This webinar was recorded on September 24, 2020.
Jeanne Bell: All right. Good afternoon, everybody. Welcome to “Tech Policies for Virtual Teams—A Leader’s Responsibility.” My name is Jeanne Bell. I’m with Nonprofit Quarterly, and I direct our Advancing Practice program. We took August off in the Leadership webinar series, so it feels really good to be back with you and to be back with you with a partner—the first of two webinars we’re going to do with our friends at Tech Impact. And I’ll introduce them, and you’ll learn a little bit more about Tech Impact if you don’t already know about them in a moment.
But welcome back, and a special hello to Leading Edge members. As you know, we’re building a membership program of people that focus on advancing their leadership and management practice. I’ve been in community with you now for actually two years around that, through the webinar program, and I’m just really glad to welcome you back, if you are a Leading Edge member. And if you’re not, you can consider that on the upper-right-hand corner of our homepage.
I’m really pleased that we’re focusing on technology. We haven’t focused on that yet in the program, and I know it goes without saying that with COVID and shelter-in-place, technology is front and center for all of us, even in ways that we didn’t imagine. And it’s very important, we think, that we take some time to take stock now, multiple months in, of how should we be approaching this as leaders. And you see the subtitle of this is “a leader’s responsibility,” so while we are going to go into the specifics of some of the policies, at least at a general level, and we’re going to be providing you with a new guidebook from Tech Impact, we’re also really coming at this from a responsibility perspective: how do I create a culture of responsibility around technology?
So that’s what today is about. And again, we have a second webinar coming up on October 22nd, also with the Tech Impact team, about taking your finance office even more virtual, which is something that so many of our participants have been trying to do.
I want to let you know that this is a 75-minute webinar, so please note that. We have a lot of content, and we know that you’ll have questions. We have multiple polls. We have a short evaluation at the end and formal breaks for Q&A throughout the session, so we invite you to stay engaged. If you’re using social media, please use the hashtag #NPTechLeaders, and some of our team will be on social media with you as well. And we’re not using the chat feature with you; we’re using the Q&A box to be in dialogue with you, so please feel welcome to use that at any time as questions arise. And as I said, there’ll be formal breaks in the content where we review some of those questions.
So let me introduce our two Tech Impact presenters. Francis Johnson is Managing Director of Technology Services at Tech Impact, and he oversees all the technology infrastructure projects and support services that they do. And it’s been a pleasure to get to know you a little bit, Francis, in planning for this webinar, and what an extensive body of work in helping people plan for and use technology effectively inside organizations. (Next slide, please.) And Karen’s role is Director of Education and Outreach at Tech Impact. And you might recognize that word “Idealware.” She leads that Idealware team of researchers, presenters, writers, who create technology information resources, and as I said, we’re going to share a resource with all the participants at the end of this webinar, and I’m sure we’ll allude to it. So, welcome to both of you, and thank you for partnering with NPQ on such a timely question of a leader’s responsibility around virtual. And I’ll turn it over to you.
Karen Graham: Wonderful. This is Karen speaking. I hope most of you can see me, as well, in the little corner. I want to just tell you a tiny bit more about Tech Impact before we begin, so that you know what qualifies me and Francis to be talking with you about this. Our organization is a nonprofit, and we are on a mission to use technology to better serve the world. And we do that in three main ways: through providing technology services for nonprofits, through providing education and training for nonprofits to help them make smart technology decisions—and that’s kind of the pillar under which we’re doing this webinar today, and then, thirdly, to provide training programs that help opportunity youth to gain the credentials and qualifications they need for technology careers.
And some of the things that make us special is that we are a nonprofit, and so we understand the needs of nonprofits better than almost anyone who is providing technology services to nonprofits. Our motto is “We’re here to help,” and we really take that seriously with our service and in the ways we try to be responsive to the needs of the people that we serve, whether they’re nonprofits or individuals. We also are practical, and agile, and collaborative. Those are some of the hallmarks of the way we conduct our work. So, we would be delighted to interact more with you in the future, if you need that.
But for now, let us go into a poll, and our Nonprofit Quarterly friends are launching that right now. So, the question here is, “What is your role in your organization?” More than one of these things might be true of you, but maybe pick the one that you most identify with when you think about your technology role in your organization.
And your perspective on technology policies, I think, will vary a little bit depending on your role in the organization. I see that a little over half of the people that responded are in management or senior staff, and many are also executive directors. So, we’ve got a majority here who are in a formal leadership role in your organization. But I’ll tell you what, even if you are an “accidental techie,” which is the phrase we use for people who maybe don’t have any formal training in technology but they’ve been given responsibility for that in their organization, or if you are IT staff and do have some formal training and credentials there, you may not have a formal leadership role in your organization, but you certainly can still show leadership in how your organization uses technology and how you apply technology policies.
So, let’s close that, and I will pass the mic virtually over to Francis to kick us off with a story.
Francis Johnson: Sure. Thanks, Karen. And I’ll actually reiterate what you said about the different levels, because this rolling out of tech policies and thinking through them and really trying to implement them wisely really works at every level. We’re going to focus a little bit more on the leadership side of things, but it’s glad to see that we have a good, diverse crowd in terms of different roles. So that’s great.
So, going into my story here, for this story, we’re going to go all the way back to March of 2020. It seems like a very, very long time ago. But we are going back to mid-March, specifically, the frantic time where organizations, companies, and people alike were trying to find a way to effectively transition from working from offices and facilities to move into a remote workplace. During this time, naturally, Tech Impact received a lot of requests for support and implementation projects and things like that—and also advice.
And one of these organizations specifically reached out to us, and they were in a unique situation than most of the organizations that reached out to us. They had actually moved on through their digital transformation stage and had implemented a lot of the things that we had recommended to be able to work in a remote workplace. So, they were not dealing with two particular issues; they really were dealing with one. And so, they were already set up, per se, to move all of their staff into a remote workplace. The problem they had was they didn’t really have policies to really govern and guide their staff towards effectively transitioning. They had also never really tested out the capabilities of moving to a fully digital transformation state.
