Covid-19 is changing the way we communicate – but who do you trust to deliver the change?

It’s been said a lot recently that we are living in unprecedented times. I don’t think anyone could ever have imagined the current mass lockdowns, forcing companies to embrace new ways of doing business. Thank goodness for technology and more specifically for Video Conferencing. Almost overnight all VC/Collaboration solutions have seen a huge spike in new users signing up. Solutions such as Zoom, HouseParty, Bluejeans, Microsoft Teams, Cisco, Avaya and Google Hangouts have all seen a big increase in traffic. Companies and individuals are frantically trying to find new ways of working and keeping in touch with customers, colleagues, family and friends, around the globe.

One front runner Zoom, reported they had seen well over 500% more daily traffic to their Zoom.us download page in the last month. We have seen celebrities and politicians such as the British PM Boris Johnson and the former US federal reserve chair Alan Greenspan used it for conferencing as they work from home.

Bad press

Whenever there is suddenly a huge demand for an urgent new solution factors like convenience, price and ease of use are top of the agenda, and the usual due diligence often goes out of the window. It’s no surprise then that some solutions have experienced some bad press. HouseParty were the victim of a totally false report doing the rounds on social media that they had been hacked. Fair to say the company were so “hacked off” that the owner of HouseParty has set a $1 million (£810,750) bounty to anyone who provides evidence that the video chat and game app fell victim to a commercial smear campaign. Zoom have also had considerable bad press with a number of articles in the Guardian and other Tech publications accusing the software of being a “malware” and “a privacy disaster”

This current scrutiny of Zoom does raise the question: Are all these Video Conferencing solutions really safe? We know that not all software is created equally. Any technology company can be subject to a cyber-attack, but we should at least do some due diligence to choose the right product. These 3 factors should guide you in making your choice of service provider:

1. Secure
2. Easy to use
3. Feature rich

Zoom Reported Vulnerabilities

Yes, it’s true that upon a little investigation you can find out that Zoom received a report in March of 2019 about a flaw in their application for Mac. Unbeknown to the Mac user, installing the Zoom client also installed a web server that Zoom used to speed up the launching of Zoom meetings. Even after the Zoom client was uninstalled, this web server remained. Zoom appeared to do nothing about this breach until it was publicly announced. On July 9, they provided a patch, but it ultimately took a patch from Apple to remove this silent web server. Then again in October 2019 Cisco contacted Zoom with a concern over their “Zoom Connector” This time, the Zoom Connector for Cisco would allow anyone on the Internet with a specific Zoom URL to gain access to the browser interface on Cisco endpoints without requiring any authentication on the Zoom cloud or on the endpoint inside the enterprise firewall. Once connected, this unauthorized person could control the endpoint, see the video, hear audio in the meeting room, and make calls. The same is true of Zoom connectors for PolyCom and Lifesize endpoints too; these endpoints are similar in that they all have administrator web interfaces that allow browser-based management and control of their video devices. Besides identifying a serious security breach, Cisco has also taken Zoom to task for the display of its copyrighted logo on its website without authorization; justifiably they are not impressed.

On November 25 Zoom released a statement saying that it had released a patch on that fully resolved the vulnerability. The statement said, “We were glad we could resolve this matter to ensure the continued security of our platform.” This public statement is now also available on the Zoom website.

Have a strong password and never share your meeting ID..

So let me be clear, despite the current ongoing reports in the press today provided you ensure that you have a strong password and never share your meeting ID there is little evidence today that Zoom is less secure then some other comparable solutions and there is not no evidence that any of the previous vulnerabilities were ever exploited. It should be fine for most types of personal use. It’s also true that some of the articles in the media are somewhat sensationalised and over exaggerated. There is no question that Zoom should not be classed as a Malware – it clearly isn’t! Putting a password on the Zoom URL before someone can just dive into the browser interface on Cisco, Poly, and Lifesize endpoints from the Zoom’s cloud is a big help. However, it is reported that Cisco still has an architectural beef with how this “workaround” gains access to its video device interface. 

MS Teams is a step up

For most organisations who will be more sensitive about security, I would look at other solutions such as Microsoft Teams. We all know that over the years Microsoft have had their own failings in the area of privacy but these days security and compliance is at the forefront for Microsoft. Their solutions such as Office365 which includes MS Teams have matured over a long period of time. It takes a mature company to learn the lessons of past mistakes to be able to build mature products with high levels of security. Whilst Zoom may still be on that journey to maturity and will need to overcome some naivety when it comes to software development Microsoft have learnt that lesson the hard way. 

