Remote working models are basically a given in today’s business environment, and while this allows for flexibility that was previously considered a luxury, certain security risks also come with the package.
Remote work often means decentralization, and with many people working remotely and using their home networks, it becomes more and more difficult to ensure efficient and secure IT management. Most companies employ such tools as Virtual Private Networks or move their systems to the cloud to achieve utmost security, but without proper IT management, these efforts are not always enough.
Cybernews invited Adam Barney, the President of Sales and Partner at Framework IT, an IT management service provider, to talk about the most common misconceptions and practices that businesses have regarding IT infrastructure management, as well as discuss the challenges brought into the cybersecurity field during the pandemic.
Tell us more about the beginning of your story. What was the journey like for Framework IT?
John Fakhoury, Framework’s Founder and CEO, worked in public accounting and Business Change & Management after graduating from the University of Illinois Urbana-Champaign. While traveling the US helping Fortune 1000 execute, assess, and solve complex challenges, John grew increasingly frustrated with the experiences he had to support his technology, and ultimately his productivity. Observing the experiential gaps in how IT support was being delivered, John believed there had to be a way to create a better experience, and so he founded Framework IT with an acquaintance in the technology management field.
Shortly after founding Framework, while running with his charismatic dog, Dino, John incurred a serious foot injury that prevented him from traveling and rendered him on short-term disability leave. Unable to remain unproductive, John invested his energy in building the foundation for Framework to expand, raised angel capital, and recruited the earliest team members, including myself, Adam Barney.
After establishing the foundation and a small team of tenacious professionals, Framework kicked into growth mode over the coming years, expanded its service offering and team, landing a spot on the Inc 500 and Inc 5000 list of Fastest-Growing Private Companies in America in 2013, 2014, and 2020.
Since those early days, Framework has continued to grow a world-class team and culture, securing recognition on the 101 Best & Brightest Places to Work in Chicago, and in the Nation. As Framework matured, the organization maintained a start-up culture of creativity and agility and experimented with numerous innovative models to deliver Managed IT Services that stand apart as truly unique in a competitive industry.
Can you tell us a little bit about what you do? What is the Evolution Framework?
Framework’s core focus, Managed IT Services, is holistic IT management for small and midsized organizations, with an emphasis on 3 core pillars of successful IT management: support, strategy, and security.
In addition to that core focus, Framework delivers a range of value-add services to clients including cloud unified communications, traditional phone systems, VoIP, cloud services, Internet service, cybersecurity, etc.
Framework provides clients a direct reward via reducing their Managed IT Services pricing, for adopting the data-driven best practices, which we call the Evolution Standard. This standard came by way of analyzing a decade of IT management data, which clearly demonstrated that certain high-level best practices for an organization’s technology environment had a massive positive impact on Key Performance Indicators of successful IT Management (such as reducing issues, increasing security, reducing IT management costs, etc.). Seeing this clear correlation in the data, Framework innovated a pricing model that rewarded clients that adhered to these best practices. The Evolution Standard laid the foundation for our Evolution Framework, our equivalent of a client journey, to guide all clients towards adopting these best practices. As part of engaging in a potential client partnership, we shepherd our potential partners through the Evolution Framework, which entails extremely in-depth discovery, partnership alignment, and technical assessment, which ultimately leads to an in-depth GAP analysis and a strategic roadmap to adopt the Evolution Standard, improve results, and achieve reduced Managed IT Services pricing!
What are the most common misconceptions people tend to have when it comes to IT support?
Many people think of IT support as being solely about fixing problems that arise so people can get back to working productively. The perception is often that the IT person handling a support request just sees it as a ticket they want to resolve and close as soon as possible. This type of break-fix mentality is a thing of the past. While reactive IT support is a core component that will always be necessary, it is only part of the equation. To create great outcomes in technology management and support, organizations must invest time, effort, and money in proactive strategies, solutions, practices, and policies that futureproof the organization and prevent and minimize issues in the first place! Stellar IT professionals and organizations are less concerned with how many tickets they can close, and instead take the mindset of owning the entirety of the technology environment and the experiences it drives so they are more focused on building and maintaining systems and processes that create consistent, ideal outcomes and positive experiences for all stakeholders involved.
Many organizations have the misperception that IT support is just an operating expense on the P&L that should be managed and minimized as any other expense. Many people view IT support as just a cost you pay at the end of the month, like your electric bill keeping your lights on. Few appreciate technology’s role in enabling productivity, reducing risk, increasing organizational agility, and ultimately contributing to expanding the top and bottom line. Technology can help drive profit by harnessing efficiency and enabling innovation!
People tend to think of IT support in a silo, as something that can be managed with success (or failure), independent of other critical technology management considerations, such as strategy and security. IT support cannot deliver successful short-term and long-term outcomes consistently without a thoughtful all-encompassing technology strategy that ensures the right systems, plans, budgets, and change management procedures are in place. Moreover, reactive and proactive support efforts and investments cannot make up for lackluster IT security efforts and investments. In other words, organizations need to expand their view of IT management beyond support and recognize that successful IT management relies on all 3 pillars of IT management: strategy, security, and support.