So, this particular organization came to us—as I said, their management team—and consulted with us. And we went through a lot of these, a lot of questions, a lot of points to help them think through—wisely think through—all the different things that go into making up tech policy. We started from the very basics of dealing with the COVID-19 pandemic and having everyone have to go and work from home because of shelter-in-place orders. So things like asking, will the organization be providing computers and mobile devices for all staff, or would there be a hybrid model where some staff would have organization-issued computers and other staff would have to rely on their personal devices? And if they had to rely on personal devices, how would the organization ensure that those devices were protected and be able to securely connect to the organizational data? A lot of security concerns there that we had to talk through.
Other things around collaboration: making sure that everyone on staff knew exactly which tools to use to collaborate with their colleagues, and obviously management. And one of the bigger ones that we had to go through was also the fact that your office had now turned into multiple offices, sometimes across the United States, and having to deal with different networks. And the question was really, were the networks and the Internet bandwidth for each person’s home adequate enough to do the job? So, we went through a bunch of these questions, went through a bunch of scenarios, helped them build their policies, and some of these points that we went through with this particular organization/client, we’re going to go through in this webinar today.
So just to wrap it up: they were able to implement a few policies, revise some of the policies that they already had that were outdated. And the big point was, even though they set these policies up, they were flexible enough to understand that there would have to be some trial and error, because they would need to have a lot of buy-in, because of the state that we were in, and the fact that the workplace as we knew it had changed drastically. And so, they did commit to revising and reviewing on a periodical basis to make sure that every staff member felt included in terms of the process.
And with that, I will turn it back to Karen, so she can go through our agenda for today.
Karen Graham: I’m guessing if we could see you all, that there’d be some head-nodding here. Can you relate to that story? I think it’s pretty typical—right, Francis? Like, this is not an unusual story. It’s not an anomaly. This is what a lot of organizations are going through.
Francis Johnson: Exactly.
Karen Graham: So, we’re gonna unpack that a little bit. We’ll look at it from some different angles, including looking at what has changed about the context in which we work that might point to a change in your policies, or an update to your policies. And then we’ll also touch on six key technology policies that most organizations would probably want to have, and what should be in them, and what kinds of questions you should ask about those policies. We’ll talk a little bit more about your role as a leader and your responsibility there. And, as Jeanne said at the beginning, we’ll be taking questions throughout. We’ll also allow just a little bit of extra time at the end for remaining questions. And also, toward the end, we’ll be sharing some additional resources for you to be able to work through this, and build your own policies, and strengthen your policies.
We won’t be covering whether you should allow employees to work from home or in what circumstances. I know, as the pandemic hopefully winds down, that we’ll have some decisions to make about that. Like, how quickly do we bring people back to work? Do we maybe allow some people to work from home indefinitely? So, what we’re assuming here is that you do have employees working from home—at least some of them, some of the time—for the foreseeable future. We’re gonna focus more on technology policies here than personnel policies. It’s also hard to cover policy without also talking about practices and protocols. And they’re different things, but they’re so interrelated that we’re going to touch on those throughout.
So, let’s roll into a little bit about what has changed. And we have another poll here to start this out. The question for you is going to be, “What has changed about your technology use in the past six to eight months?” And…so actually, it’s not technically a poll. I’ll invite you to use the question-and-answer panel to type in your response to this. What’s one thing that has changed for you? And while you’re doing that, let me share a few things.
What you’ll see on your screen is just a search on Amazon for “remote work.” This was actually a couple of months ago, when we were first cooking up the idea for this webinar, and I thought, I wonder what kind of information is out there for people? So, I found tons of results on this. Lots and lots of books have been written about remote work, long before the pandemic started. But they’re not really from a nonprofit angle. And I think it can be easy to just get overwhelmed with a lot of generic information that doesn’t really give you the answers you need. So, this is what we’re going to strive to do for you today.
And so, we’ll talk about three things that have changed here. I’m going to let Francis address this next one.
Francis Johnson: Sure, absolutely. So, just to go back to the story, one of the questions was about technology resources—computers, to be specific—and basically technology equipment. Not really specifically to computers, but mobile devices. I know some organizations were allowing staff members to take monitors home and essentially be able to set up their workplace at home. What it comes down to is understanding the risks that are involved with that. Things to think through in terms of usage of these computers, these mobile devices, etc.—are their household members using it? Is it being used for personal use instead of work? You know, things to think through as you build a policy around use, with also understanding that, because things have changed, and the fact that essentially everyone is working from home, there might be a situation where you have to kind of loosen the grip a little bit on some of these policies to accommodate for the reality that we’re in right now. But understanding those risks and laying them out as you build your policies are very important. Next slide, please.
Karen Graham: Yeah, Francis, we have a whole bunch of responses that have come in to that question we asked at the beginning of this, too. And I’m seeing a big trend in just using new platforms, especially for virtual meetings. A ton of people mentioned that.
Francis Johnson: “Digital security.” Yeah, I see that.
Karen Graham: Yeah, just remote, remote, remote. And there’s some specific things here about, like, using technology for virtual fundraising, moving all the finance functions to be remote, teletherapy, other aspects of program and service delivery that are remote. Oh, and somebody says, “more phishing scams in my email box.” And that’s something we’ll touch on as well. So, lots of great comments there. I don’t know if there’s anything specific you want to address here. I’m just scanning through to see if there’s anything real juicy. So go ahead, Francis.
Francis Johnson: [laughs] No, that’s fine. So this next slide is touching on personal devices and resources. I’m not sure if that’s been called out, but some organizations weren’t able to procure equipment for all of their staff that had to work from home, and so they had to be, as I mentioned earlier, sort of a hybrid model wherein some staff would have to use personal devices. And there were a lot of questions that go around with that, in terms of reimbursement, stipends, etc. Working on a personal PC, what are the requirements in terms of applications and standardization? Will there be a strict policy on non-work-related applications and services? Things like that.
