EXP Technical recently hosted a FREE webinar: Collaborating Remotely and Safely In A Changed IT World.
Tony Lesirge:
Welcome everyone this is Tony Lesirge with EXP Technical and thanks for joining us today for our webinar on “Collaborating Remotely and Safely in a Changed I.T. World.” I hope everyone's well and surviving these “interesting” times we're living through.
There are still people joining but we are going to get things started…
Today's presenter is Pat Cooke, one of our principals here at EXP Technical. Pat leads our security practice, among other things, so he's well educated on one of the key topics for today. He's a CISSP, which is the sort of de facto I.T. security certification in the industry, and he also led a large healthcare organization as CIO for a number of years.
Today's presentation we think will last about 30 to 35 minutes. We will be taking questions during the presentation and afterwards. And we'll leave time afterwards for that.
In your Zoom app you should see down the bottom a "Q&A" section. We're going to be using that, not the chat. So please use the Q&A if you have questions. As I said, we'll try and answer them during the course of the webinar, but we will save some towards the end.
So without further ado, I'll hand it over to Pat.
Pat Cooke:
Thanks, Tony! …Appreciate the introduction! Good afternoon everybody. Thanks for taking the time to join.
The agenda for this webinar is as follows:
So what's the reality in this strange world that we're now living in?
Lots of people are working remotely. It was pretty amazing, I think, to us, that people were able to flip so quickly here (in Washington at least: early March) from full offices to working at home. It happened relatively smoothly. We helped a lot of people iron out the kinks and get things going properly. We were also able to help people by giving them access to our remote access software, which I know helped a number of firms out. So we were glad to be able to do that at no cost.
So there are several security implications in these times. There is, of course, a wider computing footprint.
You know, the work computers are still turned on, but you've now got approximately the same number of home computers, which are a less controlled environment. They may not be patched. They may not have antivirus, etc. Now the I.T. staff, and outsourced I.T. like EXP, need to think about what the platform is, how far it extends, and how to control that.
There's, of course, heavy use of virtual private networking and remote desktop technologies, which have their own risks. Bandwidth is becoming, you know, a real commodity, both at home and in the office, when you've got people coming in through the same pipe, etc.
So a lot of our clients have actually been upgrading bandwidth at home and at work.
And collaboration implications! You know, there's nothing like in-person contact for communication. A lot of stuff in the office is sort of heard over the partition. That goes away.
And there's a greater use of e-tools, and a need for a greater use of e-tools. We'll talk about what some of those might be later in the webinar.
Before we go into the security and collaboration, you know, we are a Microsoft partner. We don't really make money from selling software. There's a bewildering array of subscriptions out there of various different capabilities and costs. We firmly believe that the one that I've highlighted here is the best for businesses. It's Microsoft 365 Business Premium. And this is the caveat: being under 300 users, which I'm guessing most people on this call are below.
The main reason for that is that, as well as everything else, you get a lot of really good security tools and management tools, and these were tools that were not really available to small and medium businesses until now. I see that as one of the biggest benefits of the cloud computing platform: the availability of these tools. We'll go into more detail on them, but there's a lot of security (advanced threat protection, encryption, and conditional access, which we'll talk about later) and a lot of management capabilities within that.
We take security very seriously here and we're trying to make sure that all of our clients are protected. That's a challenge, because we have a lot of clients, and some of them are sort of what I call "infrequent use clients": they just use us when they need us for help with something that's gone wrong.
We feel that we need to make sure that everybody, regardless of size, is protected. We came up with a hierarchical matrix of security baseline items. We've got basic, medium and high. It's cumulative, so everybody…
Basic: everybody should have basic; smaller clients up to 40 or so [employees].
Medium: clients around 40 and up.
High: regulated clients. These are people who have, you know, health care data, defense or ITAR [International Traffic in Arms Regulations] data, SEC, or deal with European citizens, etc. (GDPR), and there's also the California Privacy Act now. Of late we've seen a lot of clients, a lot of new clients, with supplier data protection requirements. Suppliers of ours, like Microsoft, are mandating that their vendors meet certain security requirements. And we've been helping people with that quite a bit.
