Community IT CFO Matt Eshleman in a new webinar hosted by the CIO Hour.
MANAGING IT CHALLENGES IN THE REMOTE/HYBRID OFFICE from 501Works on Vimeo.
Managing IT Challenges in the Remote/Hybrid Office
Hosted by the CIO Hour
Community IT Innovators CFO and cybersecurity expert Matt Eshleman was happy to be invited to present our take on cybersecurity fundamentals that provide extra protection to remote and hybrid workers at associations and nonprofits.
The quick scramble to implement remote work in 2020 has given way to an environment where modern offices are called on to support remote workers as a normal part of doing business. This has meant new ways to manage office IT and remote work policies and new IT impacts on staff at every level and department.
This CIO Hour presentation featured remote workforce expert Rebecca Achurch in addition to Matt, and they shared their experiences and answered questions on how you can better manage staff, avoid risks, and improve security in remote and hybrid work environments, or, as Rebecca said, “flexible” work. It may be from home, from travel, from a coffee shop, or from a loaner desk in the office.
Matt is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.
You may be interested in downloading our Nonprofit Guide to Remote Work or taking the 10-minute Cybersecurity Self Quiz.
Matt enjoyed talking about managing IT challenges in the remote and hybrid office, particularly the cybersecurity and IT management aspects.
Key Takeaways
- Security best practices you should have in place, including fundamentals like MFA and anti-phishing training. Cybersecurity basics go a long way toward protecting your organization.
- How to get staff and leadership to understand the importance of strong and equitable remote work policies and guidelines.
- Productivity tools across the organization should augment, not replace, good management and communication skills.
- Make it easy for employees to use technology while managing security risks for the organization.
Transcription
James: Welcome to the CIO Hour for March of 2023. This month we’re tackling Managing IT Challenges in a Remote/Hybrid Environment. And so with me this month are two people that know a lot about supporting remote and hybrid environments.
Rebecca Achurch, the Founder of Achurch Consulting who works a lot with organizations to understand their work models and do technology selections and all of that fun stuff. So, hello, Rebecca. Thank you for jumping in with us this month.
Rebecca Achurch: Thank you for having me. Great to be here.
James: And with Community IT Innovators, they are an MSP based here in the Maryland DC area. Matthew Eshleman, who is their Chief Technology Officer, and who is, of course, tasked with keeping us all safe and secure in our remote, hybrid and office environments. So, thank you, Matthew, for jumping in and talking to us this month.
Matthew Eshleman: Yeah, great. Looking forward to it. Lots of good things to cover today.
James: Definitely. So let’s get started. For those of you who are new to the CIO Hour, basically this is a monthly webinar. We’ve been doing it for about two years now where we are trying to tackle problems that you face in the real world.
We feature experts like Rebecca and Matthew every month to give us insights from their years of experience. And these usually occur on the first Thursday of the month. So feel free to look at theciohour.com for upcoming topics.
The ground rules. Basically, no question is off limits if you want to ask a question or engage in the discussion. We are in the webinar format, but we keep the discussion turned on. So you can use the chat function in Zoom, or if you want to remain anonymous for some reason, you actually can use the Q&A function. We’ll monitor both through the course of the webinar and try to get to your questions. We’ll also answer the questions that were submitted as part of registration. Last but not least, we get one CAE credit for this. We will email you out a link tomorrow on our system. You jump in, attest that you were here and file it, and you’ll get your certificate immediately from that link. So feel free to do that.
And just a quick bit on our agenda, we’re going to look at a couple news items that are of interest this month.
We’ll look at some fast facts about our topic, and then we’re really going to jump in with our experts and take maximum advantage of their time for the next hour.
New this year, we’re trying something a little bit different. At the very end of the official program we’ll stick around and just open up the mics. And if you have a question about anything or want to continue the discussion, we’ll do a little CIO after hour for 30 minutes.
In the News
With that let’s look at the news. A couple of things jumped out at me this month in particular, given our topic. This was an article a couple weeks ago on CNBC. Amazon is now telling employees that they need to be in the office at least three days a week. And I know we as panelists have an opinion about this, so we’ll get to that in a bit. But it’s interesting that over the last years, I was looking back over some of our news archives, this has really varied across the board. Groups have said, we’ll stay virtual; we’ll go back to the office every time; three days a week; Monday, Wednesday, Friday; Tuesday, Thursday, it’s all over the board. And so we’re going to talk a little bit about that as we get into the program, but wanted to bring that to you.
And the second thing which is security related this week, in which I know Matthew’s going to reference a little bit later. Our good friends at LastPass had a bit of a breach that resulted in some of their encrypted password vaults being accessible. And so, if you don’t know about this, read about it. A lot of folks use LastPass as their very secure password vault. And it may not be quite as secure as you thought it was. So their recommendation, at least right now, is to actually go in and change your master password. And unfortunately, every password in your vault. So just be aware of that. No system is perfect. You do have to monitor those things. We’ll talk a little bit more about that as we get into the program.
