In previous posts we’ve discussed rethinking the corporate conference room in the new world of remote work. We've also talked about the need to secure the home office against hackers. But what about the overall comfort and functionality of the home office?

 With the pandemic continuing way longer than we ever thought it would, it's time to think more long term about how we work. Many companies are embracing the work-from-home model as a permanent part of their culture. Many are offering a split schedule with a few days in the office per week and a couple of days remote. Flexjobs has compiled a list of 30 prominent companies with various plans to allow remote work on a permanent basis.

 For the long term, the dining room table is just not going to cut it as an effective home office environment. It's time to really look at what is going to make for a comfortable, productive space. We've all become accustomed to the standard amenities of the typical office. Comfortable chairs, fancy electronics, break rooms, etc. Emulating the office experience at home may require some investment in furniture and gadgets that will transform your space into a true "office away from office".  CableCompare.com has come up with 12 suggestions for particular gadgets and accessories to make your home office more functional. These include: 

• Ergonomic Office Chair

• Standing or adjustable desk

• Second (or even third) monitor

• Wireless Charging Stand

• Compact Fitness Equipment

• Improved lighting

• Blue light blocking glasses

• Fan or Air Purifier

• Noise Canceling Headphones

• Coffee/Tea maker

• Mini Fridge

• Whiteboard

 It is now common to see television ads targeted direct-to-consumer for high end office furniture such as the X-chair. We've also seen the explosion in the demand of relatively compact home fitness equipment such as Peloton, Tonal, and the Mirror. What used to be wasted time in the car traveling to and from work is now time that can be spent on our physical well being. If you don’t have the space or the budget for the ones above CableCompare.com has offered several suggestions as well.

 The home can be a noisy place with barking dogs, screaming kids, and the neighbor's lawn mower. This can be very distracting when on a video call with coworkers and clients. So Krisp has come up with a software product that eliminates background noise through artificial intelligence. It can even remove the background noise coming from the other parties on the call. For limited use it is free, $5 per month will get you the pro, unlimited version.

 And if your "office" is far removed from the kitchen like mine is, the coffee maker and mini-fridge are a must. How else are you going to do "beer Friday's"?

 Check with your employer as to the future of remote work at your office before making major investments. But if you are going to work from home over the long term, you might as well have the best environment possible in which to do it.

In last week's article we brought to light the need for MSPs to shore up their own security. As part of that strategy we discussed the need for a Cyber Insurance Policy to protect against any lawsuits that may arise due to perceived negligence on the part of the MSP.

 So let's delve into the Cyber Insurance industry in general for a minute.

The cyber insurance industry is still very much in its infancy. Although it has been around for a decade or more, that pales in comparison to other forms of insurance such as casualty and property. With more mature forms of insurance, companies have decades worth of data and actuarial tables to accurately assess risk and assign value to premiums.  With less history and a rapidly changing threat landscape, the cyber insurance industry lacks any real method of assessing risk accurately. Thus, there is no standardization across the industry.

At the same time, the cyber insurance industry seems to be experiencing a bit of a plateau in demand according to a January article in the Harvard Business Review. Of course, that article predated the recent high-profile ransomware attacks against a major gas pipeline and the meat packing industry. The demand for cyber insurance will most be on the rise again as corporate balance sheets return to normal post-COVID.

Meanwhile, back in the MSP world, recent incidents such as the Solarwinds attack and the Kaseya infiltration should come as a wake-up call to all MSPs. We can do everything we can to bolster our own security, but most of us are vulnerable to weaknesses within our business partners' security. There is little that we can do to prevent their tools from becoming weapons that we inadvertently help distribute.  Had the Kaseya breach affected their SaaS customers, the effects would have been catastrophic. Literally thousands of SMBs would have been shut down. And they would be looking to their MSPs for restitution. The rash of cascading lawsuits would have been tremendous. SMBs suing MSPs, MSPs suing Kaseya, etc. Even if Kaseya were able to pay a single ransom payment to get an unlock code to be distributed to all affected systems, it would take a while and all of those SMBs would incur significant downtime and losses. Even though the MSP is simply the middleman in this attack, customers would perceive them as being responsible.

This just demonstrates the need for cyber insurance for MSPs. However, due to immature nature of the industry it is important that MSPs shop carefully. Work with a firm that specializes in the MSP business. MSP Alliance offers Cloud and MSP Insurance policies to its members. Some MSSP services offer Cyber Insurance along with their security services for added protection. Regardless, read the fine print. Make sure there are not glaring exclusions or very low caps on payouts.

