Remote Staff, Office Staff—Tech Tips For Nonprofits
Many nonprofits are considering or in the process of reintegrating back into their physical offices. With the sudden shift to working from home, many organizations scrambled to put tools and systems in place quickly over the past few months for their remote staff and office staff.
Many of us allowed staff to use personal computers and devices, quickly set up file sharing platforms, and moved to using Zoom for conference calls.
In the rush to be operational it was hard to take the time to compare new tools to existing tools, or consider the security ramifications of any of these sudden changes. In short, even if we did our best to implement thoughtful technology change management, circumstances have made measured approaches quite difficult.
Now, the question is: How to take the benefits from that experience and bring new data, policies, and processes into our official systems of record and cybersecure best practices?
View our CEO Johan Hammerstrom and expert guests Director of IT Consulting Steve Longenecker and COO Johanny Torrico in a discussion of what works about remote working, what could be better, and what we can do to move forward thoughtfully as nonprofit offices reopen.
We address two main aspects of remote staff, office staff reintegration.
Is your nonprofit working all remote, all back to a physical office, or a hybrid blend?
- We touch on technology tips and best practices for several “back to the office” scenarios – we know the nonprofit community is never one-size-fits-all.
- Community IT knows our sector already has considerable experience in many remote working/hybrid scenarios. This conversation covers existing and new best practices.
Does your nonprofit have in place the policies and security you need to support your new reality?
- Update your written technology policies to incorporate new practices
- Budget and plan to support new processes and platforms
- Review your cybersecurity stance and (re)train your users on security best practices. Hackers have a lot of time on their hands at the moment, and are adjusting rapidly to new vulnerabilities. We don’t want a preventable security issue to be your next headache.
We know our nonprofits will be called on over the next few years to provide more support to our communities than ever before. Put your best foot forward with the technology tips you need now for your remote staff and office staff.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT Innovators CEO Johan Hammerstrom has always been interested in using technology as a force for good that can improve our world. In college, he pursued this interest through science, first studying Chemistry, Physics and Biology at Stanford University, graduating with Honors with a BS in Chemistry. He then studied Biophysics at Johns Hopkins University and received a Masters Degree.
The time spent in Baltimore convinced Johan that there were more pressing and immediate problems that technology could and should be used to address. He pursued a career in Information Technology, with the express goal of improving our communities and our world. He started at Community IT in 1999 as a Network Administrator. Since that time, Johan has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, and beginning July 2015 President and CEO. Working directly with over 200 nonprofit organizations, to help them plan around and use technology to accomplish their missions, has been one of the most positive and rewarding experiences of his life.
Johan has a long experience in the nonprofit technology community and is looking forward to helping our colleagues address the uncertainties of our current moment and sharing some tech tips for remote staff and office staff coming back to your nonprofit.
Johanny Torrico is currently Chief Operating Officer, leading the largest team at Community IT. She joined Community IT in December 2006 after serving as Director of Technology for The National Association of People with AIDS (NAPWA) for nearly four years. During her tenure at Community IT, Johanny has mastered every role she took on including network administrator, network engineer, and service manager. She still enjoys providing technical support to our clients, participating in our professional services team, and implementing technical solutions.
Johanny holds a B.S. in Computer Information Systems. She is a VMware Certified Professional and recently became a Microsoft Certified IT Professional for Office 365.
As Director of IT Consulting, Steve Longenecker divides his time at Community IT between project managing client projects and consulting with clients on IT planning. Steve’s appreciation for working at Community IT Innovators is rooted in respect for the company’s dream and vision, and for the excellent colleagues that the dream and vision attract. Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.
Johan Hammerstrom: Welcome to the June Community IT Innovators’ Webinar. Thank you for joining us for today’s webinar on working remotely and potentially planning for a return to your office. My name is Johan Hammerstrom, and I am the CEO of Community IT and I’m also the moderator for the webinar series. I’m going to be a co-presenter of today’s webinar. I would like to take a moment to welcome my fellow co-presenters. Good afternoon, Johanny.
Johanny Torrico: Good afternoon Johan, thank you for having me.
Johan Hammerstrom: Yes, thank you for joining us. Johanny is our Chief Operating Officer and I would also like to welcome Steve Longenecker. Hello, Steve.
Steve Longenecker: Hi, Johan, thanks for having me as well.
Johan Hammerstrom: Yeah, thank you for being here. Steve is our Director of IT Consulting. Before we begin, I would like to tell you a little bit more about our company. Community IT is a 100 percent employee owned company and our team of almost 40 staff is dedicated to helping nonprofit organizations advance their missions, with the effective use of technology. We are technology experts and we have been, year after year, named in the top 200 North America managed services providers by Channel Futures and we were a 2019 winner in their Global MSP 501.
So thank you again for joining us today, and I’m going to go through the planned agenda for our webinar today. We’re going to try to cover all these situations. We know that some nonprofit organizations are in the process of returning to their offices in some form, we know that other nonprofits are continuing to work remotely. I think it’s likely that most organizations will be working remotely on some level.
- So we’re going to spend some time talking about best practices for working remotely as an organization.
- We’re going to specifically focus on some of the cybersecurity issues that we’ve encountered over the last three months since the start of the pandemic and cybersecurity is a real priority for us, at Community IT, so we’re going to spend a little bit of dedicated time on that. We’ll talk about some good practices for cybersecurity,
- and then finally we’ll go through some tips for potentially reintegrating, going back to the office or moving into more of a hybrid remote and in office work environment.
