Transcript below
View Video
Subscribe to our Youtube Channel here
Listen to Podcast
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Nonprofit IT Expert Round Table
Three Community IT Innovators executives held an “ask the experts” discussion and Q&A. Our executives, with decades of nonprofit IT experience between them discuss the nonprofit technology trends we expect to continue to impact our sector this year. You’ll learn how to ensure your nonprofit is up to date on the essentials in a changing landscape.
This is always one of our most popular webinars as we take audience questions on nonprofit tech.
CEO Johan Hammerstrom shares his experience and observations on the top technology trends that nonprofits are using right now. Whether you have outsourced or in-house IT support, if you are back in the office or working remotely for the foreseeable future, Johan has some insights for you on the best practices of your peers and forward-thinking nonprofits.
We expect cloud-based tech to continue to be the ongoing story of the modern office, for nonprofits as well as everyone else. Are you migrating to the cloud? Are you in the cloud but wondering if your team is utilizing all the tools you have, or has all the tools you need? Director of IT Consulting Steve Longenecker discusses his experience with cloud computing platforms, migrations, and implementations, and gives his educated guess on where cloud tech will be in 3-5 years and how to get ready for that future.
The need for Cybersecurity is not going away. Ever. In fact, cybersecurity safeguards and training are evolving as nonprofits suffer increasing hacks, wire fraud, and ransomware. Community IT Innovators’ CTO and cybersecurity expert Matt Eshleman answers your questions on emerging threats, prevention, and staff cybersecurity training. Does your organization need a cybersecurity assessment or cybersecurity insurance? Have you taken our free self-quiz to see where you stand in cybersecurity readiness?
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Presenters:
Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.
As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.
Johan graduated with Honors and a BS in Chemistry from Stanford University and received a master’s degree in Biophysics from Johns Hopkins University.
Johan enjoys talking with webinar attendees about all aspects of nonprofit technology. He is excited to share insights in this nonprofit IT expert round table.
As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for shaping Community IT’s strategy in assessing and recommending technology solutions to clients. With a deep background in network infrastructure technology he fundamentally understands how secure technology works and interoperates both in the office and in the cloud.
Matt has dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University and received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference and Non-Profit Risk Management Summit
As Director of IT Consulting, Steve Longenecker divides his time at Community IT between project managing client projects and consulting with clients on IT planning. Steve’s appreciation for working at Community IT Innovators is rooted in respect for the company’s dream and vision, and for the excellent colleagues that the dream and vision attract. Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.
Sharing expertise in the nonprofit IT expert round table in 2023 –as every January–is always something he looks forward to.
Carolyn Woodard (moderator) is currently head of Marketing at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She was happy to moderate this nonprofit IT expert round table webinar.
Transcription
Carolyn Woodard: Welcome, everyone to the Community IT Innovators’ webinar, Nonprofit IT Expert Round Table.
This is always one of our most popular webinars every year. We have a panel of our senior staff here today to talk about essential trends in nonprofit tech and what that means for nonprofits.
They’re going to talk about
- office IT management,
- cybersecurity and
- cloud computing.
My name is Carolyn Woodard. I’m the outreach director for Community IT, and I’m the moderator today. I’m very happy to hear from our experts. Johan, would you like to introduce yourself?
Johan Hammerstrom: Yeah, thank you Carolyn. Very happy to be here this afternoon and my thanks to everyone who’s joining us. My name’s Johann Hammerstrom, I’m the CEO at Community IT. I’ve been here for over 20 years and have enjoyed working with nonprofit organizations and helping them use technology. And one of the exciting things about technology is that it’s always changing and I’m really looking forward to today’s discussion to talk about some of the trends that we’re anticipating in the coming year.
Matthew Eshleman: Great. It’s nice to join everyone here today. My name is Matthew Eshleman and I’m the Chief Technology Officer at Community IT. I’m actually coming up on my 21st anniversary being an employee owner here at Community IT and enjoying the range of organizations that I get to interact with and the insight that I gained from getting to work with so many different organizations. And some of that I think will get reflected back as we talk a little bit about the cybersecurity trends that we saw last year and what we anticipate coming into 2023.
Steve Longenecker: And I’m Steve Longenecker. I’m the director of IT Consulting at Community IT. I’m the rookie of the crowd. I’ve been here for only 18 years. I love this annual webinar. I enjoy arguing with Johan and Matt anyways, so we might as well do it for our audience’s benefit. It’s a pleasure to be with you today.