Finally, don’t bear the entire burden of insuring against cyber-crime. Make sure you are encouraging (or even demanding) your customers to purchase their own cyber-insurance policy. Make sure they fully understand what their own responsibility is in protecting themselves. A user clicking on the wrong link or wiring a gajillion dollars to Nigeria is not the MSPs fault. They will need their own policy to recover losses in those scenarios.

Going back to last week's article, you'll have to get your internal ducks in a row to get the right coverage so start there. The insurance company is going to want to see the protections, countermeasures, and policies you have in place to offer you coverage.

The time to get started is now.

Most traditional MSPs today are aware of the need to provide their client base with a much higher level of security services. The recent spate of high profile ransomware attacks make national headlines but lesser attacks that don’t garner as much attention occur every day in much smaller institutions. Many MSPs are seeing the need for advanced security services as not just an opportunity but a "must have". Whether they are looking to build their own MSSP practice or partnering with others the provide the service for their clients the need to look internally at our own security is a must.

Although, it was revealed early on that the SolarWinds Orion Platform compromised in March of 2020 was not the same one used by many MSPs, it was a wakeup call. In 2018, long before that attack, the Department of Homeland Security released an alert indicating that bad actors were targeting IT Service Providers as a way of gaining access to their client's networks. According to a recent Perch Security study, in 2020 73% of MSPs surveyed reported at least one security incident. In that same study 69% reported a ransomware attack

Famously, bank robber Willie Sutton was asked why he robbed banks. His reply, "Because that is where the money is". This rings true in the MSP industry today. MSPs have elevated, if not complete, access to their client's networks. Back in the early "00s", as a service manager for a fairly large MSP, I would lose sleep at night thinking what might happen if anyone ever gained access to our client documentation system. It contained our password database as well as detailed documentation of our customer's networks. It was basically a cookbook for any hacker to compromise any number of our clients. We implemented Token-based Multifactor- Authentication for remote access when only larger institutions and banks would invest in the technology.  Additionally, we contracted with an independent security audit vendor to perform internal and external penetration testing, including social engineering. We learned a lot and as a result improved our security greatly. It was a case where we had a higher level of security than the vast majority of our clients. Back then few SMBs could afford such a level of security services, nor did most need it. That has all changed.

Many MSPs over the years have had a bit of "cobbler's kids" syndrome. In a "do as I say, not as I do" kind of way, MSPs have not given the same level of attention to their own internal network that they do their customers'. When we were primarily focused on monitoring and managing the health of the infrastructure and ensuring systems were patched, the implications of an internal failure were relatively contained. It might lead to a disruption of service, but typically not result in damage to our clients. That is no longer the case. A security breach in your own network can result in irreparable harm to your clients.

Before you focus on building out the advanced security services you will offer your clients, make sure you implement them internally first. Even if you aren’t looking to get into the MSSP business, this is a critical step. You are custodian to very sensitive information for your clients. In effect, you are the "bank" for your customer's information. Guard it with your life.

Here are some critical steps for MSPs:

Start with a comprehensive outside independent security audit of your organization. This should include Internal and External penetration testing, vulnerability scanning, policy reviews, social engineering (including email phishing and fake password requests to the helpdesk). Identify your weak spots and address those.

• Review the 2018 DHS Threat Alert for MSPs and follow recommendations therein.

• Enforce strong passwords, password change policies, and ensure EVERY employee is using MFA for external access to your network.

• Continuously scan your network for vulnerabilities. Remediate critical and high vulnerabilities immediately.

• Log, log, log! Enable logging at the highest reasonable level on all internal systems. If there is suspicion of a breach you need to be able to review what happened on the system.

• Develop a comprehensive response policy. Train your employees how to identify and handle suspected breaches. Exercise your response plan regularly.

• Review your cyber insurance coverage to make sure that you are protected financially against losses due to a direct attack or any claims against you from you clients due to a breach.

Security starts at home. If your environment is not secure, your client's networks are not secure.

Photo Credit: JonaThunder

By now, we have all heard that many major corporations are instituting policies allowing workers to continue to work remotely even after the pandemic is declared over. Facebook is allowing employees, whose jobs are conducive to 100% remote work, to work from remotely on a permanent basis. Those that require, at least, some in-office participation will be allowed to work remote as much as 50% of the time. Twitter has done the same. Apple has announced a three day in-office work week. Google and Microsoft are tracking with Apple's policy.

 Regardless, the era of the hybrid office is here. Businesses at all levels are grappling with this issue.