We put this webinar on our editorial calendar about two months ago so, if you think back to mid April, it was really unclear at that time what was going to happen. I think there was great hope that the Coronavirus pandemic would be more under control and that cities and states would be in the process of reopening, potentially organizations will be going back to work. But we didn’t know, and I think the uncertainty associated with the Coronavirus is something that’s making it challenging to plan. So it’s challenging for us to plan the webinar, also challenging for all of you in terms of what you’re going to be doing with your organizations now and for the rest of the year.
I think we decided intentionally when we scheduled this webinar that we were going to be flexible in terms of what we plan to cover and that in fact that made sense, because flexibility is something that’s being asked of all of us, these days in light of the changing situation.
Let’s talk a little bit about remote work challenges and I think our assumption is that most organizations are going to continue to work remotely either entirely or at least many of their staff will probably continue to work remotely for the foreseeable future. And so I think it’s important to think about, now that we’ve all had three months of remote work behind us, we can talk a little bit about some of the specific challenges that we’ve faced, that our clients have faced, and that any nonprofit organizations are facing.
So one of the challenges has to do with management, just overseeing staff. It makes checking in with people more difficult, particularly if you’re an organization that’s used to working out of a single office, and just being able to check in on people, find out how they’re doing. A lot of the face to face interactions that support management and team work have become more difficult. Basic reporting to supervisors has become more challenging in a remote work environment. So that’s one major area of challenge.
Another is the security holes and we’ll get into this in a lot more detail, but working from home in some ways particularly with regards to IT, creates new security vulnerabilities that maybe weren’t there before.
Specialized applications can be challenging to access particularly if you had a specialized line of business application, with software that you were using from your office, providing staff with the access to that application now can be challenging.
And the last one, I guess this is a challenge, proactive planning pays off, it was very difficult for all of us to be proactive when it came to the Coronavirus, even for those organizations who were sort of ahead of that curve in terms of our response. Here in the United States, I don’t think anyone came into 2020 on January 1st being prepared for what we’ve had to deal with over the last three months. One of the challenges here is, it’s just been hard to be proactive in a situation that would have benefited from some proactive attention. Steve, Johanny anything you want to add?
Steve Longenecker: This is Steve, yeah it’s obviously Steve, I have a different voice than Johanny. I would add a couple things to this slide or to this part of the presentation, definitely some clients were more prepared for this than others. Whether it was proactive planning or a number of our clients were leveraging the Cloud and thinking about remote work as a benefit to their staff, a while ago. It wasn’t because they were preparing for Covid-19, but because it was something they wanted to do anyway and those organizations were definitely in a better place when this started.
Another thing that I think the bigger picture for our clients, which are nonprofits, is the tremendous financial uncertainty that this whole thing has created for our clients. We’re seeing it at Community IT in terms of just a complete freezing up of our project pipeline. Everyone is unsure like, are we going to be able to do our fundraiser or not? If we can’t, what does that do to our budget? Projects often have an onsite component. People aren’t sure how to pull that off. It’s just a lot of things that are beyond remote work that have really been challenging about the situation that we’re in right now.
Johanny Torrico: Yeah, I agree. I think the only thing I would add to that is that a big challenge was that people who were already in the Cloud could actually make the transition easier, right to working from home. Some people were already kind of working from home and the office on some days. But for those who were not prepared, and that goes to planning pays off for sure, then you have to scramble to find a way for them to connect remotely using their computers, their home computers. To put some sort of policy in place, kind of on the fly there, to allow for that and maybe put some guardrails if you even did that. So I think that kind of created additional challenges as well.
Johan Hammerstrom: Yeah, absolutely. So let’s talk a little bit about some of the things you can do to work around these challenges and we’re going to frame it in terms of some IT steps that you can take. Then we’ll talk a little bit about how these things specifically address some of the challenges.
(9:21) First and foremost, you can leverage the Cloud. That sounds pretty obvious, but there’s a lot of ways that you can, we don’t mean use the Cloud. I think most organizations now are using the Cloud. They moved some or all, maybe most of their information into various Cloud platforms. I think what a lot of people have found is that there’s even more you can do in the Cloud that maybe you weren’t doing when you were working out of a central office. So we’ll talk in a little bit more detail about some of the things that you can do to better leverage the Cloud.
Another recommendation we have is to decentralize your equipment. If your equipment, primarily computers, are tied to a central location, if you’ve been buying desktops for your staff, and those are located at the central office, obviously, it’s difficult to do something about that now. But as you think about the future, we strongly recommend getting laptops for everybody. They just tend to be more flexible, the price difference has really come down, and they just give you a lot more ability to work in a decentralized manner. So moving forward, if you have the ability to decentralize equipment that will definitely help with working remotely more effectively.
Related to that though, you want to have ways of centralizing the management of that equipment. At Community IT, we have a whole device management system that we use to manage all of the laptops and desktops and servers of our clients. That enables us to ensure that they have effective antivirus, that it’s blocking access to compromised websites, that it’s downloading and installing the latest patches. And we centrally manage that and it runs and we have visibility into it, regardless of where the computer is located. As long as it’s connected to the internet, we’re able to manage those devices.
That’s something that we also strongly recommend that organizations either themselves or with a partner, find a way to centrally manage the hardware. That’s something that, until recently, was often done within a central office location. In a pre-Cloud era, the way that Microsoft in particular set up server domains, all that was tied to having all the computers in a single location. It made them easier to manage that way. And the tools now exist to essentially manage hardware from the Cloud. So, in some ways it’s another way of leveraging the Cloud, but it definitely makes it easier to have staff working from a wide variety of locations.