Carolyn Woodard: Before we begin, if you’re not familiar with Community IT, a little bit about us. We are 100% employee-owned, managed services provider and we provide outsourced IT support. We work exclusively with nonprofit organizations and our mission is to help nonprofits accomplish their missions through the effective use of technology.
We are big fans of what well-managed IT can do for your nonprofit. We serve nonprofits across the United States. We’ve been doing this for over 20 years and we are technology experts. We are consistently given the MSP501 recognition for being a top MSP.
Learning Objectives
All right, so we have some learning objectives for today. We are going to hope by the end of the webinar today, you’ll have some understanding around essential IT trends for nonprofit management in terms of
- office trends,
- cybersecurity and
- technology.
So we’re going to look at these trends through these three lenses with the different experts in those areas leading conversations for 10 to 15 minutes slots.
- We also are going to have a little time to learn about the IT that’s needed at different sizes and stages of growth.
And that will just come up naturally through our conversations. This today is part one of our tech trends panel discussion, focusing on essential trends that every office and every nonprofit needs to be doing now and planning to do for the next three to five years as part of well-managed IT.
In February, we are going to have part two with a panel of experts addressing more forward looking trends and opportunities that tech savvy nonprofits will want to be pursuing and investing in.
I want to remind everyone that Community IT is vendor agnostic, and this presentation is to discuss how nonprofits are using technology tools. We only make specific recommendations for our clients based on their specific business needs. So we’re going to start out as we often do with a poll.
Poll 1: size
What size is your nonprofit? We know that different sizes have different IT needs and maybe are looking at these trends that we’re going to be talking about today in a different lens.
So the options are from
- one to 10 size nonprofit,
- from 11 to 25,
- from 26 to 100,
- 101 plus,
- or it just doesn’t apply. That’s you’re not part of a nonprofit that is that size.
Johan Hammerstrom: Yeah, thank you everyone for, for inputting your response into the poll. We have 4% of our attendees, that’s one attendees who’s in the one to 10 range, about 20% in the 11 to 25 range. Most of the attendees, about two thirds are in the 26 to 100 range, but we do have another 20% of the attendees in the over 100 range. So it’s a pretty nice mix of organizational sizes represented on the webinar today.
Carolyn Woodard: Thank you. And I think that you have different sizes, different levels of maturity. Maybe you’re a startup and you’re growing quickly. Maybe you grew really quickly, so you grew to a large size but you still kind of have a startup mentality. Maybe you are at an older organization that’s been kind of mid-sized in doing what you do for decades, perhaps.
So there’s different technology needs at those different levels. But for sure, thank you so much for sharing that with us.
Poll 2: How complex are your IT needs?
All right, so our next poll, we’re going to jump right into a second one. Johan is going to read through the options that we have here for how complex your IT needs are at your organization.
Johan Hammerstrom: Yeah, thank you.
How integral is IT to your mission and your business needs? How important or central is IT specifically to the work that your organization does?
- Do you use IT for basic office needs to communicate and maybe send out reports or are all of your business tools online that you can manage yourselves? So that’s category number one.
- Category number two is in addition to that, you also have some business critical platforms that you need IT experts to support for you, like a CRM, a database, more advanced financial tools, things that are beyond what you can support yourselves without dedicated IT staff or support.
- Three, are you using it directly to deliver services? So they’re not just supporting the work that you’re doing, but they’re central to your programmatic work. So that could be, for example, a charter school that is using IT education, ed tech to deliver education to its students, a healthcare provider that maybe is using iPads out in the field for the work that they’re doing.
- Number four, finally you were founded by disruptors, and you use IT in innovative ways. Maybe you’ve got your own development team in-house, you’re building your own applications. We’ve definitely seen a lot more of that in the last five to 10 years. Nonprofits that are basically creating IT as part of accomplishing their mission. So that’s category number four.
- And if none of these apply to you, you can respond to category number five.
Carolyn Woodard: So we had a fairly similar bell curve, I think. We had one respondent who is really just using IT for basic office support, about 60% with a basic office support plus category, another 27% delivering services using IT. And one, using IT in innovative ways and another two that it was not applicable.
Thank you so much for sharing that with us. And that helps us also frame how we’re going to talk about these different trends.
So what we wanted to do was take 10 to 15 minutes on each of these topics. So you see a kind of busy slide right now with three columns on office management, cybersecurity and cloud computing.
When we were preparing for this webinar, we talked a little bit among the panelists about how we’ve kind of reached an inflection point. Our initial impressions when we talked about this was that maybe the future is not as unpredictable now as it was a couple of years ago. We’re out of the uncertainty phase, we’re out of this kind of churn phase of needing tools to handle rapid change and maybe choosing them very quickly to deploy them.