 Organizations pivoted a year ago to enable workers to stay home and remain productive. MSPs rose to the challenge of setting up and supporting the new environment. We, as a community, have enabled our clients to survive and perhaps flourish in some cases over the past year. However, most of us most viewed this as a temporary situation. Things would certainly return to business as usual once Covid-19 was behind us. We now know that is not true.

 Now is the time for MSPs to be having discussions with their clients regarding their return to work policies. In many cases you will find that, no matter the size of the organization, they are taking a similar approach as major corporations.

 So what does this mean for network security and data protection? According to 2021 Remote Workforce Security Report by Cybersecurity Insiders, despite having spent the last year managing a large remote workforce, 79% of organization interviewed are still feeling worried and unprepared when it comes to securing off-premises users.

 So here are a few tips for MSPs as we help our clients navigate the re-opening:

• Don't assume that the infrastructure and protections you put in place in 2020 to support remote work is a permanent solution. Now that you know a portion of the workforce will be working from home networks on a permanent basis, review the systems and processes in place to ensure the home network does not pose a risk. Make sure that there is adequate protection in place to prevent the propagation of viruses or ransomware across the VPN

• Implement a Zero-Trust model for remote access. Employees and remote traffic are granted the very least amount of privileges to get the work done.

• Ensure that home IoT devices (Echo, Google home, Nest, etc.) are blocked from access to the network

• If they have not already done so, make sure EVERYONE is using Multi-factor Authentication.

• Employ strong mobile device management to keep non-corporate applications off the devices (or at least cordon them off).

• Double down on whatever cybersecurity education you have being promoting. With the dramatic increase in ransomware attacks it is more import than ever.

• The concept of the "road warrior", the employee with a significant travel schedule, has existed for a long time. The risks imposed by these individuals have always been understood as they tend to connect to public networks (hotels, airports, clients, etc.) to get their work done. They then return to the office and potentially expose the network to cyberthreats. As such, most organizations made sure these employees were well protected and educated on proper use of the computer. Now, with a large portion of the workforce operating the same mode, we need to make sure the same attention is paid to all employees.

 Finally, most MSP contracts have traditionally excluded home networks from support. Over the past year many MSPs have, understandably, been somewhat lenient on this policy. Again, we all thought this was a temporary situation and, being good partners with our clients, let it slide. Now, with many employees working BOTH from home and in the office, the potential for increased support exists. With the "new norm", MSPs are going to have to formalize their policy on supporting and security home networks on a permanent basis. Do we offer support for home networks and increase our fixed fee accordingly? Add a rider for home network support? Or simply go back to excluding home network support?

 Regardless, we need to be clear with our clients as to what is included in their contract and charge accordingly. Failure to get ahead of this can lead to a "hole in the boat."

 As we emerge from the other side of the pandemic all MSPs will have to work with their client base to determine the proper strategy. There is no right or wrong answer here as we are all in uncharted waters here. Take heart in the fact that it is a level playing field as nobody has yet created the best mouse trap.

Microsoft 365, formerly Office 365, formerly Business Productivity Online Suite (remember that?), has been around for over 12 years. Originally, the online version of the standard desktop apps and an online version of Exchange, MS365 has grown into a much more robust platform offering virtually all of the capability of the traditional on-premises networking experience.

 Organizations are slowly adopting various facets of the MS365 platform, but many have yet to fully embrace the promise of a completely serverless, cloud-based architecture. There can be many reasons for this. Some may be using third party applications that are not adaptable to the cloud. Others may be waiting for their on-prem infrastructure to fully depreciate. Still others may be uncertain of how the architecture will change their office culture.

 Regardless of the reason, the post pandemic world may change the conversation as more and more employees will be working remotely on a permanent basis. While the systems in place prior to the pandemic may have been adapted for remote work quickly to accommodate the immediate need, it is unlikely that they are designed optimally for the long term.

 Now take into account your next wave of new employees. For years we have been talking about the fact that Millennials are reshaping the way we work. However, believe it or not the next generation (Gen-Z, Netgen, Zoomers, whatever you want to call them) is already entering the workforce. This is the first generation that truly knows nothing about a world without Internet. Fundamental to their experience is the ability to simply pick up a device and have access to everything they need to communicate and "get stuff done". The mobile device is virtually another appendage to this generation. The concept of having to load up a VPN and authenticate to some service before they can even begin to work is quite foreign. Ironically, recent studies have shown that Gen-Z is more enthusiastic than their Millennial counterparts about getting into the office following the pandemic (42% or Gen-Z compared to 26% of Millennials in one study). This is likely due to the fact they are in the process of starting their first jobs. They are looking for a personal connection with co-workers to establish new relationships. However, this will not change the fact that we are living in an increasingly mobile world. The new network infrastructure model will need to accommodate both remote and in-office experience seamlessly.