And then the last thing is just a shout out. I gave the same shout out last month, but next Wednesday, March 8th, if anybody is interested, Microsoft is doing a free ability summit. It is an online virtual event about basically enabling access to communities that may have difficulty getting to our web-based systems and using our technology. That can be anything from helping people with low vision to other folks that have access issues with some of the tools we put online. And we’ve been getting more and more questions about this from folks about how we make our websites and things and services more accessible. So this is a great free summit, if anybody in the association industry wants to check it out, it’s always a good thing to be more inclusive.
With that, let’s dive right in, because we’ve got a lot to talk about today. As we were rehearsing this, we could have talked for hours.
Managing IT Challenges in a Remote/Hybrid Environment
Going to set the stage with this. This is Gartner, who’s a fairly reputable research organization. They study this type of thing frequently, especially with respect to technology.
In the pre-pandemic world, about 30% of total employees had some sort of remote work. That has ballooned to almost 50% post pandemic. And as you can see from this graph, they expect that to continue to go up to as high as 60% in the U.S.
The U.S. is sort of leading the way on this, as you can see, based on their surveys across the world.
So I think that’s a really good place to start this discussion. It is the fact that remote work is really, I think in the association industry, probably even a heavier percentage than may be reflected across the general economy. But when we think of this, we frequently think of work from home. And I know, Rebecca, you have some opinions about what this really means.
How do you define this new work environment as somebody that does a lot of consulting and helping organizations tackle these new challenges?
Rebecca Achurch: Thanks again for having us. I love the change that you’ve shown in Gartner from 30% to 40%. It’s amazing. I understand that Amazon says, Hey, come back in to work. Come back into the office a couple times a week.
But really what we’re getting to here is creating flexible work frameworks. That’s really what’s changing. You couldn’t go to a conference 10 years ago without hearing that we’re not going to have enough people to fill the knowledge work or talent pool that we have today.
And so if we want the best and the brightest, which we talk about all the time in the association industry, what it really boils down to is if we’re going to compete, we have to become more flexible, if we want to have the top talent out there.
So we don’t talk about it in terms of remote work or hybrid work. I mean, yes, we use those terms because those are the terms that people are comfortable with, but it really is about flexibility. And it really is about digital first being supported by interactions and connectivity.
We need to really stop thinking about this as I’m working from home or I’m working hybrid. We need to think about this as a flexible digital environment within which we work. And that’s really our whole philosophy about things. How do you enable the digital framework? What does that look like? And in understanding that it’s not just going to be in someone’s home. It could be in a shared workspace. It could be in a variety of places. So it really is that flexible framework.
James: Definitely. Matt, are you guys seeing?
How are you seeing this as the front lines of managing people’s networks and IT plans?
Matthew Eshleman: We have seen this transformation happen throughout our managed client base from organizations that had to adapt and have their staff work remotely, to taking on organizations that are 100% virtual or have no physical office presence at all. So they’re a digitally native organization that started with staff working from all over the place and having a virtual presence.
This is a trend we’ve seen really accelerate. And yeah, as somebody who’s been able to take advantage of hiring really talented staff, no matter where they are, instead of having them tied to our DC office, it has really been a great benefit for us as a service provider. We’re able to attract and recruit staff regardless of physical location.
James: Well, and we did have a question that came in during registration. And this is probably as good a time as any to actually bring it up, which is:
As we think about these hybrid workplaces and folks really hiring from “anywhere”, there are some challenges, not necessarily with the technology with that, but the business side of that.
And I know Rebecca, we were talking about this. How have you guys handled it, or what do you guys recommend in terms of the fact that you’ve got to be registered in states and that sort of thing?
Rebecca Achurch: That’s a great question, because it definitely does influence it. My organization is a completely remote organization. We do not have a physical office, so we use a PEO (Professional Employer Organization) to handle those items. That works for some with the legalities of it. Every single state has different policies for sick leave, for medical, there’s all sorts of workers’ compensation, liability insurance, all sorts of stuff that go around it.
What is a PEO? Great question. A professional employer organization. So essentially it’s an organization; they have several different types of arrangements. It could be what they call a co-employment, which basically means that they’re doing all of the paperwork and they’re sending the paychecks, but they’re employed by you. So you’re able to take advantage of group insurance, better benefits for an organization.
Think about it kind of like a consortium, that they’re out there representing multiple organizations. That allows them to increase their buying power and they manage all of the human resources, payroll, time entry, tracking, everything else that comes along with that.
Two that I know that I love are both for small organizations, one called Justworks and another group called Insperity. Those are two that I found really accommodating for smaller organizations. But, you’ve got to do your due diligence.
What you can do in this remote and hybrid environment is set some boundaries. So, for example, you can say, we are comfortable operating in a certain mile radius or in certain states. That is going to be all of the policies that you want to think about when you’re thinking about your remote work policy or your hybrid work arrangements and approach.
So those are things that we want to think about. But there, you’re getting into legalities and taxes and all sorts of things like that. You would definitely want to consult attorneys and proper individuals and organizations to make sure that you’re staying on the right side of the law on that front.