Office Management
Johan Hammerstrom: Yeah, as we were thinking about trends, what we’re seeing with the organizations that we support and what we actually are, to be honest, seeing with ourselves as a business is a shift like we’re in the post pandemic stage now.
Matt and I were talking once and he’s got some good epidemiologist friends and they were telling him the pandemic’s over when everyone decides it’s over, like there’s no sort of epidemiological definition of the end of a pandemic. It’s like we all kind of decide, okay, we’re getting back to normal life. And what I mean by that and when the impact that that has on the work that we do is that for 2020, 2021, certainly and for a good part of last year, we were still very much responding to a very fluid dynamic and unpredictable world.
When the pandemic began in 2020, we all had to make a lot of changes very quickly on how we were going to be working as organizations. And there’s the big shift to working remotely. And then there was a lot of uncertainty around how long the pandemic would last and how long organizations would need to work remotely. And so a lot of decisions had to get made very quickly. A lot of technology had to get deployed in a pretty rapid timeframe just for organizations to continue surviving and doing the work that they’re going to do. And as best we can tell, and certainly it’s been the case for us and for a lot of organizations that we work with, there’s now a sense that I kind of feel like I know what 2023 is going to be like and 2024 and 2025 for my organization in terms of how we’re working.
Are we going to be fully remote? Are we going to be hybrid? Are we going to be going back to the office?
There’s a lot more clarity around what that might look like over the next two to three years. And because of that clarity, there’s a greater sense that we can plan ahead a little bit more. And a lot of the decisions that were made in kind of a rushed fashion over the last two or three years around technology can be replaced with more deliberate decision making processes.
So that’s not an exciting trend in the sense that it’s not as exciting as some of the crazy technologies that we’re seeing emerging recently. But I think getting back to a place where technology planning and technology management and decision making is a little more considered and done with a little bit longer timeframe is something that we’re strongly recommending and something that we see as a trend. That organizations really need the stability that comes from that longer term planning and more deliberate decision making process.
Steve Longenecker: Obviously we discussed this ahead of time and that is kind of what we were feeling, that is a significant trend and particularly in contrast to how things have felt during the pandemic. Again, the line between the pandemic being something that we’re living with and something that we look at in the rear view mirror is not going to be a bright line. And I’m sure many of us feel like we’re still living with it, for sure.
But yeah, we are definitely seeing clients doing more budgeting and planning. I think it’s also interesting to say things are getting normal again. It is true in the sense that we are feeling a sense of normalcy, but it’s not the same normal that preceded the pandemic.
There may be some things that have returned. I know that some of our clients, particularly the larger ones, are very interested in having people back in the office, maybe not full-time like they were before the pandemic, but at least part-time. But frankly, some of our smaller clients that have found during the pandemic that they could do their service to accomplish their missions without being in the office. It’s very freeing to work remotely. Employees certainly appreciate not having to do a daily commute. But also there’s an opportunity to save on office costs and some of the things that maintaining an office requires both in terms of IT and in terms not just IT. So it’s not like we’ve gone back to the way things were before the pandemic.
Some things have changed forever. Another thing that comes to mind is the use of virtual meeting tools whether that’s Zoom or Microsoft Teams or, or what have you.
All those funny videos that were trending in early 2020 of lawyers who couldn’t figure out how to make themselves stop looking like sea slugs on their Zoom meeting. We’ve gotten through that. Now everybody knows how to run a Zoom meeting. My mother-in-law, bless her heart, can get on the family Zoom meeting and have her sound work which wasn’t the case when the pandemic started. It’s like some of that stuff’s just been burned into all of us.
So it’s, it’s different. But at the same time, it doesn’t feel like the floor is constantly being pulled out from under us, which I think it did feel like for quite a while there. It just didn’t seem like it would stop. You thought, oh, we’ll be back in the office in six months and then a new wave would hit and it didn’t feel like you could plan. And now I think we’re back to the fact that you can and we need to be mature again about this.
Johan Hammerstrom: Yeah, I think the pandemic really accelerated a lot of trends that were already underway, like the virtual meeting trend. There was a saying that “the end point is the perimeter,” meaning all of your computing world and your data is now not behind a firewall at your office, but out there in the world. And you have to figure out how to protect all of your data and your information and provide security in a remote and dispersed way.
So those trends were already kind of starting to happen in 2015, 2016, but the pandemic really made it so that that is the new normal. And there is no going back to a world with servers and a world with firewalls. There’s no going back to a world where nonprofit staff aren’t expected to provide some level of their own IT support, which is what happened when people had to work from home.