And then, I think something we’ve all gotten familiar with and comfortable with, and we’ll talk about this in a little more detail: using video and chat to stay in touch. It’s a way of really helping with the management challenges, helping to overcome some of the barriers that are there when you’re not physically in the same location with someone. Using chat as a way of just catching someone, using video as a way of checking in with people, can be an effective way of working around that challenge. Johanny, Steve anything to add here?
Johanny Torrico: Yeah, so I think one of the things that you outlined as a challenge was the management and reporting. When I think about Covid-19 I feel like it created an opportunity for us to kind of experiment with remote work. Like I mentioned, some of us were already doing that to a certain extent, but we were pushed to the place to just figure it out and as a result of that, managers needed to orient themselves to leading remote teams. That created some challenges in terms of managing staff remotely.
There are some things that I would like to share in terms of lessons learned for me, managing more people remotely. I think one thing that I found very helpful was increased communication with the team. Not so much as regular check-ins as we used to have in the office, but having more check-ins, more frequent check-ins and some of them informal, just to hear how they’re doing. So, frequent conversations with staff have created more staff engagement, at least from my experience.
I think the other thing that has been very helpful was providing clear expectations for the staff and helping them prioritize their job. Some people really like to work in the office and they realized, once they switched to remote that actually being in the office made them stay on task and so, it was important for me to realize each individual, case by case, and see what were the needs and then help them prioritize their work.
And then the last thing I would say about that is that team huddles have been very, very helpful. We used to have team huddles for certain teams and with the switch to remote and COVID, we actually had everybody, all the teams, on huddles at least three times a week. That was very important for me to realize what staff was working on. If that same thing, the same task, was coming up again and again, that was a red light for me to follow up with staff and help them with a prioritization. Maybe they needed some more frequent communication or maybe some help focusing.
I’m going to stop right there, but I wanted to make sure I emphasize and mention a little bit of the lessons I learned in terms of management for remote work staff.
Johan Hammerstrom: Thank you, Johanny, that’s a great point and a great suggestion. I also think it really emphasizes the fact that while technology can facilitate the solution, technology in and of itself, isn’t necessarily the solution. In that case, the huddles are a management practice that’s been very effective.
Steve Longenecker: I’ll add, I agree, those are great points. I’ll add something that a number of people, thinkers and commentators have said. It’s not a new idea to me that what this whole experience is doing, is sort of accelerating trends that have maybe already been in place.
One thing that is surfacing for me at least is, you were talking about the benefit of company-issued laptops for this Johan, especially at Community IT, but for our clients as well, with centralized management of course.
I think one of the ways that it benefits is that, when you bring your own devices, bring your own laptops or personal computers, when you want to work from home on a time to time basis, that seems like that’s okay. It works alright and you get access to your systems as you need to on your personal computers. But when you’re doing it all the time, every day, it really accelerates, whatever else is going on.
It really does surface all these risks about data leakage to personal computers. How healthy are those personal computers? It’s just really a much stronger position to be in, to have everybody working on a laptop. Like at Community IT, where we have to take security very seriously, because we have a database that has people’s passwords in it. If we don’t keep that secure there’s not just our own corporate health at risk, but our clients’ as well.
So we have policies that you can’t even access that database unless it’s from a company-issued device where we have management on it and know it’s protected by antivirus and well patched and that it’s being monitored by our advanced tools.
So I think that the whole benefit of having company-issued equipment is really surfacing. I’m not talking so much about phones, because phones do have more hooks for protecting the data that’s on them, but definitely for computers.
The other thing that I think I want to surface on this slide or talk about here is that, I’ve realized in my own work, I was at the office and I worked remotely maybe two days a week, but I was at the office a lot as well. When I went for a meeting at the office, I got up from my usual work area, and I walked usually into a meeting room and sat down, I might have brought my laptop with me, usually I did.
But I was moving around. I was talking to people. There was a little bit of chit chat before the meeting started and it kind of broke up the day. Now, when I attend meetings, I’m on the same screen that I’m on when I’m working. I don’t usually move. I’m just sitting here and all of a sudden I stop looking at my email or looking at the server that I’m looking at and I just turn my attention to a video chat, and it’s just not the same thing anymore.
I think it’s creating a need to think, I completely agree with Johanny, that the frequent huddles that our teams are having is really beneficial. For one thing, there’s a social dynamic there that’s really important for workers that might otherwise be isolated.
But I think sometimes the meetings that we were having at the office had this benefit of breaking up the day and being something different in your work day. Now that they’re not, that benefit is gone and we really need to think about: what the purposes are of the meetings that we’re having. I think there’s been a lot of efficiency, business practice people, gurus, who say: more meetings, shorter meetings and all that kind of thing.
And I think particularly when those meetings are virtual and they’re on the screen that you’re sitting at anyway, that might be even more true, if that makes sense. I’ve been noticing that the meetings that I’ve been having, are by not being in person, just have a different dynamic to them. Although I appreciate the video and I don’t want to not have any meetings, I think that there is something going on there.
Johan Hammerstrom: Yeah, thank you Steve, I think that’s also a great point and it’s a little bit beyond the scope of this webinar, but I do think the nature of work efficiency is changing a little bit. I’ve noticed that myself and that my normal routine in a day has changed and I think in some ways it’s become a lot more efficient as a result. So that’s an interesting topic and I think that’s important for leaders in an organization to be mindful of what efficiency looks like in a fully remote environment.
I did want to get to a question, a great question that came in a few minutes ago. Be sure to use the chat feature if you have any questions for us and we’ll do our best to answer them.