I mean, the biggest thing…this would be probably a good time to speak on a little bit of a story here on the last point, which is home network and internet. As everyone had to…well, most organizations had to move away and move away from their offices and have staff work from home, one of the main things we noticed, because we provide support for quite a few organizations, and we had a few users logging in and calling us in from their homes, and some of the disturbing things—we found out that some of these networks, these Wi-Fi networks were open. They were never secured, and they weren’t password protected. And obviously, that was a huge red flag. We had to bring that up with the executive team and basically build some policies around that. Because the assumption was, because folks are working from home, that they had the basic level of security on their network. And you do not want, obviously, to be having your data and your applications being accessed on an open network that is open to anyone in the vicinity essentially. So, some of the things that we’ve had to kind of combat and really recommend and urge organizations to look into, even from just from a basic Wi-Fi security perspective.
Karen Graham: One of the comments I wanted to point out here, which actually relates a little bit more maybe to the previous slide about organization-provided technology resources, is about what happens when an employee leaves. What about a termination? Like, how do you collect that stuff from them? And what do you have to do with your data to maybe clear it off personal devices if it’s stored on there? So that’s a complicating issue, too. And—oh, sorry—with this one, there was a relevant comment too. Somebody said they’re an anti-violence organization, and with people distributed, it just becomes harder than ever to monitor harassment issues and things like that.
Francis Johnson: I think adjusting habits and trying to remain connected and organized and secure. I think the probably the underlying theme of what you’ll be keep hearing on this webinar is security. And it’s important, because we are now spread out, to be able to make sure that the level of security needed isn’t ignored or put to the side. So those are the three things that we try to point out in terms of things that we noticed that have come up in terms of issues or things to really consider. Sharing passwords, shadow IT—and for those who don’t know what “shadow IT” is, essentially, it’s staff members, users, basically going out and evaluating and purchasing and implementing IT applications, programs, systems that have not been approved or been reviewed by anyone in either management or the executive level. So, essentially using tools that are not quote-unquote “organization-sanctioned” tools.
The things that we realize that happened most around file-sharing and collaboration and having two people look at the same document. If you don’t have a true collaboration system in place already, it just it begs for people to go out and get and look and evaluate other tools. And before you know it, there are so many different file-sharing systems, and so many different…for example, marketing solutions and things like that. It’s very important.
And this, I put more onus on leadership to put a lot of emphasis on standardization of their applications—and training. I think that’s the other piece of it; if your staff do not know how to use a particular tool, they’re more likely to go out and find something they’re more comfortable with. I’m not saying it is right. But I think that’s just the reality of some of these shadow IT forces out there, so to speak. There is a learning curve. And I think training, as I mentioned, is important—making sure everyone is informed and able to use the tools that are at their disposal basically will dissuade people from going out and implementing other things on top of what you already have.
You wanted to add to that, Karen?
Karen Graham: Well, yeah, there’s just one thing. I just wanted to address something that came in in the questions and answers. But before I go to that, I’m feeling a little bit of like, wanting to push back on this, Francis, and that’s just because of like a difference in our roles. Because your role is to make things consistent, standardized, stable, secure, right? So, you’re going to be thinking about, how can we standardize this and minimize that shadow IT? And part of my role is to encourage organizations to be innovative, and I’m really excited about all the creativity with technology that has happened during these last six months. Sometimes, some of the best, most innovative ideas come from skunkworks and, you know, kind of shadow IT stuff. So, I think it’s tricky to find a balance in an organization where you’re allowing time for people to kind of experiment and maybe even use unsanctioned tools but still protecting your organization’s assets.
Francis Johnson: And that’s the key, right? The protection piece. Ultimately, sometimes, you’re right. You get more innovation from going out there and figuring out—and that’s why I said “evaluate.” Sometimes it’s as innocent as evaluating a piece of software. But then it becomes rolling out, without anyone…any real collaboration in terms of approval, so to speak.
I think it’s okay. I think, ultimately, that’s the way you implement newer systems and more effective systems, is by evaluating what’s out there. But there’s a balance, there’s absolutely a balance, and you don’t want to leave yourself too stretched and overexposed if you’re continually going out and evaluating and rolling out new software or systems.
Karen Graham: Yeah, absolutely. One other thing from the comments, that kind of relates to finding that right balance between standardization and making exceptions when they make sense, is about accommodation. Somebody brought that up. Providing accommodations for somebody with a disability to be able to work from home looks a little different from providing those accommodations in the office environment. [Francis: Absolutely.] And maybe there’s more likelihood of using personal devices and things like that. That’s just something to think about, and it’s not something that I have a great deal of expertise on. I think that’s probably a good question for your HR department, or a consultant or whatever, or legal counsel, to navigate those issues. But there definitely are issues to pay attention to there.
I’m just going to show this Q&A break on the screen to prompt people a little bit more. We’ve gotten 78 responses in the question so far. That’s pretty awesome. I’m glad that you all are paying attention and have things to say. A couple of questions have come in, I think. But I just want to specifically invite you right now to post your questions in there. And we’ll be looking at those.
Jeanne Bell: And I’ll use this moment to just say that last little segment really rocked. You know, having you both show us that there’s always two, or three, or four sides to the coin, and that the leadership dilemma is trying to balance all of that, was super helpful. And I also want to thank you, Francis, for lifting up training, because I think in my nonprofit experience, even if we’re allowing for the tension between shadow IT and innovation, training is often undersupported, and so that innovation, even when it does percolate, doesn’t get trained in and integrated well enough, even if that’s the spirit of accepting it. So, I love that you raised that, Francis, but thank you both for sharing that multifaceted question with us.
Karen Graham: There was a little question about work-related injuries here, too. To extend what I said about accommodation, there’s some things with Fair Labor Standards Act that might come into play here—OSHA, workers comp, that kind of thing. There was an article, I think, from last week in Nonprofit Quarterly about that, and I can’t get my hands on the link to that right now. But maybe somebody from NPQ has that to put into the chat to share with people. That had some more information on the legal and human resources aspects of working from home or working remotely.
I’m just looking through here. There’s one. Go ahead, Francis.