They also were able to define their own user experience in many ways.
I think in some ways, the pandemic also empowered nonprofit staff to take more ownership and control over their use of IT and their IT experience. And that’s something that IT departments, IT teams and nonprofits need to be mindful of and take into consideration as they’re planning new initiatives. The dynamic between the IT department and the rest of the organization has changed because of the intense reliance on individuals to support their own IT by working at home and over the course of the pandemic.
Steve Longenecker: It’s gone both ways too. I mean, users had to step up, but also IT departments had to step up. There’s a lot more tools available now or maybe to your point, Johan, the tools were available before, but the tools are now in use.
We had so many of our clients that were using Windows and there’s a Mac equivalent, but the Autopilot In-tune and having laptops shipped directly to the end user. The end user unboxes the laptop, turns it on and right away, it talks to the cloud, picks up its policies and starts basically installing all the software and everything that’s needed. Those tools existed pre-pandemic, but they weren’t that important for us. We explored them, we played with them, but it didn’t seem like a value to our clients to really push them because everybody went to the office every day.
So why not ship the laptop to the office and have an IT person unpack it and set it up and give it to the end user? That seemed like a pretty reasonable way to do things. And it was reasonable when everybody went to the office every day. But the pandemic changed that.
And so end users needed to be comfortable doing their part, but IT departments also have changed. And that fits in with the second bullet point that we made that Community IT’s business has changed. Not that you guys are tuning into this webinar to hear about our business, but our business has changed in that we really are able to deliver services nationally now. And we ourselves turned down business if people made inquiries from too far away from Washington DC where our home office is. I guess because we felt like it was important for us to have the ability to put people onto the keyboards themselves, boots on the ground or whatever the expression is, for us to deliver good service.
That just wasn’t possible, even for our customers that were in Washington DC, because their problems were at home and they didn’t want us showing up at their house anyway because they didn’t want us bringing COVID into their house. So we had to do things remotely.
And if we’re doing things remotely for people in Washington DC, we might as well do things remotely for people all over the country. Our staff now are all over the country. It’s amazing how it’s changed. We are definitely taking on clients now that don’t have an office. That’s becoming much more common. So it’s changed things.
Johan Hammerstrom: Yeah, I think one of the things that we learned in the pandemic is what can be done remotely and virtually and what can’t be. For example, teaching. Public education is something that can’t be done remotely. All of the studies that have come out over the experience of virtual learning have been pretty conclusive that trying to teach children in a virtual way does not work very well and they need to be in the building.
I think on the flip side, what we’ve learned is that you can actually do IT support and you can deploy IT solutions pretty effectively in a remote way. I think that’s something that organizations who look to 2023 and the next three to four years can count on.
It’s this whole remote working now. It’s going to vary. Certain organizations have to be on-site; they have to have offices. One of the trends that we’ve seen is that larger organizations also tend to be returning to the office and returning to hybrid work environments more than smaller organizations. So being able to work remotely is not a one size fits all solution.
Being able to deliver IT solutions effectively to remote and dispersed staff has been very effective and I think that’s a trend that will continue.
Carolyn Woodard:
Has that changed governance needs and maybe policy needs for nonprofit organizations after going through this huge change of having more people working remotely? Have you seen that clients need to up their understanding of their policies or change their policies?
Johan Hammerstrom: Well, I think it gets to the fact that we were all moving so quickly to just keep the wheels turning on our organizations and our businesses. We had to move quickly and didn’t have time to stop and write a big employee handbook or a big policy document.
But I think we’re all now looking at all these new systems and environments that employees are working in and realizing we need to play some catch up with policies like the employee handbook maybe hasn’t been looked at. The IT acceptable use policy maybe hasn’t been updated in three or four years. There was a time where you could probably wait three or four years to update your acceptable use policy, but obviously if you haven’t updated it in the last six months, it’s probably really out of date. We’re entering an interesting time where the most important things in IT right now are probably the least exciting or the least interesting. We all want to talk about AI, but you probably should be rewriting your IT policies.
Carolyn Woodard: That is a great segue. We have a question from someone about how Community IT provides device lockdown to nonprofits with all remote teams to limit the use of the device to help increase cybersecurity. You were talking earlier about being able to deploy the laptops remotely to the end users.
I want to make sure we have plenty of time for Matt to be able to talk about cybersecurity and I think that relates to governance as well as your policy for that use. I’m going to turn it over to Matt.
