Ask the Experts Panel Discussion
Join three Community IT Innovators executives for an “ask the experts” discussion and Q&A. Hear about nonprofit technology trends we expect to deliver new impact this year. This is always one of our most popular webinars as we take a deep dive into nonprofit tech.
We know our nonprofit community has been going full speed, above and beyond, over the past 2 years. In the midst of enormous changes and upheaval, we hope this webinar on using technology to deliver for your constituents will put your organization in a good place to grow and thrive.
CEO Johan Hammerstrom moderates the discussion, drawing on his decades of experience in nonprofit technology work. As our offices have moved to all-remote, all-in-person, or a hybrid, Community IT has seen nonprofits implement nonprofit tech projects that impacted their entire organization. The experts discuss our work with implementation of large multi-stakeholder tech projects, and the change management tools and principles needed to assist in successful tech transitions. Do you have a major tech project coming up? Are you in the middle of one now?
Our clients are moving to cloud-based tech, following the market as their on-premises solutions age. Cloud computing is transforming offices, from supporting productivity and remote work, to providing stability and lowering costs. Director of IT Consulting Steve Longenecker discusses his experience with cloud computing platforms. Remote work specifically has put new pressure on cloud solutions to deliver – is your team utilizing all the tools that you have? Do you have all the tools that you need?
Cybersecurity has only grown in importance for nonprofits as hacks and ransomware have made the news. Community IT Innovators’ CTO and cybersecurity expert Matt Eshleman answers questions on emerging threats, prevention, and staff cybersecurity training. Does your organization need a cybersecurity assessment or cybersecurity insurance? Have you taken our free self-quiz to see where you stand in cybersecurity readiness?
As with all our webinars, this presentation is appropriate for an audience of varied IT and security experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Community IT Innovators CEO Johan Hammerstrom has always been interested in using technology as a force for good that can improve our world.
He pursued a career in Information Technology, and started at Community IT in 1999 as a Network Administrator. Since that time, Johan has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, and beginning July 2015 President and CEO. Working directly with over 200 nonprofit organizations, to help them plan around and use technology to accomplish their missions, has been one of the most positive and rewarding experiences of his life.
Johan has a long experience in the nonprofit technology community and always looks forward to sharing tech tips for staff and leadership at your nonprofit.
As Director of IT Consulting, Steve Longenecker divides his time at Community IT between project managing client projects and consulting with clients on IT planning. Steve’s appreciation for working at Community IT Innovators is rooted in respect for the company’s dream and vision, and for the excellent colleagues that the dream and vision attract. Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.
Sharing expertise in the nonprofit technology trends roundtable 2022, as every January, is always something he looks forward to.
As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for shaping Community IT’s strategy in assessing and recommending technology solutions to clients. With a deep background in network infrastructure technology he fundamentally understands how secure technology works and interoperates both in the office and in the cloud.
Matt has dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University and received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference and Non-Profit Risk Management Summit.
Johan put several additional resources in the chat during this webinar. Here are those links ICYMI.
Microsoft changes to pricing for nonprofits:
How Autopilot can configure laptops remotely in less time:
More on Web3 as a cutting-edge trend or scam:
Johan: Welcome everyone to the January, 2022 Community IT Innovators webinar series. We’re so happy that you could join us for today’s webinar on 2022 IT trends. This is an annual event that we’ve been doing for the last six or seven years at Community IT, where we take a moment at the beginning of the year to review all of the trends that we’re seeing in nonprofit technology, and to provide you with some insights on where we see things going with IT.
We want to make these webinars as interactive as possible. We have a lot to cover today. There’s a lot going on in the world of technology right now. So we have a lot of content that we’re going to try to get through, but please don’t hesitate to use the Q and A tool as part of Zoom webinars to ask your questions and we’ll do our best to answer them today during the webinar.
We’ll also be recording today’s webinar and the recording will be made available along with the slides. After the webinar, you’ll receive an email with a link to our website where the recording can be found. It’ll also be posted on our YouTube channel.
If you happen to be listening on YouTube right now, we encourage you to subscribe to our YouTube channel so that you’ll get the updates every time we post a new webinar and we will also invite you to subscribe to our email list. We don’t send a lot of emails but we just try to keep people apprised of the webinars that we offer every month.
I’d like to start by introducing myself. My name is Johan Hammerstrom. I’m the CEO at Community IT and also the moderator for today’s webinar series and I’m joined by Steve Longenecker. Want to introduce yourself?
Steve: Sure. I’m Steve. I’m Director of IT Consulting at Community IT. I’m glad to be here today.
Johan: Great and our Chief Technology Officer Matthew Eshleman. Matt, do you want to introduce yourself?
Matthew: It’s great to be here to talk about some IT trends. I’m looking forward to our conversation and any input that you all have today. So, great to be with you.
Johan: Fantastic. Before we begin, if you’re not familiar with Community IT just a little bit about us. We are a 100% employee owned, managed services provider. We work exclusively with nonprofit organizations and our mission is to help nonprofits accomplish their missions through the effective use of technology. We have about 40 staff. We’re technology experts and we are consistently named a top 500 managed services provider by Channel Futures. And that’s an honor that we received again in 2021. So let’s get into the webinar today.
The agenda basically is: we always want to hold ourselves accountable. We make these predictions every year and we’re going to look back on the predictions that we made in 2021 and see how we did and then we’ll move into talking about the predicted trends for 2022 and as you can see, we have a very long list. We have a lot to talk about today, looking forward to getting into it.