So how to secure the home environment as best as you can…
First of all, I think it's worth having a policy or a section in your company manual that talks about the sort of contract for remote use. Obviously, it's an uncontrolled environment in most cases, but you should have a minimum standard just like you would have at work.
So out-of-date operating systems? Not a good idea! We would suggest Windows 10 or macOS 10.13 plus as the minimum home operating system. Most people have Windows 10. If they don't, it's fairly easy to upgrade or buy a new PC.
Most of the Office 365 subscription levels let you load Office at home. You should check your actual home-use rights through your subscription, but in most cases, if you don't have the latest version of Office, you can put that on your computer at home without violating the licensing agreement.
Not everybody has antivirus/anti-malware at home. That's really important! A lot of our clients use our subscription-based Webroot antivirus/anti-malware. It's affordable. It's good. You might consider extending that to your home user computers if you wanted to be safe, or at least encourage them to have a third-party antivirus. We really don't believe that Microsoft Defender is fully adequate. We would recommend that you have something a little bit more powerful, and more targeted towards the evolving threat environment.
And patch management's fairly easy to do. Just run Windows Update at least monthly. It can be scheduled. But it's important to do that, even though it's a pain when you have to restart your computer and it takes 10 minutes to load the patches.
A product called Microsoft Intune, if you have it as part of your subscription, can help with the management of remote computers.
Security: Top Threats
So, to talk about security: the attack types and vectors haven't changed that much, but the intensity has increased during this pandemic. Phishing, spear-phishing and ransomware, all coming in by email, are still the top threats.
Phishing: very broad.
Spear-phishing: very targeted. They actually know who they're trying to get at. They're often trying to hijack invoices, or have money wired.
We've seen some really ugly ransomware attacks recently. We had a client (it wasn't one of our clients, but it came to us for remediation) where every computer in the organization was encrypted, as were all the servers. And they had actually deleted all of the backups! So it was very, very disruptive and an ugly attack, and I'll talk a little bit more about how to protect best against that later.
So this list is ranked, I would say, in terms of how to improve security. If you've attended prior EXP webinars you've heard this stuff before, but it's worth reinforcing.
So just to go through those…
"NIST" is the National Institute of Standards and Technology. They provide a lot of guidance for security for the federal government, and that passes on to the business community in general. They have changed their guidance on passwords of late. They are recommending that you do not have complexity requirements, as in numbers, characters, etc., and that you do not expire them. The reason for that is that people were essentially writing them down and keeping them in spreadsheets and stuff like that, and that was counterproductive to security. So we recommend 64 characters… Obviously you'd be typing a lot every time you wanted to log in. We recommend 10 to 12. And we recommend passphrases over passwords. They're easier to remember, and they're much more secure.
So if you have essentially a sentence, you can put spaces or not, whichever is your preference. I recommend that you have a standard of capitalizing or not capitalizing that's consistent amongst your passwords. And of course, don't use the same password in different areas.
Office 365 has self-service password reset at some of the subscription levels, including the one that we were recommending, Microsoft 365 Business Premium.
And you should also check against lists of known passwords. There are a number of different sites that will do that for you. You can check online at haveibeenpwned.com. It'll tell you whether your password has been compromised or your account has been compromised.
We do recommend the use of password managers. These days Keeper's a very good one. LastPass is probably more commonly known. Those are two good ones for managing passwords.
And of course, if there is an organizational incident such as a serious breach, you should have everybody change their password, even though it's not that much fun!
So there's a certain amount of a false sense of security with Microsoft Online. Everything is backed up, but it's limited, and the restoration is not as granular as it needs to be in a lot of actual real-world situations.
So you get up to three months with SharePoint, Teams and OneDrive through the recycle bin; 14 to 30 days for Exchange Online. If you go to restore something, it's not going to be pretty. Trying to restore a particular mailbox folder, etc., is not easy.
We recommend Dropsuite, which is three or four bucks per user per month for Office 365 backup. Of course, if you're in a hybrid environment you'll have on-premises tools, but if you're cloud-only I think that Dropsuite is a good one, and it's not that expensive. It also has archiving.
A couple of questions just came in.
Microsoft E5? Yeah.
The question was: is Microsoft 365 Business different from the E5 license with the advanced security features? You pretty much get the same features there, but with E5, the reason you probably have that is because you're using Voice and they didn't have the Business Voice license, I think, at the time that you deployed. But the same features are there in the E5 license.