Cybersecurity
So we’re going to talk a little bit more about cybersecurity, issues with cybersecurity insurance, some hacks that are recently in the news, MFA and SSO, and what those mean and what that will mean for nonprofits and whether the funders are keeping up and cybersecurity decisions. Who’s making cybersecurity decisions? I feel like that used to be something that somebody in the IT office would just do something and then everybody would have to take the training. I know there have been some changes in that. So Matt, do you want to take that on?
Matthew Eshleman: Yeah, so there’s a lot of different things in there and thanks for the question. Please feel free to chat in any additional questions that you may have.
So in terms of device management, I’ll take that actually in a couple different pieces. Talking about technology adoption, the tools that Community IT have used for over 10 or 15 years have really been cloud-centric. No matter where devices were, they could check back in and be managed with the tools we had. That was helpful as organizations were supporting staff working all over the place. I think the interesting side element to that question in terms of device lockdown is employee monitoring or productivity tracking.
There’s a whole cottage industry of those types of solutions. And I will say, in general, we have not deployed or even recommended those types of solutions to be in place.
Our approach has been largely to manage and handle staff performance in other ways. If you were having problems with staff while they were in the office, that transition to remote work maybe exacerbated that or didn’t change it. And so the idea that you’re going to have a technology way to monitor your way out of employee performance and productivity is not something that we’ve really gotten into. Coming back to Johan’s point about the employee handbook, I think having that content in there, the expectations around personal or incidental use of a corporate asset to be used for personal traffic or personal use.
I think that’s a discussion that the organization needs to have. And that needs to be clearly communicated. I think the same thing goes for mobile devices. Many people are using their personal devices to access corporate data. And nonprofits have in general been in favor of that. That’s been a nice thing to be able to do.
I think the pendulum is now kind of swinging back to realize we’ve got a lot of staff turnover and people are syncing their email and maybe the contact list or all kinds of information about our organization, about the people that we interact with. And then that leaves with them because we don’t have a way to control what data is being accessed from their mobile device.
Organizations are now getting to the point where they’re being deliberate around the policies that they are establishing to govern that access. And then making sure that there’s technology solutions that can help support those controls.
So talking a little bit about controls, I was reviewing what we said last year in terms of cyber liability insurance really driving adoption of technology solutions and policy solutions. And I think that trend only accelerated. I think we did a great webinar several months back with Jenna Howard from Lockton, which is a big insurance broker. And in that shared some hard data that we were seeing from different clients that we were supporting through their cyber liability insurance applications.
The underwriting requirements were becoming a lot more strict. And policy renewals themselves were becoming a lot more expensive. That was forcing organizations to implement delayed cybersecurity projects, make changes to how they were using and supporting technology. And that has only continued.
I don’t think we’ve seen relief from those year over year price increases and the cyber liability insurance applications seem to be even longer this year than they were last year. That continues to drive a lot of the change and adoption for nonprofit organizations. I think because nonprofits are leading edge when it comes to adopting cloud technology solutions that really helps with a lot of the technology control adoption.
There’s huge sections that really are really focused on on-premises controls and remote access to on-premises environments. And for a lot of organizations, even up to those with a hundred, 150 staff, it is now realistic to actually not have or not need any on-premises servers or equipment, which actually makes your overall security footprint a lot smaller. You can a lot more easily respond to those questions, like, do you have MFA enabled on everything? If you try to enable MFA on a local server it’s a really big technical challenge; it’s a huge headache. If you don’t have a server, then you don’t have that requirement and it really makes responding to those applications a lot easier.
Steve Longenecker: Matt, wouldn’t you say that one trend that we’ve seen for years and years is that in some ways these requirements are bureaucratic in nature? Like cybersecurity – there’s obviously a lot of good stuff there and we’re always delighted when a client asks us to help them implement multifactor authentication, even if the reason that they’re doing it is for a cybersecurity insurance policy. I know we have a client that has a lot of remote staff and having to update their password every three months or six months to meet their cybersecurity insurance requirements is a real headache for them. And, we’re seeing Microsoft issue guidance that passwordless is the way to go anyway. Changing your password every six months has its own costs, including the fact that people tend to write them down because they can’t remember them because they’re changing them all the time, et cetera. So those insurance policy questionnaires are interesting. I guess I should just pivot on that.
Johan Hammerstrom: It’s sort of like when they were developing auto insurance in the 1920s, they had no data to go on. The best practices on how to actually make people secure were still being figured out. And so these questionnaires are just the best guess by the carriers. Their concern is not necessarily security. Their concern is to minimize claims, and so the industry is very much in flux right now. What that means is it’s become a lot harder to complete those questionnaires because a lot of the things they’re asking you to do don’t always make sense because they’re just basing it off of the data that they’re collecting from claims that have been filed over the last few years.