(22:04) So the question is: If staff all have laptops, when they’re working remotely, don’t they also need to have a host computer, at the central office which they can connect remotely to the server? And that is no longer necessarily the case. It might be, now that kind of varies depending on how the organization is set up. And I think in general the reference there is to the Windows domain. You log in to your computer and it authenticates you against an Active Directory, which is a list of everybody in the organization, that’s running on a centralized server.
You’re not in the office, chances are you’re logging in with cached credentials. That’s actually fine and most of the information systems that you’re accessing that are in the Cloud don’t require you to log in to the server. One of the things that’s changed, over the last five years or so, is the size of the organization that’s required to get a server like that continues to go up. So we used to say well, if you have more than five computers, you’re going to need a server. Then it went up to ten and now it’s like somewhere in the 20 to 25 range. Also, Microsoft is really pushing the envelope on that, and making its Azure Active Directory available so that you can just authenticate directly to the Cloud. We don’t have time to go into that in more detail, but that will be my immediate –
Steve Longenecker: I think the question though also, Johan, is not just about how you authenticate, but how do you access the resources? I think the question does reflect the way organizations were all set up, 5, 10 years ago, where all of the resources were basically in the office on premises, running on a server in the office. So, if you wanted to access files, you had to somehow get to those files on the server – either log into a terminal server or remote desktop server we sometimes call them, or you had to open up a VPN.
If you wanted to access the Raiser’s Edge database, you again had to either go to a terminal server or VPN, because the actual stuff that you needed was in the office. Now, so much of that can be accessed and Johan is right. It depends on the IT that the organization has. But it is possible and not even that expensive to move your files to SharePoint or Box or Dropbox and then you don’t need to connect to an office computer.
The point I was making about the laptops was: do you want your staff accessing those SharePoint files that are your organization’s files, do you want them accessing them from any old computer? Or, do you want to say, No, really we want to make sure that any computers that are accessing the SharePoint files that are in the Cloud need to be managed by us, because we want to have assurance that any computer that connects to our files is healthy and has the latest patches and isn’t going to pose a danger to those files, by bringing some virus to them, that kind of a thing, is what I was making the point as.
But yes, there are still many of Community IT’s clients who still have their files on a file server in the office and have other lines of business applications running in the office, but many also don’t and it’s been a transition that’s happened really suddenly and remarkably just in the last, I would say, five years.
(25:50) Johan Hammerstrom: Well that’s a good segue to our next slide, which focuses a little bit more on this idea of leveraging the cloud. What we wanted to emphasize is that you probably already have a lot of cloud resources and I think, one of the things that a lot of organizations have realized in this shift to remote work is they actually had more access to more cloud resources than maybe they realized or certainly were using.
So, most organizations are going to be in one of two ecosystems and you are either going to be in the Microsoft 365 ecosystem or you are going to be in the Google ecosystem G Suite. You might be in both, but chances are you are going to be in one or the other. If you are in Microsoft 365, you look at all those icons there, you may be familiar with Outlook for email or Word for word documents. But you may not have been as familiar with the little cloud, next to the Outlook which is for OneDrive, which is kind of like Microsoft’s version of Dropbox, where you can store files in a cloud and access them remotely. You may have realized, you had access to SharePoint, which is the little S there, but you hadn’t been using it and then, certainly Teams which is the little purple T is one that a lot of people have gotten more familiar and comfortable with.
We will have a link in the next slide, after the next one, which gives you just a little bit more information about Teams. Likewise, if you are in G Suite, you have access to Google Docs, you also have access to Google Meet, which is the little green circle, the quote circle with the video icon. So, there are options within your existing cloud suite for leveraging the cloud and working remotely.
And then, both Microsoft and Google, provide some level of integration with third party providers. Zoom, I think everyone knows what Zoom is these days, Zoom is the most popular third party video conferencing option. It can integrate with both Microsoft and Google. We have another slide talking a little bit more about Zoom in a minute. Slack is a chat feature. Teams has chat functionality but there are certain things that Slack does better than Teams and some organizations have already been using Slack for a while. Dropbox is a cloud based file sharing solution. It works particularly well for smaller organizations. Can also be integrated with both Google and Microsoft. (All of these systems have nonprofit pricing and help at the above links)
So, you may already have more cloud systems at your disposal than you realize and it’s worth taking a look at what’s available to you.
All right, that was my pause for Johanny and Steve, if they have anything to add and I will move on.
Steve Longenecker: You are good.
(29:15) Johan Hammerstrom: Okay great. So, we are talking a little bit about video and chats specifically, because I think this is something that is pretty much mandatory. If you are going to work remotely as an organization as a way of staying in touch, staying connected, having access to video – video meetings and also having access to real-time chat is pretty important.
So, as we mentioned, if you already have Microsoft or Google, you have access to that with Teams and Meet, you can use that. We did want to mention that if you are an organization that has significant privacy or security concerns, there are some third party tools that are available. Signal, I think is one of the most common, it’s a secure end-to-end encrypted messaging app. It’s actually built by a foundation in the Bay Area and is an open source solution.
Jitsi, is an open source video conferencing solution that also, I believe offers end-to-end encryption. So, there is going to be a trade-off. If you need more advanced security, it’s going to require more work on your part and that’s really kind of the trade-off between significant security controls over a solution and using something like Teams or Meet, which have security, but you are dependent upon Microsoft and Google to implement that security.
And then, if you are using Zoom, we got another slide actually, with some more best practices about Zoom. So, let’s – I am going to save the Zoom comments for that slide.
(31:01) Oh! Here it is. All right so, with Zoom – so, why would you use Zoom, instead of Teams or instead of Google Meet? I think, number one, it’s very easy to use, it’s – nowadays an application that most people are familiar and comfortable with and it’s particularly good to use if you are wanting to meet with people outside of your organization.