So let’s start with the 2021 predictions. I will read these and then invite Steve to tell us what actually happened.
So what we said in 2021, at the beginning of the year, a year ago, we said that more organizations were going to go serverless, leave their servers behind, once and for all.
Steve: We definitely got that one right. We were already seeing that in 2020, so it wasn’t hard to predict the trend would continue. It’s a slow moving process.
If you have a server based infrastructure that’s working for you, there’s not necessarily a lot of reasons to change. That’s something we do have – clients getting away from servers, just because in particular with remote work, having a server in the office can be inconvenient for getting to the files and so forth that are stored there. But a lot of times what we’re seeing is that the actual pulling of the plug, truly going serverless happens with a lifecycle changeover.
So a server gets to be five years old, it’s time for it to be replaced, or its functions need to be replaced and it’s at that time that we see the change. So we’re seeing this happen. We’re going to continue to see it happen. There are clients that are large enough that having something on premises still makes sense. So we’re not predicting that all of our clients will be serverless by the end of the next year or two. But it’s a trend for sure.
Johan: And then somewhat related to that we thought there was going to be some tension between organizations that had a bring your own device policy, where employees were either allowed to, or expected to use their own personal computer to do work for the organization versus having staff use devices that are owned by the company or the organization.
Steve: Now I’ll let you do some of these, but I’ll do this one as well. Yeah, I think we got this one right as well. There was tension. For the most part we’re still seeing that organizations like to own the laptops, the computers that staff use and therefore can make sure they have good antivirus on them, they’re managed, they’re patched, and all of those things.
Mobile devices are often BYOD, bring your own device, at most of our clients. There are some of our clients and some nonprofit organizations that are providing phones to their staff and asking their staff to have a company phone as well as a personal phone and carry both. But that’s rarer because of the inconvenience of having two devices.
But it’s also true that this tension was manifested more. That has always been commonly the case. There have been organizations that say to bring your own device when it comes to laptops as well. But, it’s definitely true that organizations are more conscious of the risks of bring your own device approach and the fact that there’s a lot of data that ends up on personal phones if you don’t have any controls in place. That was something that we saw clients becoming more conscious of in 2021.
Matthew: Yeah, I think that’s true. It’s a trend that continues. I think there is a growing awareness that these personal devices are just that: they’re personal. While they’re used to access organizational data, that can present a risk to the organization itself. Organizations, as they’re being more intentional about cyber security and some of the policies around that, I think that the data on mobile devices will continue to be something that is reined in over time.
Ditching Traditional Phones
Johan: We got rid of the servers, we kept the laptops. What about the phones? We had a prediction that organizations were going to be moving away from traditional telephony. How did that turn out?
Steve: That’s definitely happened. You use the words traditional telephony. Everyone has either already or will soon replace the traditional telephony system with a voice over IP phone, which is oftentimes not even a handset. It’s just something that you access on your laptop or you have a number forwarded through to a different cell number. So we got that, and we got the spirit of the question that I’m not sure we said it exactly, but who needs a phone?
We got the spirit of that right as well, in that people aren’t using those 10 digit numbers very much at all. It’s a rare day that I am talking to a client on a phone number. I have one and use it occasionally, but most of the time I’m setting up a Teams meeting or talking to someone on Zoom. It’s not that common that I’m using a telephone number to be in touch with someone. That said, the phone number still remains important. It’s something that everyone needs for that occasion. It may not be their main line of voice interactions. Communicating remote voice conversations, Teams or Zoom, or something else may be what’s being used for the most part, but you need to have that number, for now.
Johan: We also talked last year about data reporting and business automation. We were anticipating a rise in organizations doing more reporting on all kinds of data, the growth of big data, as well as using a lot of business automation tools like Power Automate.
It’s a more slowly developing trend than I think we gave it credit for last year. The potential is there, but it wasn’t something that took hold in 2021, in our experience.
We’ll talk more about this as we discuss 2022 trends, but we also talked last year about the rise of the Microsoft stack versus best of breed solutions, which combine technologies, generally cloud hosted technologies, from different providers. I don’t know if we just want to save our comments on that prediction for the 2022 predictions or if there’s anything to add to that.
Now, we’ll move on: cybersecurity. We said that that was going to be a top IT priority. Matt, what happened with that in 2021?
Matthew: I think it has been a slow and steady climb. We’ll talk about this in more detail. As cyber liability insurance underwriting requirements have changed, I really think that this has pushed a lot of organizations to make more significant investments and become more aware of the risks that they face in that realm. So again, slow and evolutionary. I don’t think we saw any really dramatic changes in this area. But again, I’m pleased to see that it did increase in focus and mindshare amongst the nonprofit organizations that we’re working with.
Johan: And then finally, the last prediction we made was we were expecting organizations to become ever more virtual.
Obviously that’s a trend that started with the pandemic in 2020 and I think that’s definitely our experience, both at Community IT and with the organizations that we serve. The Delta wave that hit in the summer, in July and August for us, was kind of transformative.
Up until that point, we’d been thinking or at least in the back of our minds had an idea that we’d be going back to the way things were. We wanted to leave that option open to us. We had plans to return to the office, like many organizations did in the fall of 2021. The Delta wave just erased all of that and made it clear that we were now moving into the future. We embraced that and I think a lot of organizations did as well.