James: And we’re a small business, too. We operate virtually as when we first started and we’re investigating a PEO now. Right now we’re in a limited number of states, but want to have that broader reach and it definitely can be a challenge. I threw in the chat a link to napeo.org. We’re all association folk here for the most part. The association of PEOs have some great resources up there, if you want more information about that.
Rebecca Achurch: The bottom line is you need to know what you’re getting into before you just allow someone to move to another state. That’s really the bottom line.
James: Absolutely.
Rebecca Achurch: And you heard that a lot of people have said, oh, it’s not a big deal. But really you need to be paying attention to those rules and regulations.
James: Yeah, 100%. So with that, in these new hybrid environments, I think as you called it Rebecca, you no longer just walk around managing work, because we’re not able to necessarily walk around and see our employees face-to-face.
So how should we, or should we measure their productivity as we think about these environments?
Let’s start with how we do it or should we do it? You’ve got the tool set, because you know these bigger tool sets. And then we’ll talk about the more managerial implications.
Rebecca Achurch: So the fact of the matter is, as you said, James, when we were all in the office, I asked people a couple times: Who had a perfect work environment, having worked in an office building for 7 years? The answer is nobody, right? We were still iterating, right?
So I don’t know why we think three years into this or with most people doing this, we’re going to have it all figured out. And really what we’re having to do is change the way we manage. And yes, there are tools, but it really is beginning to be a mindset shift where we’ve talked about managing outcomes and not accountability, but when we were physically in the office, we would fall back on what we knew, what was comfortable, which was management by walking around.
The non-verbal signals are very clear to us. Someone’s door is shut, someone’s door is open. They’re on the phone, you can physically see things like that. So when it comes to productivity in a hybrid work environment, you really have to think about putting practices in place that help you understand how they’re driving to the outcomes that you’ve set for them to achieve.
Oh my goodness. Our managers actually have to manage. I mean, you actually have to pay attention to what people are doing. And I think that that’s the big shift. Poor management hid in plain sight when we were in a building.
I think what the hybrid remote and remote environments do is really bring it to the forefront and help us understand that, wait a minute, Johnny may have been in the office 12 hours a day, but really he wasn’t getting a lot done, nor was he a really great manager or communicator with his people.
So it really is about shifting to managing to outcomes. And there’s some tools that we’ll talk about a little bit later, but that’s the big shift. At the end of the day, if you don’t have trust with your people and you’re not managing the outcomes, this idea of, I’m going to be monitoring it, we are asked that all the time. How could I monitor my employees? You monitor by measuring outcomes.
James: Definitely.
Matthew Eshleman: Yeah, that’s a really great point to make, because as a managed service provider, we have our tools on the client computers that we’re managing and supporting, and that will be a question that comes up. Is there a productivity monitoring tool and can you tell us, what’s the best one to have? Can you tell us, is our employee opening up Word or what files are they accessing? Or how many words are they typing? And the short answer is that no, the tools that your managed service provider has deployed in your endpoint are not really designed for that.
If you’re asking those kinds of questions, to Rebecca’s point, you’re really missing the outcome. Sitting in front of a computer, making sure everybody’s cameras are turned on, or having nanny programs on the systems to say how many hours the Office application was open, or how many words they typed is a really poor substitute for good and effective management.
Managing staff who are in different physical locations is different. And that’s a transition that we’ve had to make as an organization that pre-COVID had virtual teams, but then on-premises folks. It is a challenge for organizations that they need to adapt to. But, you’re going to be much more effective managing to those outcomes as opposed to putting monitoring tools in place that are supposedly going to report on keywords per minute or percentage of time Office was open, for example.
James: Well, and frankly, there’s been some legal things that have shown up. There was a group in Europe, for example, that wanted their employees to all have their webcams on during the day, pointed at their faces. And of course, the employees rebelled, took it to court, and the court sided with the employees that that was a complete invasion. Europe may be a little more stringent than the United States, but it still holds. If you wouldn’t want it done in an office, you’re not going to want it done remotely.
Rebecca Achurch: I would add on to say, what kind of signal does that actually send to your employees? What kind of culture are you creating if those are the boundaries within which you’re working. I want to be micromanaged, said no one ever, right?
And if they don’t have adult-like behaviors, then you have a performance issue that needs to be addressed in a different way so you’re managing the outcomes. And you’re going to get higher engagement. If I hear one more, “we want a highly engaged organization.” Well, you don’t get a highly engaged organization by putting them under a thumb, right?
James: Absolutely. That brings me to my next question, which is a perfect segue. It sounds like we need some good policies in place.
Policies
So what do you recommend in terms of remote work policies, and what should those include, and how deep should they go?
Acceptable Use Policy
Rebecca Achurch: On the IT side, without a doubt, you’ve got to have an acceptable use policy. The laptop is going back and forth from a variety of locations wherever they choose to be working from. So the tools that they’re using, having clear definition around what acceptable use is, is really important.