Carolyn Woodard: So talking about security and MFA, we have a question in the chat.
Do you think single sign on is really the theme for 2023, Matt, or should we pursue passkeys whole hog?
Matthew Eshleman: Hey, maybe somebody hacked into our system and read our presentation in advance because yeah, I think so.
Digital identity and security around the digital identity is where we see most of the threats coming. I’m actually in the process of reviewing and analyzing all of the data that our team has responded to in 2022 in security incidents. And for the past number of years the biggest risk that organizations face is really around digital identity. Your account gets compromised and is used to target other organizations or your account is then used to try to open up bank accounts and that kind of thing. So I think for the small to mid-sized organization, your digital identity is really the key.
And that requires the most focus. That’s why we’ve been so emphatic about multifactor authentication.
A couple of early data points that I’m seeing in the data this year is that I saw more cases where we were responding to compromised accounts beyond just the primary user identity, their Office 365 account or their Google account. A person’s Facebook account gets compromised, their LinkedIn account gets compromised. And so that’s why single sign-on becomes really appealing interestingly enough. Single sign-on with your one username and password combination, then grants you that identity, then grants you access to many other linked systems as opposed to using a password manager where you are just storing that username and password in the application.
Then that’s getting inserted into all of those different websites. In the event of a breach? We had Lastpass as the year end security nightmare that everybody’s reading about. If you were involved in that or caught up in that, you really need to go through and reset all the passwords in there. If you’re like me, that could be a hundred or several hundred accounts that you need to go through and update and reset. Whereas if you were in a single sign-on environment, that would be one password. The mechanics of maintaining the integrity of that digital identity is a lot easier to monitor, adapt and then address if there are problems in the future.
The barrier to implement single sign-on for your organization really continues to fall. Now, if you’re even a 10, 15 staff organization, implementing single sign-on would probably be a good use of time because there’s so many integrations that are now available. That means that you can do that implementation if you’re in Office 365 or if you’re a Google customer, there are easy ways to do that integration. Vendors like Okta continue to be a good partner to the nonprofit sector in offering discounts and donations. And so you can get a really great enterprise grade single sign-on solution to help protect that digital identity. In a way I think that’s much more effective than password managers can be.
I think that’s a great question and I would certainly advocate for SSO solutions to be at the top of any organization’s list as they look at what they’re going to pursue in 2023.
Carolyn Woodard: We have a couple more questions in the chat, Matt.
How does MFA work for multiple volunteers who need to access a nonprofit computer, especially if they don’t have a phone for authentication or their other devices?
And we had another question that was, how does single sign-on work with multiple apps and integrations?
We do have a blog post about the basics of single sign-on. So I’ll put that in the transcript, but I wonder if you wanted to answer MFA best practices for volunteers or people who don’t have a phone.Matthew Eshleman: Yeah, so I do think understanding where the risk is for your organization is an important part. I do think for most organizations the risk associated with somebody hacking into your local computer because they have physical access to your office is relatively low. So, thinking about multifactor on a computer may not be a high priority for your organization. I do think as much as you can support it, multi-factor authentication and named accounts for your volunteers would be a great idea because you want to have some
auditing and accountability for who’s making changes. And so if you’ve got a situation where every volunteer is using the same account and going in and updating the database or deleting things, that can create a problem with accountability.
So in terms of multifactor authentication, you can give physical tokens. There’s a couple of different ways to do that. There are a number of good third party tokens if you want to give somebody a little key fob that has the rotating number keys on it as a way to provide that challenge. Some, some MFA is better than none. If you can get to a point where you’ve got named individual accounts with some type of MFA, that’s certainly preferable to shared accounts or no MFA. As much progress as you can make down that road to everybody having their own login with a linked app-based MFA, that’s the direction to go.
Steve Longenecker: Those key fobs are getting a lot cheaper for sure.
Matthew Eshleman: Yeah.
Carolyn Woodard: We have another question that came in around funding and about the different tiers for subscriptions for single sign-on that you might need to have and not be able to afford.
Matt, I know that you’ve worked with some funders. Is this something that’s changing? Are funders starting to fund more cybersecurity training and then actually specific licenses for nonprofits to have better cybersecurity? Or is it still, you have to do it, but how you’re going to pay for it is a question?
Matthew Eshleman: There’s a couple different pieces there. I’d say one, the actual platform for organizations to build their single sign-on is typically going to be free or very low cost. If you’re in Google, just out of the box, you can use Google to do single sign-on for a lot of different applications.