The other question was: What do you think of the password generators and stores in Google Chrome? I would tend to use a third-party product, just because of essentially not having all your eggs in one basket. But it's certainly better than nothing. And it's free!
So Dropsuite will let you restore at the folder, file, or even individual email level, and it's also got archiving at the four-dollar level. So it can help with your retention policies, etc.
A note on separate security for backups: if a domain admin account is compromised, the attacker can possibly delete all your backups in the event of a ransomware attack. With that in mind, you should have either a second-level password or a non-Active Directory / Azure Active Directory account to access the backups, just so that if they do compromise the main admin account, they can't change the password and get in there and delete backups, because that's what they'll try to do.
We are a little bit of a broken record on this, but it's really important. It's the number one defense against account compromise, which is what we're seeing all over the place. The idea is: it's something you know (as in your password or passphrase) plus something you have (a token, or an app on your phone with a one-time password), or biometrics, etc., which are less common these days.
It's mainly via the authenticator app on the smartphone. It's really not that onerous; it can be dialed in to the point where it doesn't ask you on certain devices, or caches it for 14 days or whatever. There are a number of settings involved with it, but it looks just like this screenshot here, where basically you're approving a sign-in. And I would say 19 out of 20 incidents that we've seen would have been prevented by multi-factor authentication.
Yes, it's another nuisance thing you have to do, but think of it like your bank accounts. You probably want to have MFA. Most banks offer two-factor authentication these days. So it's really important. And we will help you roll it out. It's relatively painless to roll out, and it's included with all of the Microsoft Online subscriptions.
And conditional access, which is a feature that's part of M365 Business Premium and the advanced security, etc., has some really good tools to help you roll that out smoothly. It can also only ask for it on certain devices, at certain times, and in certain geographical zones and stuff like that. Just about any sort of policy that you can think of.
Security awareness training: really important! The human being is generally the weak link in the security defense line. We recommend at least annual training for all employees, and on hire, so that when somebody's hired, before they sit down and use the systems, they've had some level of training. The big focus is still on email hygiene: not clicking on inappropriate links, checking links whose URLs differ from what they pretend to be, recognizing a good link and a bad link, and just being very cautious about entering account details.
The number one method for account compromise is a phishing email that asks you to change your password or to log in to Microsoft or somebody like that. And it's a fake! It's a fake website, and they've got your password at that point. Again, multi-factor authentication will stop that. You'll probably get a request for a sign-in that you did not initiate, and you'll know that your account has been compromised, and you can change your password, etc.
We have free training available online on our website. If you go to our blog section and search for it, it's about 20 or 25 minutes. Tony did it. And it does a good job of covering the basics of email hygiene, etc.
More is better, of course. I'm available to provide in-person (well, these days probably remote) training at a company meeting, etc. I do that all the time. If you're having an all-hands meeting I could spend 30 minutes just going through a security training slide deck and then answer questions as well. That's billable, of course, but I'd be happy to do that.
And we can leverage Microsoft resources as a Silver partner. We can get you in touch with people at Microsoft who will do training, and it's actually really good; they really know their stuff. It's a little bit generalized, but some of it can be somewhat customized, and they will do Teams training and Office training for free. If you want to know more about that, please let me or Tony know and we can put you in touch with some of the Microsoft trainers.
As I mentioned before, now we've got approximately double the devices in most situations, and device management and application management have become really important.
It's not typically available with the lower subscriptions, so again we're encouraging people to go with Microsoft 365 Business Premium. It comes with Intune, which is a device and application management platform.
It's all policy-based, so once a computer or a device (it could be a phone or a laptop or a home computer) is registered or enrolled with Intune, you can then do stuff with it, or insist that it have certain attributes before it connects, if the user authorizes it or I.T. or management authorize it. You can also wipe devices, which can be valuable if a device is stolen or lost. And you can manage corporate applications like SharePoint, Outlook, Office, etc. on devices, whether they be iPhones or laptops. That's useful when people leave, or again, when things get stolen. You can wipe the data that's on those devices pretty easily.
There's a huge, huge depth of things that you can do with Intune.