 Most Gen-Zers will be coming on board with experience in either GoogleDocs or Office 365 already. They will be used to collaborating over one of these platforms, Slack, or some other application. They'll even have experience in some cloud-based ERP systems from their experiences in school. Their tolerance with legacy applications and environments will be limited. They may view your organization as stagnant and boring in comparison with others that have adopted the technologies they have grown up with.

 However, you have an existing workforce that you need to be sensitive to as well. Whereas the millennials in your organization will be equally familiar with the newer technologies, older Gen-Xers and remaining Boomers (yes, I am a Boomer so I can say that) may have trouble adjusting to the new way of doing business.

 Whether it is Microsoft Office/SharePoint/OneDrive or GoogleDocs and Gdrive, there is a bit of a culture shift necessary. File sharing is similar but with subtle differences. Those long-reliant on email as a communication tool may find the collaboration platforms to be difficult to get used to. Also, for network administrators maintaining structure and security to the corporate data, a whole new way of establishing permissions must be understood.

 Regardless, this is a shift most companies should be making in the next few years. MSPs will be instrumental in helping their clients make this shift. Here are a few key points in working with your clients in in making this change:

• Start at the top. Get executive or owner buy-in. Make sure they are engaged and actively using the technology as it is rolled out.

• Work with your customers to identify legacy applications that can be replaced by SaaS-based alternatives. An IaaS based cloud server may be required in some cases.

• Focus on the overall experience, not the technology. Emphasize the ability to work from anywhere seamlessly. The office is wherever your device is.

• Incorporate end user education into the program. Make sure that they are properly trained on the new technologies. Make sure that network administrators are properly trained. This includes administrators at the MSP as well as the client.

• Roll out the applications in phases. Perhaps the cloud-based email and file library technologies can be deployed first followed by the collaboration tools.

As the world returns to normal let's not just get back to business-as-usual, let's get to business-as-new-and-unusual.

The past decade has seen a shift in the account management role from that of an inside sales associate to a true strategic partner. Monikers such a Virtual CIO (vCIO) and Technical Account Manager (TAM) have aimed to articulate the distinction. Instead of being in the role of waiting for the client to make a request for a product or service, the role has become proactive where Quarterly Business Reviews (QBR) are conducted to ensure that strategic goals of the client are met as well as the relationship bolstered. Ideally this also helps the MSP retain the customer and sell more services to the client.

 Traditionally, most of these meetings were held face-to-face and perhaps over lunch. Covid-19 changed all of that. In the beginning of the pandemic, many businesses were in rapid transition from in-office to remote working. The strategic discussions were very short term and simply focused on "keeping the lights on" and making sure that the technology could support the new remote workforce and maintain at least some level of productivity. As the world settled into the new normal, our clients have become more comfortable with the concept of transacting business over video calls. As I have discussed in previous blogs, we are now moving to a much more hybrid workforce. Many of us will be working remote, at least a part of the time, perhaps for the remainder of our careers.

 However, as restrictions are eased in most states and offices and restaurants open up we cannot ignore the importance of human contact in our relationships. I am reminded of a TV commercial for one of the airlines 1990 in which a manager discusses the fact that the company lost their oldest customer because "they didn't know them anymore". His team was relying too much on doing business by telephone and fax (this was even pre-email). He then proceeds to hand out airline tickets to his account management team to go out and conduct face-to-face meetings with each one of their clients.

 Although the advent of video technology has improved the ability to convey a more personal touch to our remote meetings, it is still not a great substitute for the face-to-face experience. Many of us are suffering video fatigue. Our clients will truly want to meet in-person as the restrictions are lifted.

 However, in this transitional period, the etiquette of meeting in person is in uncharted waters. Each individual has thoughts and feelings about their own personal safety in any given situation. Those fully vaccinated can now resume life completely (barring any mask restrictions in certain areas), while those not fully vaccinated must continue to exercise the use of masks and social distancing in many scenarios. Trouble is, we don’t know who is and isn’t vaccinated. Many companies will continue to have their own policies on employee-client interaction regardless of CDC or state guidelines.

 The key is to be in clear communication with your clients as to their policies. Likewise, form your own policies with your employees as to what you are comfortable with. Encourage those employees that have not yet been vaccinated to do so (barring any underlying medical circumstances that prevent it).