Some people also think of IT support as a technical database of all the answers to all potential problems. Effective IT teams certainly leverage knowledge bases to streamline workflow. However, IT is rapidly evolving and endless knowledge necessary to properly address all issues that may arise exists. As a result, IT professionals cannot always operate like databases that instantly retrieve answers! Quite often they must investigate, research, leverage problem-solving skills, and collaborate to address problems in the most ideal manner possible. Naturally, employees also want their problems fixed quickly, but too often fail to understand the complex nature of certain issues and do not appreciate the processes and best practices that effective IT teams will leverage to address issues fully, at the root cause, and to prevent them from recurring in the future.
How do you think the pandemic affected your field of work?
The pandemic drastically changed how businesses saw IT and it shifted their views on how work could be accomplished. It opened many organizations’ eyes to IT’s true potential to support and enhance productivity, drive operational efficiency, and improve flexibility to accommodate unforeseen circumstances. The pandemic forced companies to embrace modern communication technologies they otherwise would have avoided for as long as possible. The rapid move to embrace modern communications and collaboration technologies resulted in most companies discovering they could accomplish 90% of their work remotely and still execute goals, maintain accountability, and drive desired results as effectively as they always had in the past.
With staff shifting to working from home, IT support teams found themselves potentially having to support, manage, and help maintain residential-grade networks and services. The lack of control over home networks, issues with consumer-grade internet services, and the added variables of a home-office setting increased the need for end-user education and effective collaboration to provide effective support for staff working from home. Additionally, the mass office exodus and an exponential increase in flexibility, both in terms of physical location and schedule flexibility, have made IT support an even more around-the-clock need.
The pandemic also caused a rapid and significant shift in investment priorities in the technology space. Investments in premise-based infrastructure, like upgrading office networks and local servers, plummeted as organizations went virtual or hybrid, first temporarily and then, in many cases, more permanently. Investment in premise-based technology has recovered to a degree, but has not reached its prior peak tempo, and is unlikely to ever fully recover, based on our observations. On the other hand, the rapid adoption of more virtual work environments caused increased adoption of cloud-based technology systems that are better able to support remote, distributed workforces. The increased awareness and belief in the benefits of cloud solutions, and emphasis on cloud adoption, was very beneficial to Framework as our unique Evolution Standard and Evolution Pricing Model already relied heavily on leveraging cloud-based applications, infrastructure, and services. Therefore, Framework entered the pandemic well-positioned to deftly guide organizations through cloud adoption strategies and execute cloud migrations that helped them rapidly accommodate the new ways of working.
What cyber threats do you think we are going to see more of in 2022?
Social engineering and ransomware attack vectors continued to gain ground in the past year. Specifically, phishing and other email-borne threats have risen at astounding rates since 2020, as nefarious actors saw the opportunity in the often-chaotic shift to remote work. The rapid, and often haphazard, adoption of work from home exposed organizations to more threats as many existing security precautions became less effective. Existing security systems designed to protect office networks failed to extend the same level of protection to home office settings. Moreover, cybercriminals are targeting SMBs harder than ever, probably due to their anticipation that SMBs' cyber defenses may be the most weakened from nonstrategic transitions to virtual work environments. Framework expects that we will see a major shift in the usage of multi-factor authentication, single sign-on, next-generation endpoint protection, email security, data loss prevention measures, and cybersecurity training, to mitigate certain types of threats.
We are also seeing continued segmentation and specialization of roles in the cybercriminal space. The person that designs the ransomware/malware is often going to be different from the person that gains access into a network, which will likely be different from the person that obtained root access to your servers, for example. The specialization, and the commercialization of the underlying malware/ransomware itself, has expanded the pool of potential bad actors in cyberspace and complicated the task of policing, punishing, and halting these bad actors.
With more security options and providers available than ever before, certain companies still hesitate to update their cybersecurity. Why do you think that is the case?
Investment in cybersecurity, for many organizations, especially SMBs, is still viewed as an overhead cost, like spending on liability insurance. Outside of certain industries with compliance requirements that necessitate certain cybersecurity practices, many organizations, and SMBs in particular, view cybersecurity as a cost center, rather than an investment opportunity. This mentality leads to an approach that seeks to minimize the explicit, immediate cost of cybersecurity protection and prevention measures, rather than minimizing risk overall and reducing total cost in the long-term via investment in high ROI cybersecurity policies, procedures, and solutions.
The short-sighted cybersecurity investment mentality is further exacerbated in SMBs by an erroneous belief that they are too small to be targeted by malicious actors in the cybersecurity space and by a general lack of knowledge of their risk exposure. “We are too small for anyone to pay attention to our company,” is a common response from SMBs when discussing their cybersecurity risk. The reality is that all organizations are a potential target and many cyber threats do not directly target a particular entity anyway, but rather cast a wide net that exposes many organizations, regardless of size and industry, to risk.
Furthermore, many non-technical leaders believe that their trusted IT people provide adequate protection alone. They often fail to appreciate that cybersecurity is its own specialty, for good reasons, and that implementing and maintaining adequate cybersecurity requires a combination of expertise, processes, policies & procedures, and technology solutions to be effective. In other words, a stellar IT generalist, no matter how intelligent or respected in the organization, is not at all an alternative to implementing a holistic cybersecurity strategy.