The same thing, if you’re a Microsoft Office 365 customer, if you have the P1 license which is included as part of their 10 free Microsoft Business Premium licenses, that gives you the ability to do single sign-on. I think Okta for Good through their donation program will give, I think it’s 50 free licenses.
So for most organizations, the cost to get started with single sign-on is very low. Where the costs can creep up in the applications that you want to integrate with, I don’t know. Slack or something, you have to have the upgraded tier and that cost.
Steve Longenecker: I think that trend has changed. I can’t predict what individual vendors are going to do, but I do feel like SSO is going to become more and more table stakes. You don’t get to make it a premium service. It may be optimistic to call that a 2023 trend, but I feel like it’s the beginning. There was a time when MFA was considered kind of a premium service. If you wanted to have MFA, you might need to pay a little bit more. And now if you don’t offer MFA, what kind of service are you providing? I think it’s going to happen with SSO the same way. It might take a couple more years for the vendors to catch up to that, but I just think it’s going to be a reality.
Johan Hammerstrom: I agree with you, Steve. I think the exception will be like SAS solutions that have a small home office offering and then a business offering.
Steve Longenecker: Sure. If it’s just built into their business model, or whatever.
Johan Hammerstrom: So just say you’re two or three people, you’re not getting SSO, you have to be a business. So I could see that not changing, but I think you’re right. Having an additional cost on top of the business licenses you’re already paying for, I agree with you that that should be going away.
Steve Longenecker: So maybe our advice is to wait that out. I don’t know. It’s a tough call. I do think single sign-on is very important. I don’t want to put this on the person who asked that question. It was a great question, but it’s like electricity. It costs so much, what am I going to do? Well, you’ve got to run a business, you have to have electricity. I don’t. I’m not sure SSO is on the level with electricity yet, but some of these cybersecurity things are becoming critical.
Johan Hammerstrom: Yeah, I’m sympathetic because I do think there are some software vendors who are just, you pay this much for access, but if you want to protect your data with a password you have to buy more. That’s irresponsible to be selling a solution.
Steve Longenecker: Agreed. Agreed.
Matthew Eshleman: Yeah.
Carolyn Woodard: This is a great conversation, but I want to make sure that we have a little time for cloud computing and let Steve talk a little bit more about some of how we use technology now and maybe formal training versus kind of training yourself and how that is changing and how nonprofits are kind of settling into the tools that they’re using and what you’re seeing in that line. Steve?
Steve Longenecker: I do think we missed the question about single sign-on versus passkeys that one of the audience members asked.
Referring to sort of the whole password list approach that Microsoft has now, they recently put out a press release. It got written up in the Washington Post, which is my home paper. It’s getting some attention because they must have put out some good marketing on it. Speaking of trends, I feel like that’s coming. But the whole password list approach is maybe something that we’ll be talking about in this trends conversation a year from now or so. I feel like Microsoft’s blazing the trail.
They’re definitely pointing the way, but it’s only this past year that all my bank accounts have finally gotten good, decent MFA on them. And you’d think a bank would be ahead of the game on that, but they’re just not. It’s like some of these things just take time to come into place.
Cloud Computing
Alright, so shifting to cloud computing. Yeah, it was my assignment to maybe speak a little bit about some of the trends that we’re seeing in cloud computing, specifically. And we identified three when we were doing our prep for this webinar.
One of the things that we’ve observed, and this may not be a trend for 2023 per se, but it’s a trend that we’ve seen gaining speed. And it fits with what Johan was talking about when talking about office management with the fact that so much stuff got rolled out so quickly by necessity during the pandemic.
There’s a shift in how training issues are addressed and maybe there just wasn’t a good opportunity to do a lot of formal training during the pandemic. The way you might’ve done training in the past was to get everybody together in a conference room and that wasn’t possible. But we are observing that in general there’s less training for a lot of platforms and technologies.
There’s much more of user self-services. In some ways Apple famously made it part of their brand. They were certainly not the only one that does it, but no instruction manual. It’s so intuitive. You just do it. You don’t need training on how to use an iPhone. A three-year-old can pick up an iPhone and figure out how to use them. These are the ideas.
I’m not sure how true that is. We still have requests for training from our clients and we do our best to accommodate those. But it really has become something that changed. There’s, there’s more users taking care of themselves, maybe looking things up on YouTube or sharing with each other.
And it’s interesting the costs and benefits of that. The benefits might be that you don’t have to sit through a training as an end user that doesn’t really hit you. You don’t feel like you gained a lot from that 45 minute session that you were asked to sit through. So that’s nice not to have to go through that. I think sometimes though we miss opportunities to find out about the little hacks, little tricks, little tips that might make a platform easier to use.