It’s possible that everyone in your organization is comfortable now with Teams or Meet and they are used to using that to talk to each other, but then you go to schedule a meeting with someone else outside of the organization and if they are not familiar with those solutions, it might be difficult for them to use.
So, Zoom is good because it’s kind of got a universal quality to it, great for peer to peer collaboration. The interface of Zoom itself is pretty strong. Now the downsides of using Zoom are that at least initially, when everybody shifted to working remotely, the security left a little bit to be desired, in some cases left a lot to be desired. We have an article on our website, I will chat the link out in a moment, if you are interested in learning more about tips for using Zoom securely.
They have done things to improve the security of Zoom, but their record on privacy and security is a little bit mixed. They sort of have a reputation of moving quickly and sometimes not paying as much attention to security as they should. That security is sort of an afterthought for them and that their focus is really on distribution and ease of use.
And that’s a trade-off. If you want something that’s easy to use, that everybody uses, you might end up having to sacrifice some security for that tool. If you are an organization that works on National Security issues, I would strongly recommend, taking a very close look at some of the growing security concerns about Zoom. There was an incident just last week, where they shut down a Zoom meeting, which occurred with a Chinese dissident, located in the United States, on the anniversary of the Tiananmen Square event.
And there are some concerns that Zoom would do that, that they would shut down the meeting that was happening with someone in the United States seemingly at the request of the Chinese government. So, there are some National Security concerns, with regards to Zoom, that I think organizations who are involved in National Security issues want to be aware of.
Johanny Torrico: One thing that I had recently learned about Zoom is that one of our clients asked about HIPAA Compliance and it was new to me that they have a HIPAA Compliance license. You have to buy a 10 license minimum and I think it’s $200 or something like that, but that was new to me and maybe that’s kind of their answer to some of their compliance issues that people are raising. Have you heard of that license, Steve on the HIPAA – Zoom, HIPAA compliance?
Steve Longenecker: I hadn’t heard about that, no. That’s new to me.
Johanny Torrico: That’s new. Yeah, yeah.
Steve Longenecker: The greatest benefit is, I think, their technology is the strongest, in the likelihood that you are going to have stuttering and choppiness. That depends obviously on the quality of the bandwidth of the people that are participating to some extent, but I think Zoom does a better job of using what it has, as effectively as it can.
And then, the fact that it’s the standard that all the consumer people are used to. People are used to it from their non-corporate life. They use it when they talk to their families, or whatever. It’s the one that you have the least amount of explaining to do if you are going to do a meeting with people that are outside of your organization and invite them, if we can invite them to a Zoom meeting, they are more likely to know how to do it and not have to figure it out.
Now, those are really significant advantages. But, we use Teams primarily, internally and even when we invite our clients to things and it’s partly because we are in the Microsoft ecosystem that Johan mentioned and it’s just convenient to have everything in one place. When I record a meeting that I am doing in Teams, I don’t even have to worry about what happens to that recording. It’s automatically uploaded into the Microsoft cloud and anybody that’s in that team can just access it easily, without me doing anything.
And those kinds of things are really beneficial. I’m not as familiar with Google Meet product, but I would assume that there are similar things going on, on the Google side of the ecosystem too.
So, going out to a third party has a little bit of a cost in that regard.
The world is so different than it was four months ago! When you would have a meeting with someone, a video meeting with someone, if it was the first time for them, you might spend the first 10 minutes of the meeting just trying to get them to figure out how to turn their camera on or get the audio to work. And now, it’s just – everyone has gotten through that and all the jokes that were on Saturday Night Live in March are stale jokes now. People get it and that’s changed everything. Now, when you get a link to a video conference, you know what to do with it and it’s amazing.
Johan Hammerstrom: So, real quick – Any tips on how to be more engaging in using Zoom? That’s a question from the audience. I think you – that’s a good point Steve that certain things just got stale, I know. In my experience, the backgrounds were a lot of fun at first, like having funny backgrounds and then, that sort of got old. So, any tips?
Steve Longenecker: I do think that nobody should be using the microphone on their laptop’s webcam or their webcam on their desktop’s webcam. They should have some other microphone. I prefer – over the head, a headset, and then it’s just sitting there in front of my mouth and doesn’t look so great on camera but it’s very easy to hear my voice.
So, yeah having a good microphone makes a big difference and is worth the investment. Those things cost $30, $40 depending on how expensive you get for that. And then, I don’t know if you want to make it a policy, but I really appreciate when people turn their cameras on. There is a time we don’t want to have our camera on and I guess, I am conscious in fact that we don’t have our cameras on, right now, in this webinar. Maybe we should, but when I am having meetings with my colleagues, I like to be able to see them. When I am talking to clients, I appreciate being able to see them. So, those are two things to keep in mind.
Johanny Torrico: Don’t give Johan new ideas for the webinar, Steve!
Steve Longenecker: The other thing I didn’t mention how Zoom probably does the best job of making the best use of bandwidth, when it’s not plentiful or when it’s inconsistent, and I know that some of our colleagues at Community IT live in places where their internet isn’t super duper consistent and that’s just a challenge and that’s a place where you do turn off your video because the video does require extra bandwidth. So, sometimes you sacrifice that in order to make the audio as good as it can be.