Conditional access essentially lets you apply policies based upon scenarios. For example, you might not want multi-factor authentication on your office network because you feel relatively safe there, but you might want it off-network. It can do that. It can do geo-blocking, as in: do not allow anybody to log in from outside the United States or Canada. You can define policies as to what makes a risky user or what's a risky login, and ask for secondary authentication in that scenario. And as I mentioned, you can have device compliance policies, which would be something like: do not allow a device to connect to the corporate data if it's not above a certain patch level, or a certain operating system level like Microsoft Windows 10, etc.
It's really important to look at what's going on. You'll be surprised if you look at your Office 365 authentication logs: you will see people trying to log onto your network. I'd be very surprised if you didn't.
If you're at the basic level, have your consultant look at it quarterly. More is better. Medium should be at least monthly, and if you're a high compliance client somebody should be looking at it weekly, in our opinion.
This is all a la carte, but these are our recommendations.
It's really important to look at firewall logs and authentication logs in Office 365. If you've got a large network you should have something that will keep track of failed logins, etc., and access to different parts of the network.
A lot of people have this, but some don't. The company I was talking about with the big ransomware attack did not have it in that situation. We recommend that everybody have it. The level of course depends on your risk [tolerance], what sort of data you store, and how you store it. And there can often be a reasonably high deductible. That could be twenty thousand dollars, but bear in mind that if there's a serious breach with forensics, etc., once the lawyers get involved and the forensic security analysts get involved, it's easy to get up over $100,000 in terms of the bill for just that! And then remediation is more on top of that.
If you have large corporate clients… We have some clients where, for instance, 50 percent of their business might be with Microsoft or Google or somebody like that. If you have a breach that's reported and makes the news, or involves client data and you have to tell them about it, they may drop you as a client, which would be devastating to a lot of smaller businesses. So we recommend that you get reputational risk coverage, if possible, that will essentially give you some money for lost revenue when you lose business through reputation loss or brand loss. We can help, and we often do. We can help you review the appropriate coverage and make sure you're not paying too much or not getting too little coverage.
So moving on to collaboration and productivity…
You know, things have changed forever. I would say you should do your best as business owners. If you're a business owner, make sure that your employees at home have good equipment: large monitors, decent webcams, etc.
It's a different work environment. The flexibility is inherent in the home. Remote working people have kids, etc. They very often can't do an eight-to-five day, but it might be seven till ten at night with gaps in between. So understanding that is important. Some tools that we are seeing as very useful in collaboration:
Microsoft Teams. Most people on the call will have heard of that.
Forms and Power Automate. Smartsheet is another product that I think is very good for company-wide project and task management.
And of course, with the lack of in-person contact, e-signing is becoming very important.
So what is Teams?
You know, it's a little bit simplistic to call it "social media for business," but that's sort of what it is. If anybody's familiar with Slack, it's a bit like that. It separates essentially internal communication, for the most part, from your email stream.
Email gets really polluted, or is really polluted these days, and Teams has got better context. So if you want to talk about a document, you can have the link to that document right there in the chat and the posts, etc. It's got chat/instant messaging, which is really valuable for quick ad hoc communication. Also online meetings and file sharing.
Microsoft is giving this a lot of attention. They really want to dominate the collaborative business environment and the meeting environment. They want to beat Zoom.
I think they will, because they have such a footprint, so they're putting a lot of development resources into Teams.
It's great for internal project communication. A lot of our clients keep all their files in the file system because they can be architectural or engineering companies, so it doesn't work as well in that environment, but for those who have files in the cloud, it's really good. And you can have external users. But be careful!
It's also got a really good phone system that you can essentially integrate into Teams. A little bit more about that in a minute.
So a Team is built in layers. It's got an Office 365 group, which is a shared mailbox. It's got a SharePoint site, or SharePoint sites, if you've got channels or private channels, for documents, OneNote, and lots more. Very easy to use, and most people, especially millennials, etc., take to it very quickly.
So you can access your groups through Teams, but also through SharePoint and Outlook, and there's external access, you know, from a security point of view.
I'm a bit cautious about external access, so I like it to be controlled, but within Teams you can set your external sharing settings to the level that you feel comfortable with. And you can very easily share and collaborate on documents with external parties.