We did not talk about the supply chain challenges. That’s been a very real issue in 2021 and will likely continue in 2022. There were times where it was very difficult to get needed equipment for various IT requirements throughout 2021.
Steve: Yeah. We’re not going to talk about that again, although it’s true. It’s easy to predict that that will continue into 2022. All the headlines assure us that it will.
It was a really big deal to either have to have laptops ordered ahead of time. “Oh, we’re hiring someone six weeks from now. We need to order their laptop today.” And a couple other things to say: one, it was interesting how Apple, in various ways they’re insulated from some of this stuff. They’re so much more self-contained in terms of their supply chain; they own so much more of their own supply chain. And also I think they do things differently in terms of shipping.
I know they do things differently in their relationship with China. So for whatever reason, it was interesting that oftentimes getting a Windows laptop, you were looking at lead times that were four weeks, six weeks. But you could get a Mac laptop much more quickly than that. And the other thing that was interesting was how, because of supply chain problems on the Windows side, we just saw steady increases in prices through the year.
So our estimates on what you should be spending on a laptop have really gone up significantly and it happened without anyone really noticing. It’s like a little bit, a little bit, little bit now I’m turning around. Wow, this laptop’s a lot more expensive than it was a year ago.
Whereas Apple, I’m not trying to necessarily overdo the comparisons, they’ve had more control of their pricing. At this point, I think you still pay an Apple tax if you’re an Apple organization because of other costs to being different from everybody else. But certainly just getting the hardware on your desk, it’s very comparable in price now. It’s amazing. And the performance of the hardware is terrific as well. So that’s an interesting thing.
Johan: Yeah. The arrival of Apple Silicon with the M1 chip has been a real game changer because you’re getting an incredibly powerful laptop now for probably less than an equivalent Windows laptop.
Johan: Well, let’s move on to the 2022 predictions and the first one that we want to talk about is the rise of Google Workspace. This has been an interesting development for us this year.
Steve: Yeah. This fits into the 2021 prediction that we thought there would be tension between the going all in on the Microsoft stack, an integrated stack that goes up and down.
You get your Windows operating system. You get your Office desktop suite, you’ve got your email in Office 365, your files in SharePoint and you even have Azure Identity Services for single sign on and device management for your Windows computers. Everything’s in that stack. Each part of the stack may not be perfect, but the fact that there’s such good integration between them, it makes it just a no-brainer. Why wouldn’t you do this versus that best of breed idea that Johan talked about before, where you take the best of each service?
So who has the best way for me to do a virtual meeting? I think Zoom’s the best. I’m going to do Zoom for my virtual meetings. Then where’s the best file sharing? I think I’ll get Box. That seems like that’s the industry leader when it comes to file sharing. You put all these things together with Slack for communications, and you have your best of breed thing.
Google Workspace kind of fits into that. They want to provide integration, but they don’t really own nearly as much of a stack as Microsoft does.
We’ve always been a pro Microsoft shop. Microsoft has been and continues to be very generous to nonprofits and that makes it really simple. Simple for small nonprofits can be a very powerful advantage to going with Microsoft all the way up and down.
I think it’s fair to say Community IT grew up with Microsoft back when we would have clients that had Microsoft small business servers with Exchange on premises. The email server was in your office; the files were in your office. You had Office 2010 or 2007. And so the clients that have been on that journey with us all this time, they’ve always been in Microsoft and it doesn’t make any sense to change.
It was in 2021 that we really started to see, especially in our sales pipeline, we brought on a lot of new clients that did not grow up in that world. They’re new nonprofits. They’re nonprofits that didn’t exist five years ago and they’re meeting a new need, like protecting democracy in the United States.
They start out and maybe Google Workspace works really well for them. They’re not particularly tied to the stack. We talked about Macs before. If you’re a Mac client, then you don’t have that need to have tight integration with the Windows operating system. So that’s one less advantage to the Microsoft stack. So we definitely see a lot of growth in Google Workspace.
It was in October of 2020, so more than a year ago that Google rebranded their G suite to be Google Workspace. That really signalled a shift in their commitment to the platform. We’ve seen a lot of investment from them and that was something that really lacked for a number of years.
Google is first and foremost, an advertising company, a search company. I think for a long time, this platform that provided services to organizations was a side project. It’s still not their breadwinner, but they’ve definitely committed to making investments in that platform and it’s gotten a lot better just in the last 18 months.
So at this point we are really straddling. I would caution any organization that’s on one platform or the other that’s thinking, “Oh, the grass is greener. I want to switch,” that the costs of switching are high and I think both platforms are good.
I would be cautious about switching, unless there’s really a compelling reason. If you’re working in a space where all of your external stakeholders want to keep sharing Google docs with you, maybe being in Microsoft is really hindering your ability to partner with other stakeholders that are external, and vice versa. But otherwise, I think they’re both good platforms. Matt, Johan, you want to add anything to that?
Matthew: Yeah. That’s a good overview of the different platforms. A majority of Google Workspace has addressed some of the real underlying weaknesses associated with permissions management and moving away from a completely user centric model to now giving a little bit more of that traditional file folder permission structure.
So not everything is so tightly tied to the individual. Then that user goes away or their account is deactivated and then there’s massive problems that fall from that. We still see maybe Microsoft as the more full featured, there’s lots more bells and whistles. Almost all organizations are using the Microsoft desktop Office Suite in some capacity. It’s a very rare organization that’s all in on Google.