Francis Johnson: I see one that’s been asked twice now, I think. It’s about the “employee that leaves” scenario, which is probably a reality for a lot of you. So, I’ll answer the second part of it—the collection of equipment. I don’t have a standard way you can do it. We usually, in our organization, would just request that they get sent back, and even pay for mailing and that expense, specifically. In terms of deleting [organizational] files, it’s important to roll out a mobile device management tool. Those are essentially installed on every [organization]-owned equipment. Instead of having to—in a situation where the computer is lost or the person doesn’t return it, you can remove the files remotely, or essentially encrypt it and allow for the data basically to be locked out. So, you can roll out actual tools to help protect the data within a device. And that works both ways, for [organizational] or personal devices. In a personal device, you can lock a specific application without the device itself. There are definitely tools out there that can help you with that. You’re not definitely hamstrung in that situation.
The collection, though…I can’t give you a strict thing that will work, obviously. I think what works for us might not work for the rest of you, but at the very least, looking into rolling out a mobile device management tool or mobile application management tool to protect your data, whether it’s on a personal device or an [organization]-owned device, from essentially getting into the wrong hands.
Karen Graham: Great. Well, in the interest of getting through all our stuff here, I think I’ll just move along a little bit. But we do have some questions we might want to come back to at the right point later, too.
So here are six technology policies that most organizations ought to probably have. And that doesn’t mean that these are six separate policies in your employee handbook or whatever document you have; it might actually be just one technology policy that addresses these six things. But the six are: acceptable use, which is kind of overall use of your networks and equipment; security, which is mainly about protecting your data, more than anything else; “bring your own device” policy, so use of personal devices (on the slide it says “in the workplace,” but now the workplace is kind of like wherever people are); and then incident response and disaster recovery—even though that is not a technology policy, per se, it has a whole lot to do with technology. So, what do you do in case things go wrong, whether it’s with a technology system, or there’s a hurricane that wipes out your office or whatever? Remote work. And then, social media and digital communication.
So, we’ll touch on each of those going forward here. And I want to find out which of those policies your organization already has, now that I’ve described what they are. so, take a moment to respond to that. Even if your current policy is just garbage, I’d still like to know if you have one.
Wow, we’re getting a lot of questions, Francis. If you see anything you want to jump on, let me know.
Francis Johnson: I see that. There’s some really, really good ones too. Well, yeah. We’ll get to them.
Karen Graham: Yeah. And some of them veer away from the tech policy topic and go into the other things, but if we have the answers to those, we’ll try to get to them.
Here we go. Okay, so here are our results. So, it looks like…“remote work.” More people have that policy than any others. That’s interesting to me.
Francis Johnson: Very interesting. Yeah.
Karen Graham: What did you expect to see, Francis?
Francis Johnson: “Acceptable use,” for sure. That’s pretty standard. I mean, remote work makes sense, because everyone has had to work remotely. I’m glad everybody kind of picked up, and ran through, and set up policies around that. It makes the most sense in the times. For sure.
Karen Graham: Yeah, very interesting. Okay. Well, so we’re gonna ask you later which or which of those policies need work. So, keep that in mind as you’re listening here. But now, we’ll talk a little bit about each of these policies in turn.
Francis Johnson: Sure. So, let’s start with acceptable use. As I mentioned, it’s usually a pretty standard policy, and essentially, it’s what the agreed-upon standard for your organization and the use of equipment in your organization—from a tech perspective, specifically. So, we have some questions about what could go wrong. Misuse of equipment, especially now, and I think there was a question about damaged computers and things like that. Low productivity, bypassing security measures, for sure, is something that’s very important that a lot of organizations reach out to us about.
When considering this particular policy, rewriting it or creating it from scratch, there are a few things that you can consider. For example, number one, thinking about the equipment itself. Who maintains it, who fixes it, and how? Some of you might already have IT staff internally. You might be contracting with a third party to help you in that support and maintenance. Does that contract go through the home users at this point? Some vendors might fight back on having to manage home users and home networks, because they don’t have much control over that. But it’s important to understand and kind of weigh what might be as you build a policy in our current time, right? Who can install software? That’s very important now. Can people use [the organization]’s IT, as I just mentioned, for personal or commercial purposes? (Well, that’s different.)
So, in this situation, if we went above the workplace, and a user or a staff member had an issue with a personal device that had nothing to do with any of the applications for work, is that something that’s acceptable now than when everyone had to work from your offices, and it were actually on an [organization]-issued computer? And commercial purposes as well. Questions to ask. It might just be “no” for both of those, but this is something that you have to consider.
Automation and remote-access support. Two things that are ideas to help combat these particular scenarios. You know, automating installations, automating fixes, and providing IT support for your remote workers, essentially. You want to add to that, Karen?
Karen Graham: Well, yeah. I remember we were talking about this a little bit, yesterday or the day before, about the personal use of organization-provided devices, right? And I said, well, what if somebody wants to watch Netflix on their company laptop? (When I say companyI know we’re not companies, but it’s just an easy shorthand to explain that.) If you’re in an office environment, you’re probably more likely to say, no, that uses a lot of bandwidth. It’s going to compromise the availability of our systems and whatever. So no, you can’t watch Netflix at work. Like, even when you’re on your lunch break, a lot of organizations just say no, that’s not okay. But if it’s eight o’clock in the evening, and I’ve got my organization laptop at home, and I want to watch Netflix, like, who cares, right? So, it feels like some of those kinds of policies maybe actually need to be loosened up right now, whereas other policies probably need to be tightened up a little more than they were before.
Francis Johnson: Yeah, absolutely. Yeah, that was a good point. And I also mentioned, in terms of the personal devices, and having a say on what people can do and not do on their personal devices, might not go far at all. I think you can obviously make sure if people are productive and are using the tools that you have in your organization. But ultimately, there is not much control there, right? So, there’s something to weigh in terms of that. You know, weigh the personal versus the organizational device, and exactly what you can kind of impose on a person at that point.
And you’re right, even with [organization] computers, at 8pm—and I you know, watching Netflix on my home network with my home internet that hasn’t been reimbursed or received a stipend on—at this point, I don’t think that’s something that people should be coming down on staff members for at all. So yeah, you’re right, there’s some things that should be acceptable now that weren’t pre-COVID.