Also what I’m going to call a documentation or policy around access storage and record retention. Here’s what we expect of how you use the tools, and here’s how we expect you to interact with these tools. So that becomes clear to us. Some larger organizations will have mobile device management in there as well. So that may be there. A lot of times we are just putting in policies that are saying things like, there’s an expectation that you use a personal device potentially for MFA, multifactor authentication.
We’re trying to put some frameworks around how they’re going to use the tools and what that looks like, and some things around documents and communication. So that’s where we start on the IT side. So you could call that kind of information systems policies.
From a hundred thousand feet there are several other things you’ve got to have.
You need to really look at worker classifications again and classify those. So the policies around worker classifications.
I’m going to put a broad bucket in terms of organizational health, safety, and wellness.
So you need to think about the policies that go along with that in terms of setting boundaries, expectations about work hours being clear.
An internal communication and whistleblower policy. You need to talk a little bit about that as well.
We had really good standards about how we communicated, like a bullying policy or something like that. We had really good standards about what that looked like in the office. We now need to think about what that looks like outside of the office.
What is appropriate? You can’t potentially eat edibles during work hours while you’re at home. You may not think you have to say that, but you kind of do.
Again, at 100,000 feet, we need to have a true remote hybrid policy that kind of frames this. And then those are some specific things underneath that we absolutely have to cover.
James: I think this is a good place for some coaching, because I don’t want to do it, but I’m guessing if we Google “epic Zoom fails,” there’s probably way too many where somebody’s doing things that they shouldn’t be doing or walking through the background, or whatnot.
Which brings us to the tech side of this.
Matt, what do you see for an acceptable use policy or things like that? What are you looking for when you come in and onboard clients and help bring them up to a good standard?
Matthew Eshleman: Yeah. I’m really glad that you started with policy, because I think that helps the decision making framework whenever the questions do come up.
I would say, clarifying whether a work computer is going to be provided or is there a BYOD policy in place? I think those are really key elements to get out of the way.
The same thing as it relates to the use of mobile devices. It’s great everybody has a smartphone. It’s great that you can get your work email on your phone, but what does the organization need to do to ensure the integrity of data on those devices?
And then what happens whenever somebody leaves the organization? Are you creating a situation where all this data is accessible, can be synchronized, but then there’s no way to retrieve that?
And so whenever an employee leaves, they can take an organization’s contacts or files or whatever it is away from them.
So starting with a policy to clearly articulate what’s expected and what’s the norm of the organization is great.
I would say I prefer organizational provided devices. It just makes it a lot cleaner, because then your IT team and your MSP partner can put the appropriate security controls in place, make sure the devices are updated, and have all of those policies in place.
And kind of coming back to the news article, the LastPass breach, it turns out that that was a breach of a senior developer’s home computer.
One of four people who had access to the decryption keys of all those client secrets was accessing work resources from a personal computer. And that personal computer didn’t have, I’m assuming the same security controls that the work computer did. It creates this enormous vulnerability whenever you have uncontrolled systems accessing your organization’s data.
I’m assuming most people aren’t in the same line of business as LastPass, and you probably don’t have the same security model. But it is worth going through those thought exercises to understand, what data do we have? Where does it live? Who can access it?
What controls do we need to put in place to make sure we have good confidence in those systems so we’re not going to be surprised whenever there’s a network compromise or a security issue?
Equipment
James: Well, one of the pre-questions was about this:
An association’s providing a good, high quality laptop, but certain employees want to use their own as opposed to the organization supplied one.
And I know I certainly have an opinion about that. As a CIO, I’m guessing you do too, Matthew. I’ll let you go first and then I’ll tag on behind.
Matthew Eshleman: Yeah, I think it’s really important for the company to provide top of the line, high quality devices, so people can be as productive as they possibly can. And that does mean that you need to accommodate users’ preferences.
I think today’s knowledge work is very individual-centric and if you’re more comfortable with a PC, you should have a PC. If you’re more comfortable and productive with a Mac, you should have a Mac. And that also means the organization needs to have an IT support capacity internally, or a partner that can provide appropriate support to whatever platform people happen to be on.
Even if you don’t give people the tools that they need to succeed, whether that’s the hardware or the applications, people want to get their work done. They’ll find the most expedient way to do that.
And so you want to be able to provide some flexibility in what tools people have, but also some tight controls in terms of how that’s accessed.
James: Yeah. It’s an unfortunate thing I think. My thought on this, having sat in the CIO chair, you’ve got hundreds of users running around with laptops, sometimes thousands of users depending on the size of the organization, or you may only have five. The reality is, I couldn’t agree more.
Provide a good hardy machine that’s upscaled enough to actually do the job that the person is doing. That’s number one. And number two, unfortunately I think this is an area where you do need the policy and you do need to be a bit more heavy with it to say, we’re giving you this computer, because we need to control access to our environment. And that’s really part of employment. I mean, that’s really part of working with us, is that you have to use our equipment so that we safeguard the organization.