From a management and administration perspective, I think you can do more and there’s more capabilities within Office 365. Maybe there’s a little bit higher cost associated with it compared to some of the management and administration within Google Workspace.
Steve: I think that’s right. I’d definitely say that Microsoft 365 remains the more mature product. What I’m saying, and I don’t think we’re arguing with each other, Matt, is that Google Workspace is definitely good enough.
Although, once you’re in Microsoft 365 it’s like, “Oh, and we can manage your Windows computers for you!” Whereas in Google Workspace, there’s a little bit of endpoint management. It’s more oriented towards Chromebooks and Android phones and the Windows part is pretty eh. You might be in that best of breed place where you need to get another endpoint management system if you have Google Workspace, because Google Workspace doesn’t provide everything. Whereas Microsoft wants to just keep selling you more and more Microsoft things. You can almost do everything with Microsoft. That’s not quite true, but a lot.
Johan: So we’ll move on and actually that’s a nice segue into the next trend. This is not a trend, but I think it’s worth noting that Microsoft has been making some interesting changes to its licensing and pricing for nonprofit organizations. And I’m going to share a link here of a blog post that we did recently outlining some of those changes and I think that’s an important change and trend (almost) coming out of Redmond for people to be aware of.
Matthew: Yeah. It is worth saying; there were significant revisions to the donation program. I think Microsoft kind of telegraphed pretty well. If you’re an organization of under 300 seats, they’re going to give you the basic tools that they think you need to be successful as an organization. The days of getting hundreds and hundreds of free E-1 donations, that’s gone. They’ve really pulled that back up into their enterprise agreement customers.
To some extent, we trust Microsoft to continue to have a commitment to the sector with their generous donation programs. I think at the same time, it was really disappointing to see that donation of the EMS E-3 sku go from something that was provided and 50 free licenses assured they were going to be there, then two years later, having Microsoft pull the plug on that was a surprise.
It is a little bit of a realization that these are donations that are given at Microsoft’s behest and those things can change. We have confidence that the core platform donations are not going to go away. The Azure donation is not going to go away. But there have been significant changes to the donation program from Microsoft.
Zero Touch Deployment
Johan: So let’s move on to the next trend and it’s somewhat related and this has been a game changer in our experience and it’s zero touch deployment. I think there may be some other platforms that do this, but the platform provided by Microsoft through its Autopilot feature has been really impressive.
Matthew: Yeah. Maybe just to build on this, we did a whole webinar on this feature set in the last year.
Steve: Summer I think.
Matthew: Yes, over the summer. This has been really fantastic for those organizations that are largely virtual, that are distributed, to be able to ship computers straight from the manufacturer to an employee’s house, have them sign on with their username and password and then automatically have all the programs and applications that they need to be productive. It has been fantastic.
We’ve really changed from a situation where computers were set up in the office by the MSP or by the in-house IT person, and then handed over to the employee or were shipped out. I think there’s been tremendous efficiency improvements with this really refined process between Autopilot and Intune and then Azure Active Directory which really backs everything.
This is the way that all computer setups are going to be, moving forward. I think you have to be a really, really big organization to not use this as the default method for how you’re doing deployment of Windows computers.
Steve: I’ll add two things, one: it’s not something that you can just do. You have to transition your approach to having Azure AD joined laptops, which is not necessarily as big a shift as it used to be. But if you’re completely oriented around domain joined laptops that get most of their configurations from group policies, obviously these have been tough times for you. Your people have not been in the office very much where their group policies are being pushed down from domain controllers very easily, so it’s a shift. For small organizations, it’s not as big of a shift and it fits in tightly with going serverless, that we talked about.
The other thing worth mentioning is that we’ve basically been doing the same thing on the Mac side. It doesn’t use Microsoft’s products in any way, shape or form, but for our clients, we manage Macs with Addigy. That’s the platform that we use to do mobile device management for Mac OS from the Apple Business Manager platform. You can basically say, “Hey, when you ship a Mac to us, we want it to automatically enroll in Addigy with this identifier and then it gets the policies.” Zero touch, the user can just turn on their computer, log in and it gets going.
Matthew: Yeah, I think that is the next slide that we talk about.
Steve: Oh, I’m sorry. I didn’t realize you had one.
Matthew: You have seen the future, Steve.
But I think it is true. I mean, I think this has been a good shift. We go from this automated computer deployment and management rollout being really a Windows centric thing to, if we take a look at the next slide, something that’s now realistic to do in the Mac world. So Apple, again, revamped their program.
I forget what it used to be called, now it’s called Apple Business Manager. It allows you to do a very similar process where you can apply an MDM profile: mobile device management profile; assigned to a device at the time of purchase. You can buy your computer, buy your devices through Apple Business Manager, ship them to your employee’s house. They automatically come enrolled with your organization’s MDM profile.
And then through that MDM profile, standard configurations can be deployed. Applications installed, all of that can be deployed. And it has represented a shift. I have down here at the bottom, devices can be re-enrolled into this program retroactively.
In the previous iteration of the program, unless you were buying 20 or 30 devices at a shot, it didn’t really make sense to do. If you didn’t purchase computers through Apple’s corporate purchasing program, there was no way to add them back in after the fact. The way that Apple did it, the hardware allocations were for the entire region.
If you bought a computer at the Apple store, that computer was associated with maybe the northeast region, and there might be a hundred thousand computers in that group. So you couldn’t back that into your org’s management platform.