Let’s go to the next slide. So, data security. We’re going to park here a little bit, because there might be some questions, more questions around security. And, really, it’s important. It’s important because even though we are dealing with a global pandemic and racial tensions, etc., this has not deterred all the bad people on the internet. You become more and more vulnerable as you allow more and more folks to work from outside of your control network. Being more vigilant in this time is absolutely a must. The things that could go wrong—this shouldn’t be a surprise to anybody. Lost data or theft, compromised privacy, and obviously a harm to your reputation if you did actually have a breach. Things to consider—things to really, really consider—are redefining your access levels and permissions. Whatever you thought you had in terms of permissions and access levels, you should look into, and review, and redefine if possible. It’s just a lot different when you’re dealing with disparate networks and disparate computers and systems. And so really, really dig into that. Enabling security protocols that you might not have wanted to enable before.
Multi-factor authentication. I can tell so many stories about organizations really just not wanting to do that. It’s such an important piece of securing your network that it shouldn’t even be a conversation, frankly, at this point. Putting in MFA, rolling out things like email encryption, and password management.
Sign up for our free newsletters
Subscribe to NPQ's newsletters to have our top stories delivered directly to your inbox.
And I can speak on that a little bit more—it was in another slide. I usually would not ever recommend sharing passwords or sharing accounts. I truly believe if you have systems and you want to secure them, at the very least everyone should have an individual username and password and have some type of authentication that’s unique to them. But if for whatever reason—whether it be a licensing thing, maybe it’s a software limitation—you have to have a password and username that multiple people have to have access to, there’s ways to securely do that. Rolling out a password management system that have individual connections too, and that you can control who has access to that particular password, is definitely the way to go. So, rolling out tools like that, rolling out protocols to really secure your organization and your data and your applications, is paramount now. And so also, we roll out things like backup, and conditional access policies, and things like that.
Do you want to—and I’m gonna keep asking if you want to jump in on these slides, Karen, but did you have something to add?
Karen Graham: Maybe I’ll just focus on trying to manage all the questions. But I will say I think people have a lot of questions about security. Okay, what is multi-factor authentication? What are the choices available for password vaults, and stuff like that? We’re not going to go into that here, but we have a lot of resources on techimpact.org about that. Like a lot. Like 200. So, if you need those questions answered, we’ll direct you there.
Francis Johnson: Great. All right, we got a few more policies to go through.
Karen Graham: Yeah. “Bring your own device.”
Francis Johnson: So, all right, “bring your own device.” I think it should be called “use your own device” now, because we’re not bringing it anywhere. But it’s essentially using, going back to personal devices to access data. It was a great question about what happens if somebody leaves, how do we wipe or essentially remove access to the data that might be on the application? On that device, I should say. So, definitely rolling out things like device encryption and mobile device management—those are the ideas at the bottom—are very important. It’s one of those things that you should do on all of your [organization]-owned devices, mainly because they won’t be confined to a specific space anymore, and being able to protect what’s stored, saved, and accessed on those devices is very important.
Yeah, and so, even down to the insecure networks and failure to update. Ultimately, if you’re going to allow for personal devices—and sometimes it’s just you had no choice, you probably had no choice, when all of this came down on us—there should be policies and guidelines. I’ll start using the word “guidelines,” because I don’t want it to seem like it’s a top-down, you-must-do-this approach, because we do need buy-in from the staff members. It’s guidelines in terms of how to effectively access data and work on your particular tasks, right? And so, if they’re going to use personal devices, you should have some type of policy around securing your network, making sure that they run updates. And that can be something that you can contract with a vendor to help out with. If you have IT staff, they can help roll that out to personal devices. We should just not leave personal devices just out there without any level of protection, because the access level that they have now, they didn’t have before. And we should adjust to that. Right?
Karen Graham: Yeah, I think you’re right that there are formal policies, and then there are less formal guidelines, and they’re both important.
One thing, I just want to give a really specific example, is about the question what activities and apps are okay. Say you’re allowing employees to access email on their personal mobile phone. They’re going to access their corporate email on that, their organizational account. You can specify, like, you can do that, but you can only do it through the official Outlook app that then you can kind of control. And then if the employee leaves, you can delete the data from their phone just from that app, or you can lock them out of it, right? Versus, if you allow them to have that hooked up to whatever email app they prefer to use on their phone, then you just have a lot less control over it, and it opens you up to that data getting into the wrong hands. So that’s an example.
All right, incident response. We’ll just touch on that a little bit.
Francis Johnson: Touch on that a little bit. Yeah. So, and this could be—I know, we focused. We touched on everything here. So, cybercrime. If someone were to receive a phishing email and actually click on it and get breached, what is that? How do you actually formulate a response to that? So, data breaches, specific user account hacks, data loss…you know, you can even talk about outages, if the computer crashes. What is your plan in those situations? Probably in the office, you got an internal IT team. You go down the hall, you say ‘my computer crashed,’ and they’ll probably fix it. What’s the process now that you’re dealing with people in different residencies, different parts of the city, parts of the state, etc.? How are we going to centralize resolving major issues that happen on the equipment-level side, user level, or even organizational system level? Having a plan. You just have to have a plan and run through it, and run simulations for several different scenarios, be it the phishing one that I just mentioned. I know there was a question about a lot of phishing attacks. They’re not going to stop. They’re just gonna keep coming. Be able to know what to do, and basically, as I go back to the word “training,” training all the staff on how to react to these particular scenarios is extremely important.
Karen Graham: Yeah. This is tricky, because you think, okay, if there’s some kind of emergency that happens, we need to get an announcement out to our constituents. For example, say you’re running an after-school program, and something went down and you can’t run the program today, and so you’ve got to notify all the parents. Well, normally, you might do a text blast, or an email blast or whatever. But what if those systems are down? Then, what do you do? So, you have to really think about, in an incident, what are the contingency plans if your normal communication channels aren’t working? I think that’s something that some people overlook.
Jeanne Bell: This is also where a data breach would fit in. We’ve covered some cloud-based apps that have had data problems where your own data is compromised because of a vendor.
