can’t protect you against everything, though. 

We use a solution called KnowBe4, which basically sends out fake phishing campaigns. So it’s pretending to be a hacker sending out emails. And then if someone clicks on one of those fake phishing attempts, it takes them to a website that says, “Well, it turns out this was a fake phishing attempt. If this had been a real phishing attempt, your computer would be compromised at this point.” And then it takes them to a little training video where they can learn more about hacking attempts and all that. We found it to be very effective. Just a little bit of training goes a long way. And none of these other tools are going to be effective if your staff are not trained, as well. So training is very important.

Action Steps for Cybersecurity

It’s really important to prioritize cyber security. Here are some action steps that you can take. If you want to make cybersecurity a more central part of your organization, review your existing controls and have a clear understanding of your risk profile

Really think about who might be targeting you. Most organizations probably don’t have enemies that are actively targeting them. They’re just subject to the same kind of cybercrime that we’re all experiencing, but some organizations do have adversaries that are going after them. And you want to understand who they are and what their motives are. It’s really important to know your adversary when you’re developing a security posture. 

And then finally you want to make sure that it’s budgeted and cybersecurity has to be included in your budget.

I would say that of all of the things, you need to budget enough to make sure the computers are being updated, all of the minimum acceptable standards that I reviewed. Make sure you have enough in your budget to ensure that the computers are being updated.

And it’s important to note that that is not a software solution, it’s an IT management solution. So there is software involved in it, but it needs to be an IT management process in the sense that someone is reviewing it, making sure that it’s running and making sure that the updates are happening. 

Identifying someone in the organization or outsourcing to your IT support provider to take that on. Making sure that antivirus is included. I know a lot of organizations have started to use Microsoft’s Windows Defender for their antivirus. It’s a good solution. And in some ways, antivirus is one of the most commoditized IT solutions out there. They’re basically all using the same definitions, the same type of engine, the same sort of scanning to see if you have any viruses on your machine.

There’s not a great difference between different virus solutions on the computer software standpoint, the difference comes in with the management. It’s the same sort of thing. 

If the engine stops running, the definition stops being updated, you need to make sure that you have a way of figuring that out quickly and addressing it quickly. So that’s our only concern with Windows Defender. We’re not entirely sure that the management interface is as good as some of the dedicated anti-virus tools. 

So you want to make sure that you have that and pay for the additional licenses. If you have a Microsoft 365, multi-factor is important, paying for backups is important. I would do a bottom up budgeting exercise where you’re figuring out how much it is going to cost to do all of these things effectively, security awareness training. And those costs will depend on the specific solutions that you go with. 

How do I select a remote support person? 

Depending on the size of your organization, you’d want to think about if you’re a smaller organization that’s relatively independent. Your staff generally know what they’re doing, but you just need to call someone every once in a while when you have issues arise that are beyond the technical ability of your existing staff. In those cases, I feel like independent consultants can be very effective. 

If you’re interested in having someone take ownership of managing technology for the organization and your staff need a help desk to call regularly, then I would recommend looking at going with a managed services provider. We actually have a guide on our website that you can download “12 Questions You Should Ask a Managed Services Provider” that you’re considering working with. 

Obviously, we’d love to be considered. Usually, what happens in the nonprofit sector is people go to their peers, they ask around and find out, “Well, who are you working with? Who do you like?” And I would definitely talk to at least three or four different managed services providers before making a decision on who to work with.

All right. Well, thank you all so much for joining us today and I hope you have a great afternoon.