Because at the end of the day, if you’re in a managerial role or executive role or whatever in an organization, it’s your responsibility to make sure that organization is safeguarded. That’s part of the mission.
Rebecca Achurch: What’s interesting to me, James, about this particular topic are two things: one; just because you can, doesn’t mean you should. Truly, I agree with everything that Matthew said in terms of, we should provide a high quality machine, but I can’t tell you how many battles I have to have internally from a budget as a fractional CIO about buying high quality machines. And it is one of the most penny wise, pound foolish decisions I think organizations can make.
The reason why the machine is less expensive is because the internal parts that you don’t see are not as high quality as the more expensive machine. Maybe not all the time, but most of the time. We talk about high quality machines and we hadn’t really hit on this, but it is an internal conversation that we have all the time. It is the number one tool that people are spending five, six, seven, eight hours on a day, and we want it to be performant. I know it’s a huge expense for an organization, but it is a common challenge to get the budget dollars needed for a high quality machine, especially in the day of MS Teams, I’m just saying, right?
James: Yeah. What I find fascinating about that, purely from the CIO and the human perspective, is if we project about a four year life cycle in our equipment, that’s where we want to be. And so of course, we know how much technology moves in those four years. So what’s state-of-the-art today is going to be mid-market three or four years from now.
The thing that I find fascinating is, let’s just take a common job. Let’s say you’re paying a marketing person $60,000 to $70,000 a year that you’re invested. Let’s call it $280,000 over that four year period. You want them to be as productive as possible, but you’re worried about spending the extra $500 on a laptop; the difference between $1,500 and $2,000 once in that four year period of time to make them productive. So it is to your point of being penny wise, pound foolish.
The one other thing I did want to touch on also, that you brought up Matthew, is you really need professional management of this stuff. And this is where I’m going to give Matthew and the other high quality MSPs that are out there, a shout out.
Whether you’re a two person organization or a 100 person organization, having a good, professional managed service provider, which is what MSP stands for, that can give you coverage on PCs and Macs and your networks and all of the stuff that you need to do to be productive from a networking and IT standpoint is money well spent.
Because at the size that most associations are, you can’t duplicate all of the power that they bring with their experience and the knowledge that they bring into it. Go focus on your mission and let a group that focuses on IT focus on IT. You’ll sleep better at night for it.
So with that next up, let’s talk about the guidelines because we were just actually talking about this, Rebecca.
So what do we provide, Matthew?
What are you seeing your clients provide their remote workers to keep them productive?
Matthew Eshleman: I would say the standard offering that we see most organizations go with is still issuing a laptop. That was a tidal shift, as part of the COVID work from home, right? Everybody basically went from desktops to laptops almost overnight.
In addition to that, they’re typically also providing a second monitor. That’s kind of the core piece, right?
Employees are expected to have high quality home internet. And so that’s another requirement. And then beyond that, I think there’s a lot of flexibility in terms of what organizations will provide and how they pay for it.
At Community IT, we provide that core computer, monitor, stuff to hook it all up. And then we also provide a technology stipend to help pay for the other stuff. Because, if we buy the computer and we buy the laptop, that’s great, but I don’t want to have to deal with managing inventory of people’s ring lights and external monitors and cameras and whatever else that they might need to be productive.
James: Yeah. Mice are a surprisingly personal choice and not the kind of thing you want floating back and forth between your offices. If somebody leaves, take your $9 mouse and we wish you well.
Rebecca Achurch: No, thank you. I do not want that crusty keyboard back. Thank you very much. Have a great day.
James: I was going to say even the $120 monitor, I mean, the peripheral side of what we do now is so relatively cheap compared to everything else.
Rebecca Achurch: I’m a big proponent of the stipend as well. When somebody joins, allow them to set up their secondary or primary work environment in a way that’s conducive to them. We do need to worry about equitable items. Your stipend needs to be equal within the organization. So I always have a lens on equitable solutions.
I love the idea of a base plus. Here’s what everybody gets. It’s a laptop, it’s a monitor. As I stated earlier, I have my ideal set up, but it’s ideal for me. And it’s two monitors, a dock, a laptop, keyboard, mouse, and external camera. That’s what I’ve worked off literally for 18 years. And it’s really made a difference in my life.
When you think about hybrid, I do think two monitors is almost a must, and I almost always recommend that. So it either needs to be the laptop plus or potentially two external. I’m old, so my eyes have problems shifting on the sizes. So I wanted my monitors to be the same so that my eyes could adjust a little bit better. But those are things that are really important in terms of standard equipment.
James: A couple questions have come in.
With remote folks, how do you handle the security side of it, Matthew?
And then Barbara asked about suggestions dealing with the equity issues of quality internet at home, in some cases, that being a real problem.
We were talking about that a little bit yesterday with some of your remote workers that are a little further away from high quality internet connections.
Matthew Eshleman: I’ll start with some process issues around how we handle distribution and setup of devices. We have invested a lot in building up our capacity around using Autopilot Intune on the Windows side and then Apple Business Manager for the Macs.
