With everything that happened in 2020, it can be tempting to leave it behind and never look back. However, while 2020 brought significant stress, grief, and uncertainty to many, it also introduced unprecedented changes into the business world that we can’t afford to ignore.
As we look to the year ahead, it’s important to take stock of what happened, what we learned, and how we can better equip ourselves to progress and compete in a fast-changing market in 2021. We’ve compiled the six topics we found businesses were most concerned with in 2020 and provided relevant resources for each, including some of our most-read blogs and case studies, to help you prepare for 2021.
- End-User Security
- Disaster Recovery
- Azure Active Directory
- Project Management
- Working With MSPs
- BONUS: Executives Get The Security Message
A defining factor and international common denominator of 2020, the coronavirus pandemic drove changes that reshaped business as we know it. Social distancing drove a fast and widespread work-from-home initiative, and remote and hybrid-remote work have become the new normal.
In the first half of the year, businesses went into survival mode, and anybody who could spare a helping hand reached out. With most of its internal systems already remote-ready, ZAG was fortunate enough to find itself in a position to help. In May and June, we donated 100% of our available resources to non-profit, education and healthcare organizations pro-bono.
Pro Bono Community Outreach
We set up wireless infrastructure at DigitalNEST’s new technology center in Salinas, California. DigitalNEST is focused on integrating technology education into the rural communities of Watsonville and Salinas. With a ZAG office located in the region, we also assisted the Gonzales Unified School District to improve education outcomes in Monterey County. We worked on GUSD’s Active Directory instance, along with the creation of a Restore VM.
The San Jose-based Law Foundation of Silicon Valley (LFSV) needed help with technology strategy. We also delivered a review of common IT security considerations to help the organization take a modern approach to the security of client information. Another community non-profit we helped was Oakland’s East Bay Community Foundation. Our work focused on their communication and collaboration platform, integrating Microsoft 365 while delivering technology strategy consulting to provide best practices to incorporate M365 into their employees’ workday.
Last but not least, we helped Sky Island Alliance in Arizona better leverage existing Microsoft solutions in their day-to-day work. With COVID-19 forcing their team to work remotely, we improved their use of Microsoft Teams, while also optimizing their SharePoint instance.
Read about our pro-bono work and the organizations we assisted on the links above.
In late April, the economy in the United States started to reopen, causing massive uncertainty among American businesses. With the move arose several questions that were unprecedented for the business arena, like “should I retain my employees’ physical temperature data?” All of a sudden, non-healthcare businesses faced HIPAA compliance issues and found themselves making health-related decisions they hadn’t previously considered: who could come into work, and who should stay home? This was the topic of one of our most-read blogs in 2020.
To help businesses navigate this new, vital frontier, we also developed a Health Check App for checking and recording employee symptoms before they enter the office. The app is still available – learn more about it here.
Even after businesses began reopening, they weren’t all rushing to get everyone back into the office. Now, if you’re doing business as usual, odds are you’re doing it wrong.
We found that the pandemic forced many businesses into a model that had the potential to be more profitable and productive than their pre-pandemic environments. While most businesses are still in remediation mode (remote device security, data retention, and business continuity remain issues), having the options for remote and mobile work grants them the flexibility they need to cut overhead and optimize their workflows.
For many businesses, the sweet spot is a hybrid-remote model. Rather than having all employees work remotely 100% of the time, companies can turn to hybrid-remote models that strike a balance between a fully distributed workforce and a fully on-site strategy.
With the adoption of remote and hybrid-remote work came questions around getting them to succeed. We find that a few key changes make a significant impact on your employees’ engagement, productivity, and morale:
- Overcommunicate. When not everyone is in the office, it’s easier to let regular communication lapse. However, camaraderie and collaboration are what keep employee productivity and morale high. Don’t forget to reach out to employees and overcommunicate when it comes to both work-related information and the pleasantries that keep people connected.
- Adapt your management philosophy. Hybrid-remote models don’t work without employee trust. If your employees have the tools they need, trust them to use them effectively and choose the work mode that best suits their tasks and needs (in some cases, in-office work or in-person meetings may still be the answer). Hybrid-remote doesn’t eliminate the face-to-face; it creates flexibility for employees to choose the mode that works best for the tasks at hand.
- Prioritize secure collaboration. Collaboration tools are critical to hybrid-remote work’s success. Now, when entire workflows take place virtually, collaboration tools need to do more than facilitate basic messaging and calling; employees need tools that allow them to file-share, schedule, brainstorm, work on projects, and essentially manage their full set of tasks remotely.
Further, as hackers increasingly target remote environments, businesses need to make sure their collaboration tools are secure. At ZAG, we typically recommend Microsoft Teams. It offers chat, scheduling, file-sharing, calling, and document collaboration in a single-pane-of-glass view. It’s also a leader in collaboration security.
- Do your research on tools. We found some providers (like Zoom) reported misleading numbers to stretch their success stories in 2020. Don’t believe the hype at face value; do your homework before investing in a tool and engage with your IT team or provider about solution roadmaps.
- Delegate and look to the future. This new environment can identify new leaders. Look for those who thrive in their hybrid-remote environment, and don’t shy away from delegating tasks and decision-making to them.
With hybrid-remote work came an increased need for end-user security. As employee supervision decreased, businesses needed new ways to ensure employees understood security parameters and followed them appropriately.
The latest NIST password guidelines suggest that we move away from enforcing upper/lower, alpha/numeric, and special character combinations and simply use a phrase that is easy to remember but impossible for someone else to guess. Phrases of randomly strung together words (not sentences) such as “DogStatueSunnyConcert” are proving to be far more secure. At issue is that many people still use passwords that are easy for them to remember and are therefore easily compromised. Worse, the same passwords are often used across personal and corporate account logins.
Email security was a critical concern for businesses in 2020. Remote work requires employees to make more decisions without direct supervision, and many businesses fell behind on their security awareness training when focusing on transitioning to remote work and keeping their business up and running. This caused an upswing in email-based cybersecurity attacks. In fact, 22% of data breaches in 2020 involved phishing attacks.
The following were our most-read articles covering email security:
February to March saw a 667% increase in phishing attacks, and 71% of data breaches are aimed at stealing a company’s money. One of the increasingly popular phishing attack methods is duping employees into completing ACH transfers. This blog covers ACH phishing attacks and how to guard against them.
Office 365 compiles lists of safe senders and blocked senders for your entire organization. However, many employees don’t realize that making changes to these lists can have organization-wide effects. For example, if an employee marks a sender as safe, this can override the organization’s spam filters. Learn how Microsoft’s filtering works and how to avoid common mistakes in the full article.
Phishing attacks are designed to target mass groups of people, and spear phishing attacks target specific people. Because phishing attacks generally cast a wide net, they aren’t able to home in on each target and are therefore more generic and easier to detect than spear phishing attacks. Spear phishing attacks, on the other hand, have far fewer targets, but spear phishers research each target and craft messaging designed especially for them. This makes the attacks generally harder to detect and protect against.
DMARC, domain-based message authentication, reporting and conformance, is a great defense against spear-phishing and stops many of the most common attack methods. It is also a free service; however, implementing DMARC should be done conservatively and with a watchful eye since it presents a high risk of false positives. CEOs and CFOs should ask their IT team or managed service provider today whether they have DMARC enabled or not.
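One way to answer the "is DMARC enabled, and how far along is the rollout?" question above is to read the domain's published DMARC TXT record and classify it. The following is an added example, not ZAG's code: the records are constructed samples for example.com, the function names are hypothetical, and the tag names (`p`, `sp`, `pct`, `rua`) are those defined in RFC 7489.

```python
# Added example: classify a DMARC TXT record by rollout stage (tags per RFC 7489).
# SAMPLES are constructed records for example.com, not real DNS data.

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Report the rollout stage and anything that would hide false positives."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"stage": "absent", "findings": ["no valid DMARC record"]}
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return {"stage": "invalid", "findings": ["missing or unknown p= tag"]}
    findings = []
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # unparseable pct: treated here as the default of 100
        findings.append("pct is not a number")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    if policy == "none":
        stage = "monitoring"
    elif pct < 100:
        stage = "partial enforcement (%d%% of failing mail)" % pct
    else:
        stage = "enforcing"
    return {"stage": stage, "policy": policy, "pct": pct, "findings": findings}

SAMPLES = {  # constructed records
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "ramp": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "blind": "v=DMARC1; p=reject",
    "spf_only": "v=spf1 include:example.com -all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, assess(record))
```

A record that enforces `p=reject` without a `rua=` address is the case to watch for: legitimate mail that fails authentication is rejected and nobody receives the reports that would reveal it.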
The move to remote work also prompted businesses to revisit their disaster recovery plans. These were the top-consumed articles around disaster recovery:
This article covers Business Impact Analysis (BIA), Restore Point Objective (RPO), Restore Time Objective (RTO), traditional backups, continuous replication, and hardware replacement. This is a great overview article for businesses starting out or looking to shore up their disaster recovery strategy as a whole.
We dove further into the mechanics of disaster recovery planning by breaking down two common disaster recovery KPIs: Restore Point Objective (RPO) and Restore Time Objective (RTO).
RPO measures how much data is lost as a result of a disaster event, and how much time we can afford to have between the creation of backups. RTO measures how much time it will take to get back up and running from a disaster. This metric is just as important as RPO because this tells you how long the business will be without IT services. The full article also covers how to use RPO and RTO in your disaster recovery plan.
It’s not if, but when. When it comes to disaster recovery, think of a disaster as inevitable and plan accordingly. In this article, we cover how to create a runbook, testing procedures, and recovery procedures in detail.
Microsoft Active Directory
Active Directory is a universal platform for managing and securing identities and remains the backbone of many organizations’ information technology systems. Our Active Directory posts continue to be popular, and these were our top Active Directory articles and tips people read in 2020:
Starting with a solid foundation is important. Start with this checklist of AD best practices:
- Rename Local Administrator accounts
- Remove unnecessary users from Local Administrators group
- Remove unnecessary Domain Admins, Enterprise Admins, and Schema Admins
- Use dedicated Accounts for Domain Admins
- Deploy LAPS
- Enforce Password Policies
  - Password changes forced
  - Password settings
  - Password length
  - Password Timeout Policy
  - Password reuse
  - Password security
- Are Administrator Accounts Tiered?
While we could write entire volumes on the best practices to follow within Active Directory environments, we suggest you focus on administrative rights because these are very much the “keys to the kingdom.” Our post on Active Directory admin security best practices was one of our most popular. In a related article, we also shared how to manage Local Administrator Account Passwords in Active Directory.
Poor Active Directory maintenance, such as retaining stale, out-of-date data, can lead to intermittent and difficult-to-diagnose issues within your environment. This article covers these five best practices for clearing out stale data:
- Migrate SYSVOL Replication to DFSR
- Update the Active Directory Functional Level
- Decommissioning Servers and Accounts
- Use Organizational Units
- Schedule Active Directory Maintenance
Helping Monterey County’s Gonzales Unified School District was one of our pro-bono projects during the coronavirus pandemic. Our work focused on Active Directory and creating a Restore VM.
With so much change to the status quo in 2020 (many of us consider it a “reset” year), we found many businesses reconsidering their approach to business fundamentals, like project management. Hybrid-remote work and increased technology use and complexity are prompting new project management techniques and philosophies.
IT projects are interesting project management cases, as they are almost always part of a larger project. To help deliver consistently outstanding results, we recommend project managers keep the client’s expected outcomes in mind. We’ve outlined these helpful steps for project leaders:
- Ask your client to explain their entire project, from business benefit to costs to schedule.
- Tell your client’s story to your team to get them invested in a successful outcome. Give them a sense of why the project is important, who the other vendors involved are, the total cost, and the overall implementation schedule.
- Prioritize the project outputs crucial to successful outcomes; make sure to schedule and resource these first.
Learn to avoid late and out-of-budget projects and recognize common contributors to delayed completion times. In this article, we dive into the top methods for keeping projects on time and on budget:
- Manage to the project scope.
- Cultivate executive sponsor engagement.
- Shift priorities where needed.
- Understand and monitor resource availability.
Despite all the collaboration tools at our fingertips, we still sometimes undervalue communication. Why do we do this, and how can we improve communication in our organization, whether remote, hybrid-remote, or in office? Read our answers and analysis in the full article.
Working With Managed Service Providers
For those who were not prepared, the shift to remote work was a heavy lift for IT teams, and some businesses found their MSPs weren’t up to the task this past year. For businesses that suspect they could be getting more value out of their MSP, we’ve outlined 3 signs it might be time for a new provider.
At ZAG, we hold ourselves to a rigorous set of standards (we have more than 200 written information technology and business continuity standards) to ensure we provide strategy, value and outstanding service in every engagement. Learn more about our IT standards in this post.
The Year Executives Took Security Seriously
The biggest technology news of the year was the dramatic increase in security incidents targeting government and corporate networks. From the SolarWinds hack that did as yet untold damage to the security interests of the United States, to cybercriminals targeting hospitals and schools, it seemed that no organization was exempt from hacking attempts. Those are the publicly disclosed incidents, and you can assume all industries were targeted.
As the year progressed, we saw the security posture of many companies change. CEOs and CFOs started looking at IT as less of a cost center, realizing that information technology is now front and center in securing the operational stability of their business. We also saw some CEOs whose companies were involved in security incidents share some details within their industry’s business community. This makes good sense when we realize we’re under attack and that we are “stronger together.”
It is difficult to overstate the importance of these changes. Where once security conversations were placed in the “it’ll be all right” category, the C-suite now wants to know whether they are vulnerable. It’s sobering for them to hear, “of course you are.”
The IT security industry has been moving to an anomaly-based approach to intrusion detection using AI and machine learning for some time, and this was the year where corporations got the message and caught up. The big players like Microsoft and Cisco delivered improvements to existing solutions, while startups like Arctic Wolf saw significant interest and growth (backed by massive venture capital investments to prove the point).
Much of the content published on the ZAG blog this year either discussed security or had an underlying security theme. Indeed, security is a recurring theme in our ZAG Standards, a uniform approach to ensuring the stability and security of your IT systems and the continuity of your business.
Looking to the year ahead, executives will move beyond understanding to actually commit the necessary financial resources to securing their business. We also expect to see more CEOs take business continuity seriously.
For those readers outsourcing part or all of their information technology services, we will leave you with a thought about how you might like to view your partners in 2021. There’s a saying that “every company is now a tech company.” Well, similarly, every managed services provider is now an IT security company. Just as 2020 was a reset year for many companies, 2021 will be the year where American business gets on the front foot, secures their information technology systems, and leverages IT as a competitive advantage. We wish you every success!
We believe that IT can be a competitive advantage for every business. We start by understanding your business objectives, and then enable IT to become a driver of your success. We do this by surrounding your business with ten core capabilities & competencies, backed by more than 200 standards & best practices. If you need help managing and securing your IT, augmenting your team, migrating to the cloud, creating disaster recovery and business continuity plans, or simply getting an IT project over the line, reach out and start a no-obligation conversation.