(40:00) Johan Hammerstrom: Yep, all right. Well let’s move on to talk a little bit about cybersecurity, this slide detailing the overall cybersecurity landscape was valid before the pandemic and before remote working, but I think all of these challenges are even more pronounced now. So, the four main challenges that we have seen, with regards to cybersecurity are:
- Persistent and ongoing brute-force attacks on identities and that just means if your accounts are all out in the cloud, hackers are trying to identify your credentials to hack into your cloud based systems on an ongoing basis. So, that’s happening a lot, something to be aware of.
- Spear phishing has become a lot more sophisticated and I think especially early on – the end of March and early April, there was – we saw an uptick in spear phishing attacks that were leveraging things related to COVID. Emails that had COVID in the subject line or in the body were getting people’s attention and so it became easier to kind of break through as a spear phisher, so that was something to look out for.
- Organizations that have enemies because of the nature of the work that they do are targeted and are continuing to be targeted now and there are also attacks targeting your vendors. So, that’s another thing to look out for – a now classic example of that is the hack on Target – sorry, this is a bad time or bad coincidence of verbiage, but Target the retailer, they had that famous attack, back in 2013, I think, 2012 and famously the hack came through their HVAC vendor. So, they basically had access to all Target’s information systems, their HVAC vendor did, and the hackers hacked into the HVAC vendor, because what do they care? Who’s going to hack them, they just do HVAC work? Well, they got to the HVAC vendor and then used that to get to Target’s systems and ended up stealing all of their credit card information. So, and you got to look out for your vendors.
(42:30) Some of the specific security risks related to working remotely: Single factor authentication, this is something that we have been preaching constantly and will continue to do so. Using single factor, just a username and password, to access information is just nowadays inherently very risky and whenever possible, we encourage using multi-factor authentication.
This is particularly true with remote desktop servers so this goes back to that challenge that people have with line of business applications that they may be running from their office. They have now opened those up either through VPN or remote desktop server. That’s risky, because it’s single factor and the brute-force attacks could eventually determine what the factor is.
So, that’s one security risk.
Work devices being used by families. Our Chief Technology Officer had a great example that escapes me now, but this is from a Fortune 500 company who – some executive allowed his son to use his laptop and ended up getting hacked because the son was going to gaming websites or hacker websites or whatever the case may be.
So, it’s tough, it’s really hard right now, because kids need computers throughout the day or at least they did when school was in session. They might need them now, for virtual summer camps, everything is now being done virtually on the computers. So, family members using work computers – there is an increased likelihood that that’s going to happen, but it might be worth giving your staff heads up that they shouldn’t be doing it, but if they do to monitor, chaperone the usage of that computer.
On the flip side, people using their personal devices for work, particularly home computers that are out of your control. It’s not clear how secure they are. Are they free from viruses; are they free from hackers? People using their home computers to access work information introduces new risks.
I had mentioned the targeting – targeted phishing and the apps like Zoom, which introduce their own security risks.
So, I will be quiet now. Johanny, Steve, what have you seen in terms of security – new security risks that come from this remote working?
Johanny Torrico: I think on the home use, staff education came to mind with the security awareness training that I think will come a long way. Educating your users on accessing company better from home, especially.
So, things like is your wireless network at home secure? I think that’s something that probably used to be an afterthought before this thing, but that’s something to emphasize and that’s something that things like security awareness training of all cases will educate users on that.
I think what – Oh! Like going to a café, which now, these days, I guess it seems they are starting to reopen. That’s something to also keep in mind, those Wi-Fi’s at the cafes are open and a potential risk when you access company data from there too.
Steve Longenecker: I don’t know if it’s particularly associated with the pandemic and having to work from home at all, though it may be, but I am continuing to be struck by just the never ceasing increase in attempts made to compromise accounts and IT systems.
And I think it was reasonable at one time to think you had this safety in numbers. There are lions out there, but you’re in a herd of a thousand wildebeests, or whatever, and what are the chances? It just doesn’t seem very likely, but your terminal server, if it’s not secured properly, is being attacked right now, today.
I can virtually guarantee it and if you have an Office 365 account, if you have ever used that account for any other service, like you signed up for Netflix and you used your work email address and I shouldn’t say Netflix, because I don’t think Netflix has ever been hacked. But, you used it in Target and Target got hacked. That password has been tried to see if that same password will work to open up your Office 365 mailbox. That has been tried already. I can almost guarantee it. There is just so much stuff happening like that, that it’s a scary world and this stuff needs to be taken extremely seriously.
(48:18) Johan Hammerstrom: So, what are some things that you can do to take it seriously? We have alluded to some of those already.
- Updating your computers is very important, if you have an RMM, a Remote Monitoring and Management System or a device management system in place, just double check on it and make sure that it’s working and then it’s applying updates to the computers. If you don’t, it probably is a good idea to reach out to your staff and recommend that they update their computers, particularly if they are using their personal computers.
- We recommend rebooting weekly, at least. That doesn’t always happen. People just use their computer, then they put it to sleep or they hibernate it when they’re done at the end of the day. And their updates will never get applied if the computer isn’t rebooted, so it’s important to just reboot.
- Make sure the data is backed up. This helps you recover from attacks or like crypto wall type attacks, so it’s important to have good data backup in place, particularly true now, because people are working from home and might be saving important files and information to their desktops, their local machines.
- You mentioned multifactor authentication already.
- I’m strongly encouraging using a password manager to manage passwords, so that you’re not — your staff aren’t using simple passwords or putting them on a sticky note that their children could grab. So password managers are really useful tools.
- As Johanny mentioned, train your staff on security awareness. I think now, especially, it’s a great time to draw people’s attention to the risks that they face through cybersecurity.
- And wherever possible, use systems that are provided by the organization.
(50:36) Now that we’ve been doing that for three months and we have a little bit more time to plan our return to the office, what are things that we can do to effectively reintegrate?