That means we can automate the deployment and then ship new computers to staff directly from the manufacturer, directly from the vendor. Staff will get their device, they’re able to log in with their organizational email, and then through the automated processes that we’ve set up, all the required software gets deployed, the device is encrypted, the backup keys are all stored. And so we’re able to deploy all of that stuff straight from the vendor.
That’s been a tremendous efficiency gain for us because instead of shipping a device to an office or your MSP and setting it up, packing it up and shipping it out again, we’re able to just deliver brand new devices straight from the manufacturer, whether that’s Dell or Apple or HP or whoever you’re using. There are similar processes that get configured for both platforms. And that includes a standard security set.
And again, as organizations have really shifted from a primarily on-premises environment to remote or hybrid, having tools that allow that are really important. We still run into organizations that rely on the on-premises network to do updates or computer management or VPN. Making that shift to the cloud so people can be productive regardless of their location, I think is absolutely critical for this future work style.
James: Absolutely.
Rebecca, as you go in and help organizations figure out their remote and hybrid environments, what are some of the productivity tools that need to be in place, not necessarily at the machine level, but across the organization, that help folks handle this new world that we live in?
Rebecca Achurch: I’m just going to build on some of the answers that Matthew gave. One of the questions was,
What about getting laptops back?
What does that look like? I’ve seen two things. I’ve seen one ship a label in a box, have them put it in, send it back. By the time you terminate someone remotely, you are able to make sure that they are no longer able to get on the network. You ship them a prepaid label and a box and have them send it back. That’s one way you can go about it. If you’re local, one organization that we work with actually sends a courier, so that’s another option depending on the locale.
So some of it is prepaid shipping. And then you send it back to a provider. Matthew hit on this about using Intune and some other things. I am a huge proponent in a hybrid work environment. I agree. You need a really good MSP absolutely positively, because you want to have spares available that you can ship out that are preformed and ready, so that someone isn’t spending three quarters of their day dealing with the repair that’s going to happen.
So having that environment set up really matters. So that is what happens when we get stuff to you to ship it back. So you make a decision at that point to say, here’s the core equipment we want, which is primarily the laptop. Some organizations say it’s the laptop and a monitor if the organization has paid for that.
But if you’ve given them a stipend, basically you’ve taken it out of inventory and you no longer own it, it’s theirs to own. So that’s the philosophy. The thing that’s the asset is really the computer and that’s what you really want back. That’s really where your big dollars are, so that’s what you want back.
James: When people ask me what brand of laptop, it’s not so much about the brand. It’s about finding a provider. And you get this with Lenovo, with Dell, HP, Mac or Apple that has remote service capability nationwide so that they can actually send somebody to that worker’s house if something breaks. Put it under warranty for four years and you’re going to pay more for that. Again, you’re going to pay more for that, but put it under onsite warranty for four years so that you’re not having to ship it around and they have to get out there the next day.
Rebecca Achurch: 100% agree with all of that. And I actually prefer a three-year rotation to a four, because of the reasons that you said.
James: We can thumb wrestle over that at some point.
Rebecca Achurch: I digress. So getting to the
Productivity Tools
You really need to have a couple of things in place. You need to think about what is your synchronous communication tool that you’re going to have. So that’s going to be Zoom, it’s going to be a phone, a really good telephony. So what are you using for your softphone solution? And then it’s going to be some sort of chat solution. Primarily we’re seeing Zoom, Teams and Slack. James, you mentioned another one that you like.
So, it just kind of depends. You’ve got to have a really good phone, really good asynchronous and synchronous communication. And you’ve got to have task management or project management, because that’s what creates that transparency and accountability that we talked about.
You’re able to have visibility into what people are doing and what they’re not doing. I think in a hybrid environment, you get to also document management and something that looks a little intranet-ish. It could be SharePoint, it could be Confluence, it could be whatever you want.
But when you’re talking about a distributed workforce that you’re not managing through the telephone game in an office, what are the documents? What are the things that people need to get to most frequently? That could be a directory, that could be an organizational chart. It could be documents, it could be a link to the HR portal. Having a central location that everybody knows about when they’re onboarded, that becomes the repository that is not just typical document management, but it’s something that is well thought out and designed so that people know where to go. Those are what we really think are the keys and what have to be in place for people to have high productivity within a distributed workforce.
James: Matthew, anything that you’re seeing? As we were talking about this yesterday, we used something called Rocket Chat as our asynchronous communication. And the reason we do that is because it can sit on a more secure server that we control, and then those conversations frankly, aren’t out in the cloud in a Slack channel or with a third-party like a Microsoft or a Google or something. But that really is situational. It accomplishes the same thing regardless. It is easy. You want to make it as easy as possible. Just like you could stand up in a cubicle and shout over to your next person. You want that sort of virtual feel, right? So that you can do that across 500 miles or a 1000 miles, or whatever it happens to be.
Matthew Eshleman: Yeah. I agree. Every organization has their own unique set of technology requirements that they’re using.