 Why is this important? Because competitors that are willing to get in front of clients face-to-face (within proper health guidelines) may have an advantage in developing a new relationship with your client. Even at the height of the pandemic I was aware of cases where clients were willing to have engineers and account managers transact business face to face, and the provider's policy would allow for it. However, because the provider simply assumed the client would not want people on site, no in-person meetings or engineer engagements took place. In the meantime, competitors asked the right questions and gained face-to-face meetings. In the end, the competitors won the business.

 I would encourage your account managers to schedule face-to-face meetings within the health guidelines of both organizations as soon as possible. If we appear too complacent with the current mode of video conference meetings, our clients may begin to feel like we don't know them anymore.

In March of 2020 the world changed forever. We went from a typical 9-to-5 work existence to a "whatever the alternative was" at the time. Overnight, businesses had to adapt to a world in lock-down. In an unprecedented shift in both technology and business culture organizations transitioned to a remote workforce in a timeframe never before seen in any of our lifetimes. IT service providers scrambled to help their customers make the change and "keep the lights on". In retrospect, the entire community did an amazing job of implementing remote computing technology and procuring equipment required to support the environment. Between March of 2020 and April of 2020, for instance, daily users of Microsoft Teams rose from  44 million to 75 million. During that same month, Zoom's daily user rate went from 200 Million to 300 million. All of this in 30 days.

We have recently passed the one-year anniversary of the start of the pandemic. With the distribution of vaccines, things are just beginning to return to a sense of normalcy. But the "old norm" will never return. The pandemic only accelerated a trend that was already in play. Millennials (I know they hate being called that)  were already bucking the concept of the traditional 9 to 5 office. While the executive team was struggling with remote work policies and fretting about how they could possibly trust their workers to remain productive if they weren't in the office (trust me, I was on one of those executive teams), the younger folks were ready to go manage their own time efficiently. Fortunately, most organizations had at least a rudimentary remote work strategy in place when the pandemic hit. They had to immediately scale that infrastructure to support the whole organization. For the most part, organizations have been able to survive and get the job done using the systems they rapidly put in place.

But those systems are certainly not optimized for the future hybrid workforce. The same way that the restaurant industry erected temporary outdoor tents and installed heaters to  accommodate outdoor dining over the last year, there is no expectation that those structures will meet the needs of their clients moving forward. Restaurant goers will no longer want to enjoy a dinner wearing their winter coat with a brazier hissing behind them. Likewise, the remote work infrastructure that was put in place to survive 2020 is not going to support the needs of 2022 and after.

It is now widely accepted that many companies that are conducive to remote work will adopt a hybrid work environment. One in which employees would work some days in the office and some from home. Recently, PwC survey revealed that 55% of workers surveyed wanted to work three days per week remotely and only two in the office. Conversely, 68% of the executives surveyed thought that employees should be in the office at least three days per week. Regardless of the ultimate mix of in-office vs. remote work, both groups cite advantages of the hybrid workforce. Workers see the advantages of flexible schedules and work-life balance. Executives see the potential to reduce real estate costs and attract and retain talent.

As companies prepare to bring employees back into the office, they have an opportunity to build an infrastructure that provides the experience workers are looking for and maintain or even improve the company culture. 

As companies rushed to implement their remote strategy there was not a lot of thought put into how best to use some of the tools other than pure survival. Although there has been a huge increase in the number of Microsoft 365 and Teams licenses sold and deployed in the past year, many organizations are simply using Teams as an alternative to Zoom. They are not using the collaboration capabilities inherent in the entire Microsoft 365 suite. Now is the time to invest the effort and energy into developing the collaboration foundation.

Likewise, workers are not going to want to sit in front of their Zoom screens at their desk in the office in order to have a group meeting with a combination of in-office and remote workers. The return of the conference room meeting is inevitable. But the experience needs to be seamless for both in-office and home/remote users. The implementation of "<insert your product name here> rooms" is going to be big business.

Finally, the network itself is going need to be flexible, yet secure. In order to realize the savings in real estate expenses, organization are going to need to reduce overall space. In other words, all employees cannot be in the building at the same time. The use of shared spaces and desks is going to require employees to be able to set up anywhere. PC connections (wired or wireless) need to be dynamic and yet secure. Phones will need to follow the worker between the office and home. And finally, the home networks of remote users will need to be scrutinized. During the pandemic, organizations were willing to accept the risk of a home network connected to the corporate network in return for maintaining productivity. Once Covid is behind us and remote work becomes optional, there will be much more attention paid to the remote environments connected to the corporate network.

The next few months will reveal a lot about what the "new normal" will look like. For Technology Service providers this creates a huge new opportunity to help their clients make that transition. This time, however, it can be done in methodical and organized fashion.