Unfortunately, for many organizations, the false sense of comfort around cybersecurity is often maintained until they face a serious threat, or potential or real business harm, that shatters these illusions and prompts them to start to understand the pervasive threat landscape and the true return on investment proactive cybersecurity measures can deliver.
In your opinion, what are the worst cybersecurity habits that can do serious damage to one’s company?
End-users (employees), their habits, and (lack of) awareness while accessing and using organizations’ technology, pose the most significant security threat. While this has always been true, the shift to remote work and using company hardware or accessing company data under under-protected home networks further exacerbated the risk posed by employees’ habits and cybersecurity awareness. Organizations should invest in empowering employees with the necessary knowledge and best practices to protect themselves and the organization. Regular, relevant security awareness training and accountability procedures should be implemented as part of a standard security foundation in all organizations, regardless of size or industry.
Careless behavior towards email and a lack of investment in email security measures can do serious damage to organizations. Email phishing is one of the most prevalent threats and one of the most common sources of successful data breaches. Too many employees are either naïve or just careless about how they handle email and endanger their organization immensely, as a result.
Lack of knowledge or adherence to password policies and best practices. Password fatigue (the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine) leads to many people succumbing to poor password behavior that reduces the security of their personal and company information. Examples of poor password behaviors include, but are not limited to: reusing passwords across systems and sites, using non-complex passwords, storing passwords insecurely, sharing passwords, changing passwords infrequently, etc.
Also, end-users working on personal devices, without proper BYOD policies, cybersecurity habits, and appropriate security systems in place, can cause serious damage to a company. Since people typically engage in a wider range of activities on personal computers, they are often less mindful of security concerns while conducting personal matters online. The use of a personal device for work increases the chances of malware, ransomware, and viruses that can in turn expose company systems and data to threats. Moreover, personal computer use may increase the risk of data loss or theft when an employee departs an organization, as the company may have fewer capabilities available to lock down, retrieve, or wipe corporate data from the personal device.
As more people work from home these days, what cybersecurity solutions do you see becoming crucial for remote teams?
Multi-factor authentication, single sign-on, next-generation endpoint protection, email security, data loss prevention solutions, locking down access to corporate technology environments, cybersecurity training, and multi-factor approval for transactions are increasingly important and critical measures to meaningfully reduce risk in remote teams.
Endpoint management tools and endpoint security are especially critical in a remote team. Managing remote endpoints is difficult for companies to do by themselves so a good endpoint manager and endpoint security are extremely helpful. Also, having a policy of keeping computers’ operating systems updated is important. In an ideal world, it would also be recommended to keep employee home networks updated (routers, access points) but that is very difficult to enforce.
Companies should especially invest in and emphasize cybersecurity awareness training for all staff, backed by accountability reporting, policies, and procedures. Home networks will never be as secure as office networks in the foreseeable future, exposing organizations to a greater range of threats. Employees that are not armed with cybersecurity awareness and best practice knowledge pose a huge risk in general, but especially in under-secured home-office environments. A trained and aware employee can be an effective first and last line of defense against cyber threats, and no amount of investment in cybersecurity software can totally negate the need for the employee to function in that capacity.
Additionally, companies should move towards unified and access-controlled systems for file sharing, collaboration, and workflow processes, either through trusted cloud vendors or through mature, appropriately secured internally maintained systems. Too many organizations that went remote adopted weak security standards and solutions to allow users to access internal networks that were never properly secured from the outside world. The lack of secure access standards and solutions opens a lot of doors for nefarious cyber actors to exploit and gain access to critical systems.
What does the future hold for Framework IT?
Framework IT has made massive strides in the last two and a half years to differentiate itself in an increasingly crowded industry. Fortunately, the innovative approach Framework developed in 2019, specifically the Evolution Standard (data-driven best practices), Evolution Framework (client engagement process), and Evolution Pricing Model (unique approach to managed IT services pricing that reduces costs for clients that adopt data-driven best practices), was well-suited to meet organizations’ evolving needs in the new normal following the onset of the pandemic.
Beyond a distinctive approach and pricing model, Framework IT has also positioned itself well for the current labor market conditions by investing heavily in talent acquisition and retention. The results speak for themselves, as Framework enjoys above-average employee retention and has made the 101 Best & Brightest Places to Work in Chicago and the Nation List for several of the past years.
Our Evolution product development, combined with an expanding team of committed, experienced professionals, has primed Framework to seize the shifting opportunities in the present, deliver exceptional client value, and continue growing at an industry-leading pace. Having already reached the top echelon of companies in the industry, Framework IT believes that it can organically expand its reach, capabilities, and impact to more clients across the United States by reinvesting heavily in talent acquisition, talent development, processes, and systems.
In addition to organic organizational development and growth, Framework IT intends to start exploring horizontal and vertical acquisitions with the goals of enlarging geographic presence, capturing economies of scale that can be passed along to clients, expanding the talent base and delivery capacity, and adding additional capabilities and services that enhance the partnership’s value for our clients.