So, in terms of data, make sure you have your systems of record, rein in data sprawl. People may have been storing all their information locally, they may have gone out and found their own information systems, just out of necessity.
How can you move all that information from all these different individual systems back to organizational systems?
So that’s something to start thinking about. You should do that regardless of whether or not you’re going back to the physical office. But now is a good time to start getting an evaluation of where all your data is.
And then if there are new systems, I mean, one of the great things that’s happened over the last three months, is all the experimentation and the improvisation and adaptation to this new working environment. You may have teams (actual teams, not Microsoft Teams), but like groups, departments in the organization, they found a new way of working. Well, don’t let that be shadow IT forever. How can that IT system be brought into the official set of IT systems that the organization is using?
(51:49) And then you want to reintegrate your devices. Make sure, particularly if you have a large in-house network, you have a lot of staff coming back, in the same way that you may be having your staff take their temperature before they come into the office, make sure that their systems are up to date with patches. The last thing you want is an unpatched compromised system coming back within the firewall of your office and bringing a data breach in house.
So, make sure that your systems are up-to-date, that they are fully patched. Make sure that they’re clean, that they’re virus-free and haven’t been compromised. If you varied any controls related to shared use, you want to update those. You should probably have people update their credentials and also your local administrator credentials on those machines.
(52:55) And then finally your policy, so you may not have realized it that 2020 was going to be a year where your Business Continuity Plan was put to the test. But now, you can look back and say, “Well, we didn’t have one.” Well, you’ve got a lot of experience now to be able to write one. And if you did have one, now is a great time to go back and review it and see what worked. Same thing with your IT policy. Chances are, my guess, is that 90% to 95% of organizations out there did not include pandemic response on their IT policy or full remote work on their IT policy, so now it’s a great time. You got that experience under your belt to add that to your IT policy.
And as you start to think about IT planning for the next fiscal year, all of the experiences that we’ve had can help inform your future planning. Moving to a more mobile workforce, investing in tools to do that central management we had talked about earlier. And finding ways to continue leveraging the cloud.
(54:18) All right. Wow! I warned Steve and Johanny that I’m terrible at managing time and we are going to have to rush through the slides at the end and I said, “This time I’m not going to do that!” But, here we are rushing through the slides at the end.
We are going to stay on even though the webinar officially concludes at 04:00. We’ll stay on for any questions and I definitely want to give Steve and Johanny some additional time to share their thoughts on reintegrating into a new office environment.
So, if you can stay after 04:00 please do, but before we move on to Q&A, just wanted to remind everybody that we’re going to have a webinar in July. It’s going to be July 15th, from 3 to 4 o’clock and we’re going to be talking about a framework for nonprofit cybersecurity risk assessment. So, we’re going to look at the NIST framework and help you apply that to assessing your own cybersecurity risk.
So, before we get to the Q&A, Steve? Johanny? Anything to add in that last section there?
Steve Longenecker: I think you covered it, yeah. I don’t have anything that came to mind as you were going through that.
Johanny Torrico: Yeah, I think, you covered a lot of the stuff. One thing that came to mind as you were talking, Johan, was that I read somewhere that, if you have an IT tech or IT department, one of the things they were going to have to do was grab all of those computers, the home computers, to kind of digitally sanitize them. That you were talking about in terms of patching the computers, moving the data or at least providing some sort of guidance to the users to move the local data to SharePoint, if they have the files in the cloud or the file server. But, digitally sanitize equipment is something that I have read in many articles. It’s going to be the responsibility of the IT team to make sure that happens as we reintegrate back to the office.
Johan Hammerstrom: Great. So we do have a few questions, so let’s get to those.
(56:35) What do you recommend in terms of protection from ad pop-ups? If someone’s been using their company laptop for whatever use but they’ve been online, they’ve been browsing, they have ad pop-ups, any suggestions there?
Steve Longenecker: I admit that’s something that I haven’t dealt with for a while, so I don’t have a recommendation, sorry. I know that the Chrome browser has some plug-ins that help with that.
Johanny Torrico: Yeah, that’s what I was going to say, too.
Steve Longenecker: Yeah, it’s a great question. I don’t get a lot of ads, except I do try to figure out sometimes on my work computer, personal questions like, what movie I should try to pitch to my family to watch on a Friday night and then I’m Googling movie names and then I suddenly start seeing ads. But when I’m doing my work, for whatever reason, IT sites don’t pop up tons of ads.
Johan Hammerstrom: Yes. I think we’ve seen a decline in the persistent ads they’re constantly popping up even after you’ve stopped visiting the sites. But certainly some of the general recommendations that we’ve made about keeping computers patched and up-to-date certainly help with that. And making sure the browser is up-to-date, I think that’s another key one. I know that Chrome now, and certainly Safari, for a while have put a lot of ad blocking software in. They’ve kind of built it into their browsers.
Steve Longenecker: Maybe clearing out the browser cache and everything like that might be beneficial in that regard, too.
Johan Hammerstrom: Yes, yeah.
Steve Longenecker: Doing all of the cookies and stuff.
(58:50) Johan Hammerstrom: Do we suggest changing passwords once we go back to the office? Well, what’s your recommendation on that?
Steve Longenecker: What we really keep coming back to is to just get them a decent password and then put multifactor authentication on it.
That’s way more effective than even changing passwords. In fact, I was actually logging into the admin portal of an Office 365 tenant of a client this morning and noticed there was a recommendation from Microsoft saying it’s actually more effective not to require people to change their passwords. Because what they do when you ask them to change their passwords they just end up choosing bad passwords or writing them down. It’s a different bad behavior happening when you keep asking the people to change their password. But, of course, that advice is predicated on having multifactor authentication, because basically, the multifactor part is what gives you the additional layer of protection that changing the password frequently would have done otherwise.