Karen Graham: Yeah, so what’s your plan for notifying your constituents about that, if their data was affected? Or even if it wasn’t, what responsibility do you have to notify people? And I mean, that comes to more communication policy in some ways, too, than technology policy, but it’s all interconnected.
All right, two more, and then we’ll do another little Q&A break, and we’ll move into some of the leadership considerations here. So, Francis, you wanna take remote work?
Francis Johnson: Oh, sure. Well, everyone already has this, so we shouldn’t talk about it, right?
Karen Graham: Well, yeah, yeah. A lot of this, we’ve already talked about, I think, but maybe there’s just a couple more nuances you want to bring in.
Francis Johnson: There’s definitely levels to that, right? It’s, you know, there’s definitely—I saw a couple of HR questions that’s important to understand and set policies around that. Coordination, as well. Going back to: how are folks supposed to collaborate, and what are the best channels to do it? Dealing with the shadow IT example that we went back and forth about as well, there’s a lot of things there. The loss of culture and team bonding, that’s important, as well, to note and try to figure out a way that doesn’t seem forced to keep that sense of culture and team bonding.
I’ll park this a little bit. So, everyone at this point uses Zoom. I feel “Zoom” is now the “Xerox” word for video conferencing, right? It’s just taking over. And so, one of the organizations that we support wanted to roll out a specific policy about video conferences and video meetings, or internet meetings. And one thing they wanted to do was force, or require, everyone to turn on the camera during meetings. And, if you just look at it at one level, it’s good. There’s good intentions there, right? It’s like, you want to make sure everyone sees each other and can continue to have that team bonding. On the other end, I asked them to think through the fact that not everyone might be able to do that, number one, or be in the right space to be able to turn on their camera at every single video call with video conferencing. I myself don’t always turn on my video. There’s times I feel like there’s certain meetings that don’t need that, per se. And I think that sometimes that obviously, if it’s a staff meeting, there’s enough time, everyone has been asked to turn on video, makes sense. I think the requirement that every single call be on video…I thought that they should probably step back and probably get some feedback before rolling it out kind of top-down and getting a better sense as to how staff feel about that. Because ultimately, we’re already in a very uncomfortable situation. Some of us don’t even have a specific space that we work out of. We should be very cognizant of the fact that not everybody has an office in their home, right? Not everybody has a door that they can lock and allow no one to jump in and disrupt a Zoom meeting, so to speak. And so being very cognizant of that fact across the board before rolling out a policy like that is important. So, I don’t know if you want to add anything to that particular?
Karen Graham: Yeah, kind of related to that. There’s some norms and new practices we have to establish about, how do you virtually knock on somebody’s door, right? When you’re in an office environment, you’re not just gonna bust into somebody’s office, but you get sort of a visual cue if their door’s open or closed—if they have an office with a door. You get a visual cue of whether they’re available or not. So how do we simulate that digitally?
Like, on my team, we’ve worked remotely from each other for a long time, and we just have this practice of instant messaging each other first before we initiate a video call. We send a message like, “Is this a good time to talk?” Whatever. And we also use our availability to some extent. We’re on Microsoft Teams; we use that a lot, and you can use availability in there to indicate whether you’re open or not. So that’s less policy and more just about office or team practices. But that’s an important thing to think about.
Francis Johnson: Yeah, absolutely. You wanna take this one?
Karen Graham: “Social media and digital communication.” Yeah, you know, I think this came out in some of the comments and questions that people are thinking about this. There are some differences in our work environment right now that maybe make you want to take a second look at your social media and digital communication policy. One of them is just that there’s a lot of stuff that people are upset about right now, and we’re under a lot of pressure and stress, and so I think the odds of someone going off on your social media channels, whether it’s one of your staff members—or whether it’s one of your constituents, maybe more likely—posting something that is a little more heated than it normally would be, or maybe even just inappropriate for that channel. I think the odds of that are a little bit higher right now than they’ve ever been before. And you can’t as easily shout across the office and say, “Hey, Jill, can you take a look at this message that I’m about to post on Twitter and give me your opinion on it?” I think there’s also a little more risk that people are just acting without each other’s input on those kinds of things. And so that’s something to think about with your social media policies right now.
One idea to kind of help with that on a practical level is to implement social media management tools. Hootsuite is one that we’ve used here to coordinate some of that stuff. So, people can coordinate messaging with each other and provide some oversight and approval on certain levels of messaging, as well.
So, I’m gonna share this with you just quickly—I won’t give you enough time to read through this whole thing—but this will be on the slides that you get to keep forever and ever. This is not a model policy, all right? This is an example policy. It’s pretty standard, and I think it might be interesting for you to look at this and think about, like, what does it cover and what doesn’t it cover? And what are the things that you might critique in this policy? What might you change if you had the chance? If we had a little more time, I would spend some more time on that. But I think we want to not miss the end of the presentation here. Here’s another example of a list of prohibited activities that an organization might name in their technology policies. These are things that are not allowed.
So now that you’ve heard a little bit about those six different technology policies, let’s bring up a poll again, and this time, we’ll answer a little bit differently. Choose the one that you think needs the most work at your organization. And then, right after this, we’ll have a quick little Q&A break as well. And so, I’ll invite you to start typing in questions if you have more right now, too.
It looks like we’ve got plenty to choose from, Francis. So maybe you want to look and pick one right away.
Francis Johnson: Let’s see. All right, the first one I see says, “I’m a little overwhelmed by all this. We have an IT company helping us. Do you have a checklist of questions to ask them?” Yeah, we can actually—
Karen Graham: Good question.
Francis Johnson: That’s a really good question. That’s something we have in our system that we can provide.
Jeanne Bell: Just, real briefly, as you can see, guys, it’s pretty much across the board that security was the one that people were slightly most concerned about.
Francis Johnson: Makes sense.
Karen Graham: I think we have a few specific resources at the end of this, on the last slide, that can help people with that, too. And we’ll try to maybe prioritize some of those questions, too. So, I’m gonna go ahead and close that.
Francis Johnson: I’m just pulling this up.