But now, it’s a lot more modular and Apple’s following the Microsoft lead. You’re able to generate a hardware hash, load it up into the system, and then you can tie that device to your organization. What originally was just a Windows thing is now something that can be done for Mac devices as well.
Johan: And it’s great. It goes with the new remote and dispersed work situation that a lot of organizations are now experiencing and trying to manage where you can order and ship devices directly to staff, and as long as they can get on the internet, it’s basically going to get automatically configured for them.
All right. So related to that is our next trend. We’re doubling down on going serverless. More and more organizations are getting rid of their servers, even large organizations. Most organizations now, except for those with very specific and specialized line of business application needs are able to get rid of their servers.
Even if they’re planning on coming back to an office with printers, printers had been the final thing that servers were taking responsibility for, and now they’re not even needed for that.
Matthew: I think the reason that organizations can go serverless is really that files were the last bastion of those holding organizations back. Organizations have needed to move their systems into the cloud just to work and be productive over the last two years. SharePoint online has really improved significantly. And so it’s practical for organizations to do some of those lift and shift migrations into SharePoint. Google Workspace, again, has a better way of managing traditional file and folder structures and so that’s made it a lot easier. Then the only thing that’s hanging around on premises are the print servers. At the end, people need to print, but —
Steve: Less than they used to.
Matthew: Less than they used to. But there are technology solutions now that make it really easy and practical to manage printing, to do all of the stuff that you needed a server to do previously. Now there’s some good applications that allow cloud management so that you don’t need an on-premises server to run those systems anymore.
Steve: It’s worth clarifying what we’re talking about just a little bit. Laptops can print to printers pretty easily. They don’t need a printer server anymore, because the printers themselves are sort of self-service. You send a job to a particular IP address that a printer has and the printer gets the job and says, I’ll print this and prints it.
The challenge for a lot of computers, and when I say a lot, I mean more than a handful, is that if you introduce a new printer, you need to tell all those laptops that this new printer exists. When Community IT got a new printer a few years ago, we just told everybody, “Hey, there’s a new printer. Here’s its IP address, deal with it.” But we’re all IT people. Okay, we’ll go online and find the driver, download the driver, install it on our computers and now, and we’re all printing and that’s how that went.
I think someone had to help our HR person, who’s not an IT person, but everybody else grew up in an IT world and was able to take care of themselves. That’s not the case for most organizations. So how do you deploy a new printer to a lot of different computers? And that’s where you get a cloud printing service agent on all your computers, because you have a way to manage all of your computers and once you have that agent in place, then if you add a new printer, you just tell all the computers at once.
The computers are still printing to the printer directly without being mediated by a service. What you’re doing with the service is installing new drivers and adding printers with their correct IP and the corrected configuration to the laptops.
If you only have three people in your office, just go manually add each printer one by one, and don’t pay for a service. But if you have 50 computers, it makes sense to do something like that at that kind of a scale with a service that you push one button and it deploys to all of your 50 computers.
Johan: So basically, if you have a server and its warranty is expiring, you should look seriously at going serverless and not replacing it at all.
Talk to your IT team about some of the implications.
“…more and more organizations were realizing they didn’t have adequate coverage for cybersecurity events or incidents.”
The next trend is something that we didn’t predict at all. Although I think we maybe could have. Well, we’re not in the insurance industry, but 2020 was a landmark year for the insurance industry for a couple of reasons. One of them was for cybersecurity claims, which exceeded premiums. They basically blew out the underwriting that had happened for 2020 because of the number, the severity and the cost of cybersecurity incidents that year. So the insurance industry responded pretty swiftly by raising premiums and by adding more specific and relevant requirements to obtaining a cybersecurity liability policy. And that’s something that we experienced directly and many of the organizations that we work with experienced as well.
Matthew: Yeah. I think this was a miss in terms of where we thought things were going to go in 2021. I think what we saw going into the year was that more and more organizations were realizing they didn’t have adequate coverage for cybersecurity events or incidents. And so they were getting cybersecurity insurance or cyber liability insurance.
But, I know I was really shocked at how quickly the underwriting requirements changed very early in the year. Some of the traditional carriers that we had a lot of clients going through, all of a sudden had much, much more stringent application requirements that had to be in place before they would even consider the application.
Just over a period of a couple years, we went from basically just put your name on the list and we’ll give you a policy, to “Do you have any basic controls in place? You have to have MFA on every system in your organization.”
If it can be remotely accessed, it has to have MFA and that means VPNs, file servers, remote desktop, all of that. Asking for designated CI, CISO, chief internet security officer roles at an organization, expecting formal policy requirements around incident response. Business continuity planning including formal security awareness training as a mandate that organizations must complete before underwriting would complete.
Going beyond the basics of patching and backups to requiring more sophisticated endpoint protection, like EDR (endpoint detection and response), included as a baseline standard, and so I think that has been a really big jump and has caused a lot of disruption for organizations.
I know we had to do a lot of work for a number of organizations to really bring those security standards up to meet the underwriting requirements. Otherwise, they either weren’t going to get coverage at all, or they would’ve had significant price increases related to their policy coverage.
Steve: You can argue with me, Matt, ’cause you’ve definitely been on the front lines of this a lot more than I have, but I feel like the pendulum’s sort of swinging a little bit. It may be a little bit of an overreaction.
Some of the requirements seem like they do not fit super well to a small org and don’t really address the risks. We definitely appreciate that MFA is required, for example. But, there are certain requirements, it’s like, really? It’s just a period of adjustment and transition and it’s not surprising that the balance is still being found.