So, I sort of side-stepped the question. I don’t think it’s a problem to ask people to change their password when they get back to the office. But, I think if you are doing that thinking that’s what’s going to help, not multifactor, then I think you’re missing the advice which is to implement multifactor.
Johan Hammerstrom: Well, and I think it’s important, typically it’s good to think of security issues within the larger context. So, if your staff has been using their home computers to log in to check their email, then it might be a good precaution to have them change their passwords. But, as Steve you mentioned, that provides a little bit more protection. But what really helps is implementing multifactor. So, I think if they’ve had their laptops at home, their work-issued laptops, and they’ve generally just been using those for work, and you have multifactor in place, then you probably don’t need to worry about changing passwords at all. So, just kind of a range, a sort of continuum of scenarios to think about, that depend on your specific situation.
(1:01:38) Johan Hammerstrom: What type of risks are involved in moving all company records on to a cloud base system? Are there risks to be considered?
I’ll be happy to take a stab at this — It really depends. The Consultants Canard, right? It depends on the nature of the records, I think. Generally if you’re talking about typical files that don’t have privacy regulations associated with them, then the risk is generally pretty low and in some ways it’s probably less risky to put those files in a cloud based system where they’re being backed up than it is to have them on someone’s local machine.
Once you start to get into files that are regulated in some way, then it’s really important that you include that consideration as part of your evaluation of a cloud based system. So, I think for example, one of the ones that we deal with regularly is HIPAA and personally identifiable information, particularly medical information, is very tightly regulated and you’re generally in those situations wanting to use a system that is designed to protect that information and that is built to be HIPAA compliant. And you want to be very clear with staff that they should not be storing any of that information in files that aren’t encrypted and that are just being stored in SharePoint or in OneDrive or in email for that matter.
So, I think it’s the nature of the files. Legal files: if there is regulated information, you want to make sure that it’s being stored in a system that is compliant with whatever regulations might be involved. If it’s unregulated information, if it’s just information that has some sensitivity to the organization, then I think at that point you need to evaluate the level of risk associated with the information getting out.
If we have information, some of which is incredibly confidential, and if it were to get out would be incredibly damaging, that information is not stored in OneDrive or SharePoint, it’s stored in a very secured system. We have other information that’s more confidential but not as risky and that’s in a system that’s a little bit easier to have access. And then, for example: proposals. We send out sales proposals to potential customers. It’s a little bit confidential in the sense that we have a little blurb about them and we include our pricing which we don’t want to just make publicly available. But, in general if that information were to get compromised, the impact would be relatively low. So, in those cases having it in SharePoint which is secured in a variety of ways using multifactor authentication, et cetera, we feel pretty comfortable with that system.
That’s my longer version of, “it depends.” I think to really answer your question, I think it’s great that you’re asking the question. And it’s important to think about all of your information from a security perspective and not just say, “Well, we’re going to move it all out to the cloud.” I do think there are a lot of organizations getting nervous about putting information in the cloud, because they feel like it’s going to be more at risk of being compromised. I think the reality is that files that are being stored on a staff person’s local machine or on a local server are probably as much, or more at risk as files that are being stored in a secured cloud location like SharePoint or Dropbox.
Steve Longenecker: I don’t disagree with that. But, I will add some nuance perhaps. You are describing SharePoint as the place you might put the stuff that you’re less concerned about. SharePoint itself is a very secure system, but out of the box it doesn’t have a lot of the controls on it that can be added to it. SharePoint itself is designed for HIPAA compliant use and can be used in a HIPAA compliant way because it’s encrypted in transit, all the things that are required. But out of the box may not have all of the controls on it that you would want for HIPAA compliant data. You can add those controls, but it might be easier, if you’re dealing with legal records, to use a system designed for legal records, because those have those controls purpose built right from the get go. Someone else has done that work for you rather than using a general purpose system like SharePoint and then trying to build it yourself.
The other thing I would say is that one of the benefits, in terms of security, of having things on an on premises server is that by and large, you have to be on premises to access those records. Now, as soon as you add a VPN or an RDP access, you’ve given up that security. Your on premises server, if you’re one of those organizations Johan mentioned that works on national security issues, a state actor wants to get to your server on premises, they can probably get into your office. It’s not that difficult, probably, to gain access to most of our offices unless we happen to work in a Department of Defense facility or something which has armed guards and all that kind of a thing.
But, normally when it’s on premises you think you can’t just access it. When it’s in the cloud, you can probably pretty much access it from anywhere and so, you have to think more about data leakage. I don’t think in terms of security. If you have it protected by multifactor authentication and the systems are used properly, it’s already pretty good. I think there’s a lot more insecurity in the old systems where a staff person needs this file at home to work on so they email it to themselves and the email itself is not necessarily a secure method of getting a file. They go to their home computer, they log in to their email, they download it to their personal computer and they are working away on it. You might as well be in the cloud at that point. You didn’t get a lot from staying on premises. That’s a story to illustrate the risks.
Johan Hammerstrom: Yes, that makes sense. Alright, I think we’ve reached the end of the questions. Any final thoughts, Johanny or Steve?
Johanny Torrico: No, I think we covered a lot and thank you for having me.
Johan Hammerstrom: All right, thank you both for joining, thank you to everyone and the audience for joining us today and we certainly wish you all the best and hope you continue to be safe and we will see you next month, take care.