Jeanne Bell: There were a couple of questions about insurance, which kind of gets to this issue of security, I think. Several people have asked…first of all, there was a comment that a lot of this suggests that organizational-issued equipment really is superior in terms of security and getting it back. I know, I’m sure there’s a mix of that, and that’s changing, and that’s part of the reason, but at least on the security side. And then that led to a couple of questions about insurance, and I wonder if either of you have any guidance about what kind of insurance is relevant here. And if not, we can send some resources after.
Karen Graham: I’ve got something to say about insurance. I think cyber insurance is a great idea. It seems like it’s expensive, right? But then if you see the cost of an actual breach, it’s way out of proportion to the cost of insurance. So, it’s something to look at. But it also can give you a false sense of security. Insurance is not going to prevent a breach, and it’s not going to cover everything. An insurance policy only covers very specific things, and so you can’t count on it covering all the costs of repairing the damage, and certainly it’s not going to repair your reputation if something happens. So, that’s just something to think about. Like, yeah, it’s good, but it’s not a silver bullet, and it’s not going to relieve you of responsibility to make good decisions about your policies and practices.
Francis, anything to add to that?
Francis Johnson: No, I think you called it out. I know that, dependent on what you currently have just for your organization and your current insurance broker, you might want to check to see if they have some level of insurance from a cybersecurity perspective already. Some of them have them in the overall [organization] insurance policies. So, I would say start there, and see how you could either add to that or go out and look for something else. But yeah, some folks might not even know that they have some level of protection in their current policies.
Jeanne Bell: I want to also say that your comments, Francis, your very helpful comments about being on camera or not led to a number of comments and questions about Zoom fatigue—camera fatigue. So, I wonder, even though it might be basic for some but not for others, do you have some basic suggestions, even technical suggestions about turning off your camera, turning off your camera view? Other ideas that either of you have for people to either do themselves or guide their staffs on?
Francis Johnson: Yeah, I think, just to go back to the story, I guess I didn’t flesh it out too much in terms of how we went back and forth. So, we came up with a level of compromise a little bit, because they were really hard in on, “Every meeting, video,” and we were like, it’s probably not going to go over well, and you don’t want to impose that type of policy, or guideline, or direction on your staff. And so, there were a few things that we suggested, or came to some agreement with. For example, maybe starting the meeting everyone on camera, and essentially allow people to turn off as the meeting goes on. Because, not only just allowing people in your space, it’s also looking at video, and it affects your actual, you know, the in-camera fatigue, etc. So, being able to turn off your camera during a meeting, especially ones that go on hours, two-hour video meetings…for me, there’s so many things that go wrong with that, per se, from my perspective.
So, there are compromises there. If you’re trying to convince your leadership on that, I think it’s just a matter of coming up with a compromise. Because I think ultimately, as I mentioned, there was some good intention there, and it was more around making sure that the team still feels some level of connection. But there’s ways to do that without forcing cameras on every single meeting. And you know, meeting every day for the week, that’s just you know, that there’s a physical toll to that that the leader of your organization might not be totally understanding at this point. But I think, yeah, I think ultimately, if there’s no budging, you have to come up with some level of compromise. And the one we came up with might not have been great, but I think ultimately some of the staff members appreciated the fact that they could turn off their cameras and not necessarily be judged for it, or get a little note about, oh, you need to turn your camera back on, etc. I think it should be essentially a leeway for being able to turn off your camera, especially if things are happening in your space that you would rather not everyone on the call see.
Karen Graham: There’s also some well-being aspect to this. Just sharing some information with your team about encouraging them to stand up and stretch. In fact, we’ve all been on this webinar for an hour, so if—I’m not gonna stand up right now, but if you are listening in, seriously, just stand up for five minutes. And keep listening, you know? You can do that. Or look off your screen, off into the distance, for 30 seconds. That stuff can really help. On the technology side, you can make people aware of blue-light filters on their screens, and that can reduce eyestrain. Things like that can help too.
All right, seventh-inning stretch. We’re kinda rounding the bend to the end of this here. I want to talk a little bit about a leader’s role. And to help you think about this, let’s talk about The Office. Maybe some of you are familiar with that show. Right? So, you know the character Michael Scott is the really, really terrible boss. Let’s imagine that Michael Scott is developing tech policies for Dunder-Mifflin. How’s he going to do this? He’s not going to consult anyone. He’s going to hand the policies down from on high, right, if you know this character. He’s going to create a bunch of policies that make absolutely no sense. They cause a lot of extra work for people. There are probably many reports to file. And the policies are also going to be set up in a way that encourage Dwight to spy on everyone.
And one more thing: Michael’s not going to follow any of these policies himself. He’s going to exempt himself from all of them.
Okay, so this is how not to do it. Then, here is not-Michael-Scott. This is what this leader is doing. So, some of the things that you need to do are to understand the risks that your organization is facing. And this is not just for executive directors or managers, but it’s also for board members. A board member has to understand the fiduciary responsibility, especially in the organization, and how that connects to technology policies. You also should have an understanding of what your organization is and isn’t doing and know your own policies. You can set the tone by tying policies to your mission, and to your success as an organization, and the best interest of the people you serve. You can make your policies accessible, and that means making them easy to find and understand. Accessible to different kinds of abilities and learning styles, so maybe not just a written document, but maybe you also present your policies in alternative formats that make them more accessible to people. And making sure that everyone knows about them, as well. So that’s about communication and training.
And then, making the policies humane is important, but at the same time, holding people accountable to following them, and considering equity. This was something that was actually an addition, after talking through this with Jeanne. We had a conversation about, if you apply policies equally to every single person and every situation, that might not be truly equitable even though it’s equal. Right? So how do you apply your policies in a way that you avoid unfair assumptions and power imbalances? That’s an issue for you to wrestle with as a leader, and the answers to how exactly you do this in your organization, how you do any of these things, are not all the same. It’s gonna depend on your situation.