Matthew: Yeah. As Johan identified, with the financial loss that the sector incurred, it’s probably going to be a while before those standards are relaxed. The amount of loss associated with cyber attacks is only increasing, year after year.
I do think that maybe some of that stuff is a little bit over-prescribed and that the real source of a lot of these data breaches is still pretty basic stuff related to people getting tricked into wire fraud transactions or poor password policies on their core systems.
We aren’t seeing amongst the clients that we work with, these really sophisticated attacks leveraging the latest vulnerability. They are still very much focused around common attacks exploiting people’s basic lack of security awareness training, or lack of basic MFA control. So yeah, I will be curious to see how this evolves over the years, but it certainly seems from the applications that we’re filling out, that there’s a much more stringent requirement for a lot of these cybersecurity controls and that’s not going to lessen anytime soon.
Johan: Yeah. I remember I was at an IT conference. I think it was 2018, and I went to a session on cybersecurity and the organizer of the session was from the insurance industry. He basically said, “Look, we have no idea what we’re doing. We’re trying to figure this all out. We’re trying to develop basically an entire insurance industry around a completely new type of risk.”
So we’ve certainly seen them figuring it out a little bit more over the last year or two, but I think you’re right, Matt, it’s something that’s going to continue to evolve pretty rapidly over the next few years.
Before we move on to the next slide, thank you everyone who’s been submitting questions, I encourage you to continue to do that.
Could you just speak a little bit more Matt, about EDR and what it entails?
Matthew: Sure. I think it’s helpful to understand EDR (Endpoint Detection and Response) in the context of traditional antivirus. Traditional antivirus looks for a certain virus definition. If this file exists on your computer, that’s bad and let’s block it.
EDR really goes to the next step where it does look for that standard static file analysis, but then it really goes into a more behavioral base of what is this process doing? Do we expect it to do that? Should it be doing that? And so it can block your standard virus files, but it can also block things like malicious PowerShell, or in the Mac world, bash scripting, or other techniques that attackers have used to exploit computers.
And so, EDR combines a much more sophisticated analysis of system processes and behavior along with an ability to map out the process history, i.e. where did this file get launched from? What are the preceding events? It can include a lot more lengthy logging. Some organizations, if you have HIPAA compliance or other formal compliance standards, may need to keep logs of what happened on a system for a year and EDR tools can help provide that sort of compliance and reporting.
So you can say, “On this computer, six months ago, here’s what happened,” and we can go back and take a look at all of that. So it really combines much more sophisticated process analysis, behavioral analysis along with lengthy reporting to be able to provide that backwards visibility for what happened on a system over a certain period of time.
So, yeah, there’s a lot of acronyms that are coming out now: EDR, now XDR is the new thing. I’m not sure I have quite a good handle on what all those acronyms are, but at Community IT we’ve had this type of tool in place for quite a while. It’s been around for several years. It’s a very big, buzzy space. There’s lots of vendors that are getting into it, so there’s a lot of marketing jargon that happens. At its root we see a lot of value in having these types of solutions in place, even though the actual amount of virus activity we see is relatively low.
Johan: Great. Thank you, Matt. We are going to quickly go through the next one, since we did talk about it a little bit at the beginning of the presentation: supply chain challenges. That’s a trend that we see continuing in 2022. I don’t think there’s anything more we need to say about it at this time.
Mobile Device Management
The next trend is mobile device management, which was an interesting trend. One other thing that we missed was that BlackBerry would finally shut down its services, although technically that happened, I think on January 4th, 2022. You could still use a BlackBerry through all of 2021; that is no longer the case.
People have been talking about mobile device management since the age of BlackBerry, so I’m curious, why are we noting it as a trend now in 2022?
Steve: I think it’s the combination of things that have been coming before us. So this is the year that Community IT brought me my laptop and it’s owned and managed by Community IT. I use my Community IT laptop for work and no one else uses that laptop but me and I don’t really do my work on any other laptop and that’s all fine. But then I have my email on my phone. I need to have my email on my phone because I don’t always have my laptop, but I do always need to be aware of email and folks reaching out to me when I’m not on the clock.
That’s a phone that I own. It’s my phone and it’s got all sorts of things on it besides work and it’s just become more and more important for organizations to be aware of the cost of that and Matt was talking about that when we were doing the review of the 2021 predictions.
There are now more ways to address those concerns than there were in the past. So it’s partly a prediction based on the fact that we’re seeing it, the solutions are more available, easier to use and easier to manage than they used to be.
In 2021 we all had to enroll our personal phones in, Matt can talk about the technical details, but it’s a Microsoft solution where basically, I can only use Outlook on my phone to see my Community IT email. I can’t use the Android email app. I have to use Outlook and since Outlook is owned by Microsoft, it’s part of that stack.
If Community IT needs to wipe all of the Community IT email data off my phone, they can do that as long as it’s on the internet and online. Community IT doesn’t have access to the rest of my phone, but they do have access to that part of my phone that’s doing my Community IT work. That’s kind of sandboxing. It just wasn’t something that was very easy to do in the past.
I think I said during the 2021 review slide, that we are seeing some of our clients saying, “We want all of our staff to have company owned phones. They’re just going to have to carry two phones and that’s just the way it is.” It’s not common; it’s not what everybody’s doing, but it’s happening more than it used to and it’s reasonable in certain circumstances to do that.