Of course no software can 100% prevent all phishing attempts and malware or ransomware attacks but rest assured if your privacy is important to you then Microsoft Teams is a step up from its competitors. According to Microsoft, “Teams is built on the Office 365 hyper-scale, enterprise-grade cloud, delivering the advanced security and compliance capabilities our customers expect.” Microsoft classified Office 365 into four basic compliance categories: A, B, C, & D. Teams fits into the “D” category, which enables security compliance services by default. Additionally, Teams features two-factor authentication and encrypted data (in transit and at rest) as well as DLP, Mobile Device Management and access to the Office365 Security & Compliance Centre. If you’re still not convinced about switching to Office365 and MS Teams you can get more details around security on Microsoft’s Compliance Page.

---

References used in this article from:
https://www.theguardian.com/
https://www.computerweekly.com/
https://www.nojitter.com/
https://www.brainstorminc.com/
https://www.gartner.com/
https://docs.microsoft.com/
https://www.gartner.com/

Every growing business will get to a stage where they either need to recruit more IT staff or buy more services to help them develop, grow and support the technology to provide valuable outcomes for the business. Another option is to partner with a 3^rd party and outsource your IT. Deciding which route to take can be tricky. First we need to understand what is meant by “IT outsourcing”

Gartner’s definition of Outsourcing IT is as follows:

“IT outsourcing is the use of external service providers to effectively deliver IT-enabled business process, application service and infrastructure solutions for business outcomes.
Outsourcing, which also includes utility services, software as a service and cloud-enabled outsourcing, helps clients to develop the right sourcing strategies and vision, select the right IT service providers, structure the best possible contracts, and govern deals for sustainable win-win relationships with external providers.
Outsourcing can enable enterprises to reduce costs, accelerate time to market, and take advantage of external expertise, assets and/or intellectual property.”

The decision to outsource your IT can be a complicated one and there are a number of key factors to take into consideration. Many businesses outsource for all kinds of different reasons some of these reasons are valid and some can lead to disappointment. It’s vitally important to consider all the risks and pitfalls before you go ahead. Here are a few of the things you need to consider.

Think Holistically

Clearly define your strategy and the objectives for your entire business. Outsourcing takes many forms and these days very few companies rely entirely on internal resources only. Review what technologies you currently use and how they are supported across your business. Some of these may already be outsourced. Whether you opt for outsourcing your technology or staff or prefer to do it inhouse you will have a much better understanding of the correct option when you take all the functions and departments into consideration rather then just focus on IT alone. Failure to look at this holistically can lead to unnecessary complexities and a “mash up” of multiple outsourced partners and internal services.

Consider the value versus the cost 

Building an IT Team to deliver and support your IT from scratch can be an expensive business, make sure you consider the cost of recruiting staff, employing managers and any training requirements, don’t forget to include any hidden costs such as time spent in the HR and Admin functions. 

If you already have a complex internal IT infrastructure and/or Technology stack, supported by an internal IT team and you’re looking to outsource this then you must consider the additional costs and the associated risks. Often internal staff will have a gained a great deal of valuable knowledge of the environment and business processes which are not always easily passed on to a 3^rd party. 

Avoid reinventing the wheel

Do you have a complex requirement and currently rely on your non-technical staff to maintain or support this whilst keeping on top of their “day jobs”?  Try to avoid ripping everything out and replacing it with something else. Instead see how you can re-utilise existing services and skills and build on your outsource requirements from there. Outsourcing your IT Support can however be a quick way to “buy in” the expertise you need and reduce the stress on your existing teams. This in turn will allow staff more time to focus on one specific role and undoubtably improve their morale. 

Keep it Simple

One of the challenges of outsourcing is deciding who to partner with. Many outsourcing relationships break down because the 3^rd party is not able to grow with your business or lacks the correct expertise to really meet your requirements. be prepared to kiss a few frogs before you meet your prince. The answer is to keep it simple, start small and grow from there and avoid putting all your eggs in one basket too quickly. This will make it easier to change partners before you become too deeply embedded with the wrong one. 

Don’t lose touch

Once you’ve selected your outsource partner and undertaken a full due diligence with them, make sure you keep up a close relationship. Its very easy for businesses to drift apart and the partner you rely on for so much of your technology is not kept in step with you. You will need to ensure you have a Supplier Manager or IT Business Partner Manager to collaborate with all your suppliers, partners and internal departments. Their job will be to ensure that you, your partners and internal teams all understand the vision and are working towards the same objectives of the business. Hold regular service reviews and have a strategy to improve any service which is not performing well. 

Shadow IT is by no means a new concept, to some extent businesses have always had to make room for IT solutions which were not known or approved by the IT department. In the past this may have nothing more than a business process using forms created in Excel, or software/hardware purchased “off the self” by an employee. I remember a time an employee logged a call to say his backups had stopped working and could I assist him. Considering we did not have a solution for personal backups at the time I quickly realised this was a case of Shadow IT with an employee backing up his personal data on his own external hard drive. In recent years though, Shadow IT has gone “viral” and there are a number of reasons for this. 