If you're a regulated or controlled company, or have a lot of personal information, I would be very careful about what you shared that way, but if you manage it well it can be very powerful, and you can also chat with users in other domains, etc.
So a recent Teams use case: about a 20-user law firm. They have about 60 active cases at one time. So rather than creating 60 teams, we created 60 channels within one team. You can have up to 250 active at any time. Channels are sort of sub-teams that segregate the communication and the files, etc. Then a firm team, and then an archive team for cases as they go offline. And we recommended in this case, because they had a lot of personal data, that they kept external sharing separate just for safety.
Wherever we've implemented Teams Voice it's actually been very popular. It is really nice. You can make and receive calls on any device.
Here's some pricing on it. It's not inexpensive. Non-profits should be able to get this for quite a bit less. It is about 20 bucks if you want the full deal, on top of your twenty dollars for the Business Premium, which I'd recommend. So that's about forty dollars per user, which is not insignificant, but it is a good system. We use it ourselves and we like it very much. And as you travel you can receive calls on your phone over wireless through Teams; it gives you a new number, a dedicated number, etc. If you want to learn more, just reach out to us and we'll give you a more detailed presentation.
Forms: I've seen a number of clients just pick this up and use it themselves. For instance, a lot of people have to do the health checks, and Forms is a good way to collect data for that. It's very easy to use and will essentially collect responses; the questions, etc. can be completely customized. So it's essentially like a survey tool. But it can be quite powerful when you use Power Automate to do stuff with the data that you collect, for instance, send emails if somebody has a certain response in a health check, etc. We've seen people pick this up and do it themselves; it's not that hard, but we can help you get started if you want as well.
Smartsheet: not a Microsoft product, a competitor, but very good.
All they do is this ad hoc project collaboration. And you can do Smartsheets of various different types. It's fast. It's inexpensive. One thing I really like about it is that if you have a project portfolio and you wanted to have a global view of them, if you set it up correctly you can have that task completion, etc. roll up to a company dashboard. So for instance, if you had 20 projects going with the same type of tasks in each of them, you could have a global company-wide overview of your completion and your workload. And that can help with resource planning, etc.
E-signing: the biggest ones are probably DocuSign, Adobe Sign, Authentic. You can integrate them with SharePoint and CRM so that within SharePoint you would have a button that is, you know, "get signatures," etc. That can be a pretty powerful way to do it. If anybody's been watching the stock market, these e-signing companies' stocks have gone up quite a lot because it's part of the "new normal," essentially.
So, office of the future: we have a number of clients who are not going to go back to the office. They've decided that they work just fine remotely and don't need the expense. It's certainly worth considering.
I think it will be the minority of companies that do go 100% remote, but it's certainly worth considering and perhaps spending that rent money on tools. You can still have in-person get-togethers once things clear up, but you can use a hotel or whatever for that.
One thing that's certain is that the ability to flip to 100% remote needs to be flawless and secure. We got a very good practice run there in March. Once things do get back to normal, as I believe they will, that needs to be tested and in place so that it can be really just a flip of a switch for everybody to work from home, which in most cases it was. But some of our clients needed help.
A move towards low-touch, voice-enabled technology: voice enablement has been around for a long time. We might see internet-of-things stuff: automated wellness checks, distance monitoring, etc.
And really going back to cybersecurity, it's wherever you are, whether it's in a cafe, at home, or at work. Cybersecurity: there is no perimeter anymore. You really, really need to have tools that extend to all devices, in all situations and locations.
Virtual desktops is a technology that's been around for a while. Essentially, your desktop is hosted in the cloud. You can host it on your own infrastructure, but it's quite expensive and complicated to manage. But it would mean that if you were in the office or at home or really anywhere, you could get to the exact same desktop that you would have, and the computing is at the back end in the cloud.
So, for instance, if you use AutoCAD or one of these resource-intensive applications, you could use it on any computer regardless of its capabilities, because the graphics and the memory and the processing are remote. All you're seeing is a virtual representation of the desktop.
So please ask questions through the Q&A, and we'll give some time for that. Then we'll have the giveaway.
So there was a question about security being iOS compatible. I assume that was about Intune and conditional access…
Yes, it is iOS compatible, and it manages Macs, iPhones and Androids, as well as Windows PCs, etc.