Another thing that I would say happened in 2021 that I think was the first time, we’ve had clients request us to lock down SharePoint, which you can do to only computers that are managed by Intune.
This works best when you’re in the stack completely. And that’s one of the advantages of going with Microsoft up and down. If you have a Windows operating system managed by Microsoft Intune, you can say that Microsoft’s SharePoint can be synced, you can access it online in a browser that’s controllable too, but the granularity that we thought was best was: staff can access the SharePoint online from any computer, as long as they have their username, password and multifactor authentication all triggered.
If I’m at the public library, I don’t have my laptop with me; I get a text, I need to edit a document right away. I can go to one of those kiosk computers and get online and see it, but I can’t leave any traces of that data. I do it on an anonymous browser, do my little bit of work, close the anonymous browser, and I’m out.
But if I want to sync at that library, I need to be on a laptop that’s owned and managed by the client. That’s pretty cool. So there are a lot of things going on in this right now. I think I’d say that what’s changing the most is that the tools available are finally becoming accessible to small organizations. There’s always been a need, but a need that doesn’t have a solution is a need that you defer and don’t worry about. Now there’s a solution for it, then it’s responsible to make use of that solution.
Johan: Yeah. I think that’s a good way to put it. It’s not so much that the need is new, but the appropriate solutions are finally available.
I remember 10, 15, maybe 10 years ago, for MDM you had to buy two appliances, they cost $30,000 each. It was just a very expensive thing to have to do and it was clearly geared toward very large corporate enterprise environments. With Intune and other solutions, it’s now something that small organizations can take advantage of.
Virtual Reality/VR and Web3
So on that note, we at Community IT do focus on appropriate and effective and affordable technology solutions, but sometimes it is nice to look ahead, down the road at what’s coming. If you watch or read other posts about IT trends, chances are you’re going to read about virtual reality.
Facebook or Meta is obviously making some big moves in that area. Augmented reality is something that’s becoming more and more talked about at least, and then web3, which includes things like crypto, cryptocurrencies, NFTs and the blockchain. So we wanted to talk a little bit about our impressions of these more leading edge technologies and what we see happening with them in 2022.
Matthew: The trend that I see related to specifically web3 and some of the blockchain stuff is a little bit of a backlash against the awe and wonder and promise that maybe we had, I don’t know, four, five, six, seven years ago, whenever this was viewed as really transformative technology to have this kind of open, distributed ledger concept. Everybody was going to be able to participate and we’re going to disintermediate everything. I think there’s been some really significant and justified criticism against that. I think I’ll link an article from USENIX that talked about the costs associated with web3.
And again, it seems like a solution in search of a problem. I think there’s also a good reviewer criticism from Moxie Marlinspike, who is the creator of Signal, the encrypted communication platform. Whereas web 1.0 was, as Johan mentioned, we all had clients and everybody managed a server in their office. With web 2.0 being things going to the cloud, nobody to run and manage servers. I’m the CTO. I don’t really want to run a server. I want to have a service and consume services and really focus on integration and leveraging platforms.
Web3 seems a little bit like something the crypto crew is trying to promote to talk about cryptocurrency. But I think there’s a real legitimate backlash because of the model, because of how inefficient it is with energy consumption. There’s been a lot of pushback.
We’re starting to see that Mozilla Foundation has stopped accepting donations in cryptocurrency and I think we’re realizing the true impact of some of these solutions. There’s going to be a receding of that. Maybe there’ll be a new innovation into something more capable and more transformative for us.
I remember going to an NTEN session many years ago. It was talking about blockchain and how wonderful this was. But I think at the end of the day, the question was, do you need blockchain? You just need a database. And I think the answer for probably 99.9% of the cases is you just need a database. Blockchain is not something that is an appropriate solution for many cases.
Johan: Yeah. And I think our take on VR and AR is that the technology just isn’t there yet. It’s a little bit like the early days of Palm or maybe even the Apple Newton, where it’s a great concept.
If the technology were there, you could see a lot of interesting use cases for that technology solution. But our read on it is that the technology is not ready. It’s very expensive and doesn’t really work as well as it should. There’s probably a couple more years of development remaining before it gets to that point.
We have about five minutes left. Fortunately we only have two trends. If you have questions, please be sure to chat those in through the Q and A tool.
We wanted to end on a more pragmatic note, a highly pragmatic note: practical cybersecurity.
As you talk about this, Matt, we did have a question come in from someone saying for all of us who are now designated CISOs (Chief Security Information Officer) – I think the accidental CISO is probably a trend that we should have put in this presentation, because a lot of you are going to be accidental CISOs in 2022 – do you have any training or certification recommendations? If you could just append that on to the end of this slide, that would be great.
Matthew: In terms of trends, secure by default is something that if you’ve been a new entrant to getting Office 365 set up, for example, a lot of the security defaults are already in place in blocking old and outdated protocols, requiring MFA, limiting the number of admins, that kind of thing. The platforms themselves are implementing those controls. There’s a big buzz that Salesforce is going to make MFA required here in the next month or so. The platforms themselves are taking more responsibility to ensure that they are used in the most secure manner possible and I think that’s a great trend that we’ll see continue.
Having those secure defaults available and required out of the box is great. I would also say that for the next topic: Microsoft makes monitoring easy, and that is true. They have some really great tools within their platform that are available at the higher tiers.