Just to give you a little example of balancing the humanity of a policy with having control and enforcement, the Animal Rescue League of Boston had this policy for long, complex passwords, and the staff were kind of like, ugh, it’s too hard, it’s too complicated. And so they dialed it back a little bit, because they knew that they would get better compliance if they relaxed the policy. So they brought it back to 10 characters, which is still considered a strong password. They also did this all-staff training. This is also a great example of training that’s engaging and memorable. There’s an actual picture from their training with this sassy security cat, which I just found very creative. So, it was a memorable way for people to become familiar with the new policies.
And I’ll leave you with this, too. This is just a checklist that you can keep. If you want to just go through a disciplined process of reviewing your policies, or if you need some structure for this, here it is. You’ll probably want to review the policy with your HR manager, or with a consultant if you have one. When you’re soliciting input from your team, some ideas are posting it for comment. You know, if you have a place where you have shared files, or a wiki, or something like that, you could post a policy for open comments. You could go over it in a meeting and discuss it. You also want to give people time to digest that.
So just having a meeting and having people look at the policy for the very first time in that meeting where they’re also supposed to react to it and discuss it is not as helpful as sending it to them in advance and giving them some time to think it over. And then finally, when you’re doing training, you don’t want to just talk at people. You want to confirm their understanding. And make it ongoing, so it’s not just happening at New Hire orientation, but you’re also doing a regular review with everyone.
So those are just a few of my tips for how to really make this part of your culture and what you can do as a leader. Let’s pause one more time for questions. I think we just have about six minutes left. And while we’re taking questions, I’m going to show this on the screen. We have a Nonprofit Technology Policy Workbook that is a free e-book, and it has a bunch of worksheets that will help you think through some of these questions for your own organization. So, I’ll leave that up as we’re talking about questions.
Jeanne Bell: Great. I wanted to lift up this question around the—maybe not the opposite, but a different kind of problem with Zoom fatigue, which is people not concentrating, and doing email and other things. And I’ve been noticing that that was starting when we started bringing laptops to meetings. I think nonprofits were later on that phenomenon, probably, than certain industry. I saw it in my own leadership where suddenly—or not suddenly, it felt kind of sudden—people were bringing laptops to staff meetings, in meetings where they weren’t really being asked to use a laptop. But they had it there. And of course, now they have their email on their phone, right? But I think looking at a laptop makes things more okay than looking at a phone, still, in an in-person meeting. And what’s getting transferred, of course, is we can see people on Zoom that are probably doing email, right? Are there policies around that? Or is that the new norm, and those of us who are outdated need to realize that people are going to multitask in a virtual world? What are some of the stances that you might encourage around that?
Karen Graham: What was the question, Jeanne? I was just looking at my email.
Jeanne Bell: Is there a policy around that? If we are—
Karen Graham: I was just teasing.
Jeanne Bell: Good one.
Karen Graham: Yeah, I got you on that one. I haven’t seen formal policies on that. I’ve just seen group norms around that. And I mean, honestly, what it tells me when my team are looking at email during a meeting is that the meeting is boring. And a meeting is not accomplishing what it’s meant to do if they’re not engaged. But yeah, Francis, have you seen policies on that?
Francis Johnson: No, no specific policies. I think it was more policies about conducting a meeting and basically making it more engaging. I feel like that’s what it comes down to. And so, I know what I do in my team—because I know they love to multitask—is to essentially engage them in terms of having them bring something to the meeting itself, so they are actually participating and not just hearing me talk. Which, you know, I’m sure they love. So, it really comes down to engagement.
Jeanne Bell: And then there’s—thank you—there been a number of questions about ergonomics. And of course, again, I think nonprofits were probably late to that movement when we were in person, and maybe some were starting to kind of take that more seriously and invest in it in the office space, and just when they were maybe getting that together, it went home. Or, for some employees. So, any thoughts on how to encourage staff around self-care, injuries? I know this isn’t an HR webinar, but you know, being mindful that people could be hurting themselves working for you at home, etc., is there anything we can do in that realm?
Karen Graham: Yeah, I love when I see organizations just making equipment from the office available to people at home. Delivering it to their houses, whatever, if that’s possible. That avoids having to double up on equipment—if people are just always working in one place or the other, then just transfer that stuff. But it can become, it can feel cost prohibitive if you don’t look at the whole picture. When you really think about, what is what is the cost of not providing that? Then maybe it starts to look a little bit more affordable. Yeah, I personally think it’s important. I don’t often see that in policies. Not yet. But maybe that will change.
Jeanne Bell: Yeah, somebody also mentioned a screen-time policy. So, there’s a whole thread here. And when we put together the resources, we might be mindful of that on the NPQ side, too. We can add some things. But you know, there’s been such a movement in nonprofit HR to focus on wellness beyond benefits. Beyond health benefits, that is. Now, this is kind of throwing another wrench in that, because we’re not creating a single environment for people.
Karen Graham: Yeah, absolutely. We’ve all got to take care of ourselves and each other right now. I mean, of course, that goes beyond technology. But it’s a double-edged sword, right? Technology can solve a lot of problems for us—it can be a great tool—but it also can be harmful. We just have to be aware of that and make sure that our policies are keeping that in mind as well, right?
Jeanne Bell: Right. Well, this is a good time to, I think, wrap up and let people know that this recording and these slides will be sent to you in two business days. There are a number of resources in the deck itself, and we’ll also include a link to the workbook that was just on the screen in the email that comes with that recording. So be looking out for an email from Nonprofit Quarterly with the recording, the slides, and the new updated guidebook that’s available to you.
And I want to thank you both, Francis and Karen, for your really thoughtful prep of this and delivery, both in terms of the slides but also being so responsive to our questions—and there were tons. And also a reminder that we’re going to get back together with Tech Impact on October 22nd and look at taking your finance office more virtual—or virtual; some people were halfway there. And that, of course, came up a little bit in our Q&A box, so I know a lot of people have questions about that. So that’s in development. We hope you’ll join us in October for that. And with that, I want to thank you both. And thank you all for joining us and being so engaged today.
Karen Graham: It was a pleasure. I appreciate all the questions.
Francis Johnson: Yeah, thank you.
Jeanne Bell: Great. A very brief evaluation is going to pop up in a moment. If you can, just answer those three or four questions and give us the feedback so we can keep honing this program. Take good care, everybody.