Tony Lesirge:
Pat this is Tony back on the line. Maybe we can just recap some of the other questions while we wait for others to come in.
The first question was, essentially, "What's the difference between Microsoft 365 Business Premium and Office 365 E5?"
Pat Cooke:
I'm pretty sure... It's too complex to keep all that in my mind, and Tony can chime in. But the advanced security, as in advanced threat protection, encryption, Azure Active Directory P1, a lot of features are… It's pretty much the same. Most of our clients do not need E5 unless they are using Voice. Am I correct in that, Tony?
Tony Lesirge:
Yeah. I mean, there are some advanced features that aren't included in the Business Premium offering. It's more like a subset. But for most of our clients, especially all of those under 300 people, I would say that Business Premium is going to give you pretty much everything you need.
Pat Cooke:
To us, it's sort of the sweet spot. E5 is pushing 40 bucks, I think. You get just about everything that you will need. Again, you've got to be careful of the 300-user limit, but most of the people on this call, I doubt, are even close to that. So it's a pretty good recommendation, I think. And it is a bit of a, you know, "Every dollar per month counts!" Going from $12.50 (I'm guessing most people who are not on Business Premium are on the $12.50 a month subscription), an additional $7.50 is not insignificant if you multiply it by the number of users. But we really believe it is worth it.
A couple of other questions came in there:
“Can we get a copy of the presentation to share with other team members?”
Yes. It is being recorded, and we will send out a link a few days after this webinar. We'll also put it on our website. So yes, we will give you a copy of it. If you would just like the PowerPoint, we can post a PDF as well.
The other question was: a recommendation for VPN for laptops?
Very much depends on your firewall environment at work, if that's what you're connecting to via VPN. Usually the VPN client comes with the firewall. We recommend business-class firewalls. I would say 90% of our clients use Meraki or WatchGuard, and both of those have their own VPN software. I do recommend, if possible, multi-factor authentication for VPN. Then there's something like ExpressVPN; it depends what your goal is. If your goal is to protect yourself on public networks, something like ExpressVPN is not bad. You can also mask your location, if that's important to you. I use ExpressVPN myself, mainly to watch sports in foreign countries. But yeah, if you are on a public Wi-Fi network, the airport, etc., using a VPN like ExpressVPN is a good idea.
Other questions: Smartsheet was recommended as a project management tool for Teams. How does that compare against Microsoft Planner and Microsoft Project?
Microsoft Project Online has been around, and there's Microsoft Project, Microsoft Project Online, and Microsoft Project Server. It's been around a long time. It's a tried and tested tool. I personally prefer Smartsheet. And it's less expensive! It's hard to aggregate a project portfolio in Microsoft Project without the Enterprise Project Server. Smartsheet lets you do that a lot more affordably, and it's easier to use. Planner's a very basic, inexpensive tool… not bad really for what, you know, you don't… It comes with your subscription to Office. I think Smartsheet is better than Project, in my opinion, both as an enterprise portfolio management projects tool and for just quick and easy task lists, etc.
Another question is: Dropsuite appears to be focused mostly on Microsoft services. Do you have a recommendation for other cloud service backups that support Dropbox, Slack, etc.?
There are a number of tools for Dropbox, too many to mention. And frankly, I don't have them at the top of my head, but we will get back to you. If you have a particular one that you want us to find a solution for, like Dropbox, let us know and we'll get back to you with a recommendation there.
If you have a lot of corporate data in Dropbox, you should definitely try to back it up. There are tools where you can essentially sync it off to Amazon Web Services or something like that. So the person who asked that question, we'll get back to you on that.
You might give us a little bit more detail on which particular online service you're trying to protect. There are a lot out there, of course. From the point of view of consistency and standards, we try to find a decent product at a decent price point that fits most of our clients, and after research we came up with Dropsuite for cloud-only clients.
…
Tony Lesirge:
Thanks for attending, and thanks to everyone else for attending as well. As Pat said, if you have questions for Pat or myself, or really anything related to I.T., please send us an email. Pat's email is up on the screen there. If you're a client, I'm sure you have your consultant's email or my email.
And have a good afternoon!
If you have any questions, please reach out to Tony Lesirge.