One thing I would love to see is for those security features to be available to everyone even if they’re not paying for the most expensive tier. I think a real problem with some of these cloud solutions is that you’re only getting the best features if you’re turning up and really paying a lot for your licensing. Security is so important. The capabilities are within the platform. I think it’s important for vendors to make that available to all their customers at a base level, not something that’s kept only for the most expensive security tiers.
Then finally, this idea of zero trust or cloud access service brokers, where we’re really switching the model from, “Hey, as long as you can get to this service, you can try to log in and then we’ll accept your username and password.” I think it’s really going to start to shift more to “We’re only going to allow connections from trusted devices or trusted locations. We’re going to prompt for that reauthentication.” Something that is going to finally take hold here in 2022, is we’re going to really shift the model.
Organizations have made good progress in implementing multifactor authentication. The tools are improving to manage devices, whether they be corporate-owned or personally owned, to put those controls in place. There’s a bit more validation around where those connections are coming from. That’s what I see on the practical cybersecurity side for this year.
Johan: We’re going to run a few minutes over; I hope you can stay with us. If not, it is being recorded and you can catch the last few slides on our YouTube channel.
Before we go to the last trend, which are sector trends, I did want to let everybody know we’re going to have a very special webinar.
Next month, we are partnering with Your Part-Time Controller, which is a nationwide financial services firm that focuses on nonprofit organizations. We’re going to be joining forces with them to share how to protect your organization from wire fraud. So it’s continuing with this theme of cybersecurity. It’s going to be a great webinar and I really encourage you to sign up for it.
Let’s finish with our last trend, the sector trends.
What do we see happening in the nonprofit sector as a whole in 2022?
Matthew: Maybe it’s some wishful thinking, or some optimism, but I do think that in 2022, foundations or fiscal sponsors are going to make a shift from being hands-off on funding IT projects to being really specific. Saying, “Hey, this is what we know nonprofit organizations need to be secure and well-managed, and we’re going to provide that to all of our grantees.”
The answer for a lot of these cybersecurity solutions isn’t hard. The tools are out there; they just need to be implemented and managed well. I think this is going to finally be the year when foundations or fiscal sponsors are really proactive in saying, “We’re going to make sure that the organizations that we’re providing funding to have the right tools and equipment in place, so they can focus on their mission and not worry about all the cybersecurity stuff. We’re going to fund that and we’re going to actually pay and provide and vet the solutions that are implemented.”
I think that’s something that is going to be a shift in 2022. I also believe the next one: nonprofit pay jumps to remain competitive.
I think we’re seeing this in our hiring. Salaries have risen and risen pretty significantly. It’s a very competitive landscape out there and I think nonprofit organizations are going to need to make some significant improvements. Pay has traditionally lagged in the nonprofit sector, and I think the really competitive and effective nonprofits are going to identify that and be proactive about raising salaries so they can maintain a competitive edge and increase their impact.
One of the things we didn’t identify as a trend, but I think we’ve certainly seen in 2021, is that overall, the sector seems like it’s growing and growing significantly. In 2020, I think there were a lot of people holding the line. There was a conservative approach in growth, and uncertainty.
From where we sit, we’re seeing a lot of growth, a lot of demand both within our existing client base and new organizations that are coming to us. Overall, it seems like the nonprofit sector is very healthy and is growing and so I do think that pay is going to be a part of that.
Then finally on the cyber side of things, I do think we will finally get to a place where this term a “Geneva Convention” for cybersecurity is defined and maybe enforced. So that effectively means that certain industries or sectors are going to be off limits for cyberattacks.
Hospitals shouldn’t be attacked by ransomware just because they have a vulnerability. Making sure there are certain guardrails put up to protect vulnerable organizations from cyberattacks and have it codified under law, maybe international law, this is not a new concept. A lot of big thinkers are talking about this and have been talking about this for quite some time. But I think this is the year that it finally happens.
Johan: Let’s hope so. I mean, that would be an important advance in international diplomacy and I think you’re largely talking about nation state threat actors.
As I mentioned before, we have a great webinar lined up for February. We’re going to be working with Your Part-Time Controller to provide a joint IT finance webinar on Protect Your Nonprofit from Financial Fraud.
Thank you for all the great questions today. We did actually have two questions that were related on artificial intelligence. Are we seeing anything with AI? What is your hot take? I’ll just pass to you.
Matthew: The hot take is I actually like Microsoft Viva and it going through and telling me what I need to do for the day. So I think that some of the basic stuff like that I really find valuable.
Steve: Different side of the fence on that. I just wrote back to Jennifer Keller Jackson that I’m not impressed. But you’re right, that’s what we’re seeing, at the most.
Google and Microsoft are definitely trying to innovate with AI. They think that it can be a differentiator, and it probably can be. I just don’t think it’s there yet, but if it’s useful to Matt, it’s useful to other people. Different people get different things from that, but that’s all AI. It’s some machine parsing your emails and your clicks and saying, “These are files you should know about. These are things you should follow up on.”
Johan: I scheduled a meeting yesterday and the little Viva thing popped up and said, “You made this meeting for an hour. You might want to allow a little downtime after your meeting. Do you want to change it to 45 minutes instead?” And I was like, well… AI has come a long way.
So anyways, Viva would be unhappy that we went six minutes over on this webinar, but thank you all so much for joining us today. As we mentioned before, this recording and the slides will be up on our YouTube channel and we hope you can join us next month. Have a great afternoon.