The easy availability and reliability of a wide range of cloud-based applications (SAAS) and Hyper Scalers (PAAS, IAAS) means that any department or division can quickly find a solution for an IT problem, using their own budget, without the need to involve the IT department. Just register your name in an online form, pay with a credit card and within 15 minutes you can spin up your own environment with half a dozen virtual servers without the need for any IT knowledge.

Particularly in SME’s it’s not uncommon for IT teams to be under resourced and for that reason they are often perceived by other departments as a hindrance or a blocker rather than a help. IT teams often focus primarily on supporting the underlying hardware and infrastructure which supports business applications. This can result in a lack of understanding of the complex needs of the end users, their “less-then-perfect” business processes and their daily frustrations, that in turn leads to employees, departments or divisions looking elsewhere to find their own solutions.

The Good

Shadow IT is here to stay. It would be a mistake to try to simply prevent it. In many ways Shadow IT has enabled SME’s to become more Agile and employees are empowered to control their own destiny. It can also mean a reduction in the burden placed on, an already stretched, IT team or Service Desk. In effect Support is “outsourced” reducing their workload.

The Bad

Off course it does not mean that businesses should declare “open season” on the company credit card (although a lot of Shadow IT is freeware, but employees don’t realise its only free for personal use and not for business purposes). So how do we allow for Shadow IT without losing control? First of all, it is essential that SME’s adopt a comprehensive Shadow IT Policy. This will provide boundaries and definitions on Licencing and Policy Compliance, Application Security and Network Compatibility. Secondly the organisation needs to maintain a central Risk Register or SAM (Software Asset Management) which keeps an accurate record of all Shadow IT used in the organisation. 

The Ugly

Failure to maintain control of Shadow IT could result in some serious issues such as a breach of Licence terms. Compliance to Standards such as ISO27001 or GPDR could be at risk due to the use of undocumented software or hardware. Both of these could do serious damage to the company’s reputation and result in big fines and loss of revenue. In the long run it will likely have a big impact on the efficiency of the business as multiple varieties of similar software co-exit rather than be managed by a single solution at a lower cost. Lastly, it’s only a question of time before the IT manager is asked to provide integration between Shadow IT and other back office applications usually when it’s too late to change. This can be time consuming, costly and present a risk to stability and scalability of your infrastructure due to a complete lack of planning, Change Control and UAT testing. 

In Summary, IT departments need to be ready for Shadow IT and ensure that the business is aware of the risks and ensure suitable mitigation is in place as well as strong leadership to ensure policies exist and are enforced. With these controls Shadow IT can happily co-exist alongside the organisation’s main business processes.

Cloud 100 are delighted to sponsor the environmentally conscious reusable mugs for St James Preparatory School; all proceeds from the sale of these mugs will go to developmental projects within the school.  

We at St James Preparatory School are delighted to have received such a thoughtful and environmentally conscious sponsorship from Cloud 100 Ltd.  The generous sponsorship of the St James Travel Mug by Cloud 100 will help reduce the use of paper cups which is most serendipitous as that is what our sponsored travel mug is made from!

– Kim Brown, Development Manager, St James Preparatory School 

It was just 3 days into 2018 and new ‘exploits’ attacks have been reported affecting microprocessors from all the major manufacturers. The exploits work off vulnerabilities in microprocessors that will allow kernel memory to be accessed, allowing all data in memory to be viewed or copied.

These vulnerabilities have been dubbed Meltdown (1 reported) and Spectre (2 reported). Some details on the vulnerabilities explained below.

Meltdown

• Only Intel CPUs have been identified to have this vulnerability
• Leaked memory can store private and sensitive information such as passwords and credit card into
• Microsoft has released patches through Widows update to mitigate exposure

Spectre

• Report to affect almost all CPU manufactures
• Intel is the most hard hit but 3rd party testing has also confirmed AMD and ARM CPUs have the vulnerabilities
• Ready to run JavaScript exploits were created as soon as the 4th of January
• Microsoft has released patches through Widows update to mitigate exposure

While it is difficult to trace whether you have been hit by this exploit due to the way these applications would function, we have not been able to find any reports

Microsoft has offered some advice that will help protect against attacks:

1. Make sure your antivirus software is up to date.
2. Keep your device up to date.
3. Check that you’ve installed the January 2018 Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you, but you should still confirm that they’re installed.
4. Install any firmware updates from your device manufacturer.

Cloud 100 have further secured their arc of growth into the Cloud arena by becoming a market leading vendor of Office 365 essentials to the UK market.

Cloud 100 is now a full service provider for Office Online (Word, OneNote, PowerPoint, and Excel documents), Apps for Office and SharePoint, Online conferencing, instant messaging and Skype connectivity and an array of email and remote IT support solutions.

“We are now your fully comprehensive one stop vendor, for everything. Every single day we are delivering the complete communications infrastructure for businesses all over the UK” Says Group Managing Director Nick Shraga.