And so Carolyn was suggesting that organizations might want to at least consider doing a sort of brown bag, not necessarily trainer to audience, but more audience sitting around a table sharing their ideas or what they do that makes their use of the company’s information systems work better. And that’s kind of an interesting idea.
Another thing that we were thinking about in terms of formal training is that the one place that formal training probably is still required, and this fits again, back to Johan’s point about the fact that we rolled out all this stuff without a lot of attention for governance. One of the things that we have to do is circle back to governance and think about the rules of the road particularly for important information systems for an organization. It’s not just your Outlook or your OneDrive. Your OneDrive or your Google Drive can be as cluttered as you want it to be, as long as you can find the files that you need and deliver them when you need to deliver them. The rest of it is up to you. No one cares.
But for places where there’s collaboration like a CRM or a finance system where multiple people are plugging in data or manipulating data, you need to have rules. This is how the organization does it. When we put in a record, we need to have this field filled in and this field filled in. You can leave this field empty if you want to, that’s fine, but this field absolutely cannot, you cannot hit okay until you fill this field in.
Training around those kinds of governance type activities where there’s rules for how we do things is probably something that we’re going to need to backfill some of that stuff in, in the years ahead.
Johan Hammerstrom: Yeah. We have the cloud solutions. Now we need to use them effectively. That requires standard operating procedures, business processes and documentation. I’m coming back with some really exciting things for 2023. IT policy, standard operating procedures and business documentation. Sorry folks, but that’s kind of where things are right now. Those are the things that really need attention, in our experience, heading into 2023.
Steve Longenecker: Yeah. And in the same vein, I think users were empowered to find ways of getting things done when they were suddenly working from home. And if it worked for a department to sign up for a Trello account or an Asana account and share amongst themselves to get some of their work done, that was fine.
But now I think people are circling back – organizations and particularly the people in charge of data at the organizations. I don’t know if anyone’s in charge of data at some organizations or not, but people who think about and worry about where data is and what’s it doing?
There’s a realization that all these cloud platforms do require some active management. You need to know what platforms are in use, who’s using them? How are they being used?
One of the most important questions that you want all of your employees to know the answer to is what to use and when. It’s a funny question that Matt and I picked up at a Microsoft conference about five or 10 years ago. The hour long session was, what do you use when? It was the Microsoft stack. When do you use OneDrive? When do you use SharePoint? When do you use Outlook? Microsoft has a million products and what do you use when, but please whatever you’re using, it has to be a Microsoft product. Well, that’s not true for our clients. There are lots of platforms outside of Microsoft’s world that our clients are using. But you want your employees to know what to use when. Helping establish those rules takes management and takes work.
My job batting clean-up here is to circle back to everything. Circling back to what Matt was saying, one of the benefits of single sign-on is that it becomes then your gateway, your control point is the better word for it: your control point for all of these platforms. If the way to get to the platforms that your organization makes available to its staff to get their work done is through a single sign-on platform, then you control there who has access to what. Even the on boarding and offboarding of staff becomes easier through the SSO, the single sign-on platform.
It is just an extra thing to consider as all of the things that are on this slide that Carolyn’s sharing again. There’s lines you can draw between the different bullet points and circle amd this affects this and that affects that. Lots of this stuff all fits together.
Carolyn Woodard: That was a great, great wrap up Steve. Thank you for batting clean-up for us.
I want to go quickly to our learning objectives. We’re hoping that you would understand some of the trends for nonprofit management, office trends, cybersecurity and cloud technology.
We talked a little bit about the different sizes and the different technology trends that would be appropriate for different sizes, but we’ll try to talk about that more next month in our second piece.
Thank you Johan, for mentioning all of the boring things that are the trends, governance, usability, single sign-on and passwords, costs, self-training, user experience becoming more and more important like formal training versus self-training. And that all wraps back to governance of some of the things that we put in place, maybe pretty hastily, and now we’re going back to being a little bit more deliberate about it.
Next Webinar
I want to be respectful of people’s time, but I want to make sure to let you all know that the next webinar is February 15th, 3:00 PM Eastern, noon Pacific. We’re going to have some of the people from this panel back to talk a little bit more about some cutting edge and more forward trends that we’re going to see.
We’re going to branch out, talk about things that are on the horizon, including some things like AI, some more cybersecurity issues, tech innovations that nonprofits might be exploring. So I hope you will come back and join us for that, as well.
Thank you all so much for staying with us here until the end. I want to thank Johan, Steve and Matt so much for joining us and sharing your expertise with us. And thank everyone for joining us and we’ll see you next month.