I saw a number of people in the chat talking about the transition to phones, and I think that’s been a really interesting thing to see, because pre-COVID, everybody really loved their desk phone. That was a big requirement. I need my phone, I want to pick it up. And they could not be convinced to do softphones, but then all of a sudden everybody went to work from home. Oh, my soft phone’s great. Or we look at organizations well, nobody actually uses the desk phones in the organization.
We’re going to get a solution that maybe there’s a couple of numbers, but not everybody needs phones, because meetings internally are happening on platforms like Zoom and Teams. And if you’re meeting with somebody outside your organization, that’s often a prescheduled meeting too. You’re very rarely just picking up the phone anymore to make a call. And I know if you’re like me, the only people that call me are sales vendors. And so I just ignore all my calls. I have a number, but I rarely answer it.
James: Well, what’s fascinating; I like Zoom really. Think about what we’re doing here today. We’ve got people from probably six different time zones and even we’re 100s of miles apart, and it is seamless, better communication than you can get by picking up a cell phone, frankly.
I think we’re sort of in a golden age, the leap forward in these productivity tools that are out there. At least something good came out of the pandemic.
So with that, of course, we still have to think about security. And I know there was a question about the folks working from coffee shops or grandma’s couch or airports, hotels, as we get back to travel.
What are some of the things, Matthew, that you look for toward making sure that we are secure as we’re endeavoring to work in these hybrid structures?
Matthew Eshleman: All of this is really predicated on having access to strong and reliable internet. I think most folks at this point do have the ability to have good internet at home, and then they likely also have a backup option in a hotspot on their phone, so if something happens, they have options.
But I would say, make sure that the internet connection you use is trusted. And so if you’re working from home and you have Comcast or Verizon or one of those players, you’re in good shape. I don’t think you have to worry about security or privacy issues there. The issue does really come up if you are working in that coffee shop environment where you’re in a public place with a lot of other people.
And so that’s why if you can, use that phone hotspot. It’s a feature or capability you likely already have. And I would say it’s much better to connect on that device that you own and manage and control as opposed to needing to route your traffic through that Starbucks public Wi-Fi or the airport or the hotel, because who knows what all is going on. And I think you just have a lot more confidence in a solution that you are managing yourself.
James: Educate, educate, educate, make sure people are.
Which brings us to our next question.
What to take into account to navigate the tension between convenience and security?
When we’re in these environments, there’s an inherent tension between making it easy for the humans and making the organization as secure as possible. You’re on that teeter-totter of one direction or the other. So what are some of the things, Rebecca, that you take into account as you’re trying to design these and help people manage this?
Rebecca Achurch: This is the most difficult question of all that you’ve asked, because when it comes to hardening a network, there are very technical, specific steps we can take.
One of the things that hasn’t been mentioned yet is BitLocker. I know people that still deploy computers without BitLocker. I genuinely don’t understand it. There’s some fundamentals that are sitting there; that I know. But this is an ongoing tension, because it is a more dangerous world out there every single day. People are getting information. It’s not a matter of if, it’s typically a matter of when. So we try to manage through policy and education first through really good items of ongoing patching and communication around there.
But we have to make sure that what we’re not doing is setting up too many obstacles for our organization for our people to be able to do their work. We also strongly recommend really well thought out business continuity plans. Most of us are working in the cloud. Most of us don’t have on-prem sorts of things. So guess what? Our data is already out there in places. They’re sitting in Salesforce, it’s sitting in a public IBM, it’s sitting in Azure, it’s sitting in AWS.
There’s inherent risk to everything we are doing now. So it’s about managing that. And that’s really what we’re trying to balance all the time. There’s no simple interaction.
The fundamentals I think have to be there are
- device management,
- MFA on everything
- and a solid disaster recovery, business continuity plan.
I think we can have those three things.
I’ll give you an example: admin access to people’s computers. This is always an ongoing conversation between CIOs, right? “No, lock them down! No access.” Now they’re in their home and they want to be able to print something and they can’t without making a call to IT, which takes them an hour, and then they get frustrated and annoyed.
It is just this constant balance. And I think those are the things that we need to think through. And you need to talk about, what are the needs of your workforce? What are the profiles of the staff that you work with? How do they need to work? And then design processes around that. Are your people on the road all the time? Are they primarily in a single location? Then you work with an MSP to design a framework that best meets the needs and balances security with convenience.
James: Right. Legitimately, somebody that’s traveling 90% of the time, you might want to get that person a dedicated hotspot that they just travel with. And that way it makes it easy for them.
One thing that we talked about yesterday that I think it’s very worth mentioning is the fact that we’ve moved much of our data into these SaaS models. Makes them way more accessible, but it also makes us vulnerable to outages. If Salesforce or Azure or AWS goes down, and they do go down for a variety of reasons, I know you had some advice about essentially taking snapshots of that data, even with metadata and moving it out of Salesforce, moving it off of Azure to make sure you had it in case of continuity issues.
Rebecca Achurch: It really gets to business continuity. I think we take some of those cloud-based systems, SaaS-based systems, for granted. People don’t think about, do I need a backup? Office 365, especially smaller organizations, they’re not thinking about that. But if Microsoft goes down or Salesforce, you can’t change the MSA in a Salesforce agreement or in a Microsoft agreement. If you’re using it, you’re using it. Their terms and conditions are their terms and conditions. You’re not going to be able to change those. So you are going to be at their mercy if you go down. You need to think about your true backup options. One of the things that I recommended for Salesforce is a platform called OwnBackup. Love it. It copies everything at the metadata level.
And I can restore within a matter of hours. If Salesforce had another outage, that would corrupt my data, it could take me days to get back up. So you really need to think about those SaaS platforms that are business critical for you, and what is your business continuity plan? How do you have them backed up so that you can restore the business critical items?
Does it matter if you’re using Slack that you’ve lost your Slack messages? Maybe not because you only use it for informal communication, but if you’re putting anything there into Teams, if you’re putting anything in there that’s critical, then you may need to think about what that looks like from a business continuity standpoint.
Matthew Eshleman: Yeah, it’s definitely true that these cloud solutions can go down, and I think many folks in that transition from the on-prem environment into the cloud have just assumed that the cloud provider is doing all the stuff that they used to do when the server was in the office in terms of backups and taking offsite and all that retention. And that’s not necessarily true.
Microsoft will do some protection, but what we’ve seen among the organizations that we work with, the biggest issue is somebody who knows they’re leaving the organization purges their email, and then after they leave, then they’re like, oh, what happened to all that email that they were interacting with this organization, this customer?
It’s gone because Microsoft says, we’re keeping data for 30 days and that’s it. And so it is helpful to test all of those assumptions you have about what your cloud provider is actually going to do and make sure that matches up with your organization’s policies. If you need to keep data for a year, you will likely need a third-party backup solution to meet that requirement because the cloud vendor is not going to do that. Having those protections in place and thinking about it like it was an on-premises system is still helpful. Just because it’s in the cloud doesn’t mean everything is hunky dory. You really need to have intentional planning and review the terms and conditions to understand what they’re doing and what those time frames are.
James: Yeah. Tony in the chat suggested geo-redundant storage and I totally agree. We actually take it a step further. We go network-to-network. Stuff that we have in our Azure, we have an AWS S3 bucket that we back up to across, so that if Azure goes down and we really need to get back to something and it looks like it’s going to be a while, we can actually go into a completely different provider and pull those back-ups down. So not just geography, but also cross vendor capability.
We’re almost at the top of the hour. Any parting advice?
Crystal has a question about what amounts to snow days.
What about policies for internet outages at work and expectations?
Unfortunately, all this new technology is sort of the slayer of the snow day. But with ice storms and whatnot, we certainly have seen some outages. I’ll say my two cents on it is we have to be prepared for folks to go down sometimes. I mean, it happens and we all need a little grace when that does happen. Because if you think about it, we used to think about snow days where the whole office is down, you may only have one person or two people down. That’s just reality. I mean, life gets in the way, kind of like a sick day. What are your guys’ thoughts on that? And any last parting advice before we sign off?
Rebecca Achurch: So my parting advice is that a lot of what we’ve talked about isn’t just good for hybrids, it’s just good for whatever. This is the new digital age, and it’s not even new. It really is the new way we work and we need to shift the way we’re thinking and shift our practices and our policies to really adapt to the new modern way we work. That would be my parting advice whether you’re hybrid or not. If you have any ability to work from home at any point in time, you are in a hybrid work environment.
So to keep that in mind, that would be my parting advice. And then when it comes to snow days, it really depends on your policies, and I’m happy to talk about that offline, but I do have some suggestions. I want to make sure that Matthew has some time.
Matthew Eshleman: Yeah, I would say, building on the policy as a foundation is really important.
And then in device security, we’ve talked about a lot of different things, and I would just reiterate some of the things that have been said before.
- The most effective security is having a computer that is up-to-date with patches that has good antivirus installed.
- And then I would say from the user control perspective, we absolutely need to make sure that multifactor authentication is enabled on as many accounts as possible. Those accounts should tie to individuals and no shared accounts.
- And then finally, I think it’s really good to invest in your staff in terms of security awareness training.
We’re putting together our 2023 Nonprofit Cybersecurity Incident Report. We support about 7,000 staff across 200 non-profit organizations, so we get a lot of that security incident data.
What we see is that it’s largely driven by email-based attacks and attacks on your digital identity.
Giving staff the tools and the capacity to learn and understand what those threats look like and feel comfortable to reach out to IT. That’s really effective at preventing the most likely attacks that non-profit organizations are going to face.
James: Definitely. Well, thank you guys.
Rebecca, who owns and runs Achurch Consulting, thank you so much.
Matthew Eshleman, CTO of Community IT Innovators, an MSP here in the DC area. If you need an MSP, I would strongly suggest checking them out. We have a number of clients that use them and are incredibly happy with them.
So with that, thank you both. I think this was a very engaging hour of discussion.