By ProServeIT on October 29, 2019

Cybersecurity Strategy Plan for nonprofit organization (6 Steps)


We’ve said it before, and we’ll say it again: building a holistic IT security strategy must be top of mind for all nonprofit organizations. It’s a sad fact, but nonprofit organizations are a juicy target for threat actors – low-hanging fruit, so to speak. This is because, historically speaking, nonprofit organizations often don’t have the budget to put towards securing their organization from outside threats (more about this later).

Suffice to say, nonprofits need to make security a priority. So, in this blog, we’re going to show you six steps to build a holistic IT security strategy for your nonprofit, so that you can focus more on what matters – your mission.

Want to see a more high-level overview of increasing security for your nonprofit? Check out this blog for decision-makers instead!


The 6 Steps You Need to Build a Holistic IT Security Strategy

Step 1: Build Your Integrated Security Solution to Ensure a Speedy Response

Attackers are now using a variety of ways to go after their targets, and their attacks are getting increasingly advanced. So, it’s important not only to deploy the security measures that will keep you protected, but also to ensure that your nonprofit can detect and respond to those attacks in a timely manner.

The average large organization uses up to 75 distinct security products, but a lot of the time, those products don’t talk to each other. This lack of integration makes it harder to see what’s happening within your network. It’s far better to build an integrated security solution, like Microsoft 365 Business, that will provide that holistic approach to security that you’re looking for.

Step 2: Apply Security Controls Across a Growing Number of Endpoints

Here’s a reality of today’s working environment. With the rise of technology, we’re seeing a major shift towards remote working capabilities. Employees and volunteers are being expected to work anywhere, on any device. Unfortunately, those devices aren’t always sanctioned by your organization – there are several “Bring Your Own Device” (or BYOD) scenarios that have ended up landing an organization in hot water, so to speak.

Being able to secure that growing number of endpoints – say, by authenticating and managing users as they access your organization’s assets – is key to protecting your organization. Identity and Access Management (IAM) tools, like Windows Hello, Touch ID, Credential Guard, Azure Active Directory, or other tools available through Microsoft 365 Business, can eliminate the need for multiple credentials by giving your staff and volunteers a single identity that they can use to access Cloud and on-premises resources.

Another way of protecting yourself could be as simple as enabling Multi-Factor Authentication (MFA), which requires that your users present more than one proof of who they are, such as their password plus a secondary authentication method like their fingerprint or an access code that’s texted to their device.
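To make the MFA idea concrete, here is a small added example (written for this page, not code from ProServeIT or Microsoft) of a login check that demands both a password and a short-lived, single-use code of the kind that would be texted to a phone. The `TwoFactorAuthenticator` class, its five-minute code lifetime and the injectable clock are assumptions made for illustration; a real deployment would lean on a directory service and a message gateway rather than in-memory dictionaries.

```python
"""Minimal two-factor login check: a password plus a short-lived one-time code.

Added illustration for the MFA paragraph above; names and the 300 s code
lifetime are assumptions, not a product's API.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 300      # a texted code should only be usable for a few minutes
PBKDF2_ROUNDS = 200_000     # slow hash so stolen password digests are costly to crack


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class TwoFactorAuthenticator:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                                  # injectable for testing expiry
        self._users: Dict[str, Tuple[bytes, bytes]] = {}     # username -> (salt, digest)
        self._pending: Dict[str, Tuple[str, float]] = {}     # username -> (code, expires_at)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def issue_code(self, username: str) -> str:
        """Generate a fresh 6-digit code; the caller would text it to the user's phone."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = (code, self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, username: str, password: str, code: str) -> bool:
        """Both factors must pass: the stored password digest and an unexpired, unused code."""
        record = self._users.get(username)
        # The pending code is consumed on every attempt, so one code never gets a second try.
        pending = self._pending.pop(username, None)
        if record is None or pending is None:
            return False
        salt, expected_digest = record
        _, actual_digest = hash_password(password, salt)
        password_ok = hmac.compare_digest(actual_digest, expected_digest)

        stored_code, expires_at = pending
        code_ok = hmac.compare_digest(stored_code, code) and self._clock() <= expires_at
        # Evaluate both factors before returning so a failure does not reveal which one failed.
        return password_ok and code_ok


if __name__ == "__main__":
    auth = TwoFactorAuthenticator()
    auth.register("volunteer", "correct horse battery staple")
    code = auth.issue_code("volunteer")        # in practice this is sent by SMS, not printed
    print("login with password only:", auth.verify("volunteer", "correct horse battery staple", "000000"))
    code = auth.issue_code("volunteer")
    print("login with password and code:", auth.verify("volunteer", "correct horse battery staple", code))
```

The points the paragraph glosses over are visible here: the code expires, it is consumed on first use, and both comparisons use `hmac.compare_digest` so timing does not leak which factor was wrong.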

Step 3: Expedite Your Response to Fast-Moving Threat Actors

Threat actors know that your organization has multiple entry points. So, they use a number of methods to breach your security perimeter, from phishing scams, to social engineering, to software exploits, and more. There are some tools out there that can help you maintain an “always-on” security approach, but that approach also has its vulnerabilities, namely that it assumes a focus on prevention, rather than detection and reaction.

One of the ways you can circumvent this is to start assuming that a breach has either already occurred, or that one will occur soon. By adopting an “assume breach” approach to your security, you can choose solutions that will help you reduce the time it takes to detect and recover from a breach. Azure Sentinel (currently in public preview), Azure Advanced Threat Protection, Office 365 Advanced Threat Protection, Windows Defender Advanced Threat Protection, and other such tools are great ways to help you detect and respond to breaches faster.

Step 4: Securely Move Your Organization to the Cloud

Moving to the Cloud is a decision that is not to be taken lightly. Every organization planning to move either some, or all, of their workloads to the Cloud needs to set their own timeline that works for them. It’s a big decision, with compliance requirements, local regulations, and other migration challenges all playing a major part in how and when you adopt the Cloud in your organization.

If you’re not sure whether or not the Cloud is the right move for you, a hybrid Cloud approach – where some of your systems and processes remain on-premises, but others move to the Cloud – is perfectly acceptable, and offers a measured approach to your Cloud migration. By adopting a hybrid Cloud strategy, you can take a more leisurely route to becoming fully Cloud, moving things over at your own pace. It is quite possible to have a fully integrated hybrid IT environment, where the Cloud becomes an extension of your existing systems.

As you navigate the challenges of determining what systems and processes to move to the Cloud, determining what Cloud Solutions Provider (CSP) to look for, and more, remember that Cloud security is a shared responsibility. Your CSP needs to have state-of-the-art security and encryption in place, but it is your responsibility to make sure that the services you purchase are, in fact, secure. You should look for transparency when you’re planning a Cloud migration – the vendors you want to work with should be open and transparent, publishing detailed information on the security, privacy, and compliance of their services. They should also be willing to help you understand the various roles and responsibilities you’ll both play in the relationship, and where their responsibilities end and yours begin.

Step 5: Mitigate the Risks of Shadow IT

This one’s a little trickier, and, in fact, you may not even be familiar with the term “Shadow IT”. We want to go on record by saying that Shadow IT isn’t, in and of itself, nefarious, as its name might suggest. Rather, the harm that can come from Shadow IT is simply the fact that you don’t know it’s in your IT environment.

Shadow IT refers to systems or applications that are on your company’s IT network without your express authorization for them to be there. So, while not inherently evil, they are a risk to your business by the simple fact that nobody in your organization is aware of what corporate information or data is being passed through that system or application – nobody has eyes on it, so nobody is monitoring it for potential breaches, and governance is all but nil.

Most of the time, Shadow IT is downloaded by your employees who are just trying to make their lives easier and work better. A likely scenario we often hear about is that someone implemented Dropbox or Google Docs so they could better collaborate with their colleagues. But, while there is no deliberate malicious intent behind their actions, Shadow IT like this exposes your organization to huge risks in IT and application management, security, and even compliance.

Blocking Shadow IT isn’t the answer – users will almost always find a way around that restriction, and sometimes, those workarounds put you at even more risk. Instead, why not look for solutions that allow you to monitor and assess for risk? For instance, if you notice that your employees are using Shadow IT to try and collaborate, think about implementing a set of productivity and collaboration tools (like Microsoft 365 Business), which would give them the ability to collaborate better, but also give you visibility into where your data’s being stored, how it’s being accessed, and who’s accessing it.
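The “monitor and assess” approach is easy to picture with a concrete, if simplified, example. The script below is an added illustration for this section (not code from ProServeIT or from any Microsoft product): it reads web proxy log lines, ignores traffic to a sanctioned collaboration suite, and reports which well-known cloud apps staff are using outside it, who is using them, and how much data is going up. The log format, the sanctioned-domain list, the small app catalogue and the sample lines are all constructed for the example; cloud app discovery products do the same matching against catalogues of thousands of apps.

```python
"""Spot unsanctioned cloud apps ("Shadow IT") in web proxy logs.

Added example for the Shadow IT section; the log layout, domain lists and
sample records below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed: domains of the organization's sanctioned collaboration suite.
SANCTIONED_DOMAINS = {"office.com", "sharepoint.com", "onedrive.com", "microsoftonline.com"}

# Assumed catalogue of well-known SaaS domains (illustrative subset): domain -> (app, category).
CLOUD_APP_CATALOGUE = {
    "dropbox.com": ("Dropbox", "file sharing"),
    "docs.google.com": ("Google Docs", "collaboration"),
    "drive.google.com": ("Google Drive", "file sharing"),
    "wetransfer.com": ("WeTransfer", "file sharing"),
}

# Constructed sample proxy log: timestamp, client IP, user, method, URL, status, bytes sent by client.
SAMPLE_LOG = """\
2019-10-29T09:12:03Z 10.0.4.21 jdoe POST https://www.dropbox.com/upload 200 4200000
2019-10-29T09:14:11Z 10.0.4.21 jdoe GET https://outlook.office.com/mail 200 512
2019-10-29T09:20:45Z 10.0.4.37 asmith PUT https://docs.google.com/document/d/abc/save 200 88000
2019-10-29T09:22:09Z 10.0.4.37 asmith GET https://contoso.sharepoint.com/sites/hr 200 1024
2019-10-29T10:01:30Z 10.0.4.52 mlee POST https://wetransfer.com/api/v4/transfers 201 1300000
2019-10-29T10:05:00Z 10.0.4.52 mlee POST https://www.dropbox.com/upload 200 950000
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one log record into fields; malformed lines are skipped rather than crashing the run."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client_ip, user, method, url, status, sent = parts
    if not sent.isdigit():
        return None
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "client_ip": client_ip, "user": user, "method": method,
            "host": host, "status": status, "bytes": int(sent)}


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(host: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Return ('sanctioned', None), ('shadow', (app, category)) or ('unknown', None)."""
    if any(_under(host, d) for d in SANCTIONED_DOMAINS):
        return "sanctioned", None
    for domain, app in CLOUD_APP_CATALOGUE.items():
        if _under(host, domain):
            return "shadow", app
    return "unknown", None


def find_shadow_it(log_text: str) -> Dict[str, dict]:
    """Aggregate unsanctioned cloud-app use per app: users seen, request count, bytes uploaded."""
    findings: Dict[str, dict] = defaultdict(
        lambda: {"category": "", "users": set(), "requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, app = classify(rec["host"])
        if kind != "shadow":
            continue
        name, category = app
        entry = findings[name]
        entry["category"] = category
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_sent"] += rec["bytes"]
    return dict(findings)


if __name__ == "__main__":
    for app, info in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{app:<12} {info['category']:<14} users={sorted(info['users'])} "
              f"requests={info['requests']} bytes_sent={info['bytes_sent']:,}")
```

The report is the starting point the section argues for: rather than blocking Dropbox outright, you now know that three people are pushing files to unsanctioned sharing services, which tells you both where the collaboration gap is and which data flows need governance first.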

Step 6: Balancing Information Protection with Productivity

Data: you’ve got it, threat actors want it. To drive productivity and innovation, though, your staff, volunteers, directors, and board members need to be able to access data, and that means your data is often leaving your control.

Further, as your organization and its mission grow, you may find yourself venturing into new locations and territories across international borders. Now you’re dealing with a whole new set of data security regulations (like GDPR), which have a significant impact on how you are able to store and manage data. However, as mentioned above, if you make security requirements too inconvenient for your staff and volunteers, they will find workarounds that circumvent your security protocols and put your organization at risk.

Information protection solutions, like Azure Information Protection, Office 365 Information Protection, Data Loss Prevention (DLP), Microsoft Cloud App Security, and others, are the answer to this issue. Automating data classification, encryption, authentication, and user rights is a good way to keep your data safe while still supporting your staff to be productive in their information sharing and collaboration. Microsoft 365 Business, for example, can help you to identify, classify, protect, and monitor your critical data, no matter where it lives or how far it travels.


Microsoft 365 Business for Nonprofits – Helping Build a Holistic IT Security Strategy

One of the tools that can help, as part of a holistic security strategy, is Microsoft 365 Business for nonprofits and registered charities. Providing your nonprofit with the right technology, Microsoft 365 Business incorporates the productivity and collaboration tools of Office 365 with enterprise-grade device management and top-of-the-line security capabilities.

Learn more about the benefits of Microsoft 365 Business and its security capabilities with our on-demand webinar.



The cyberthreat landscape that exists today is multifaceted, and unfortunately, nonprofits like yours are being targeted more and more. You need a holistic IT security strategy that’s going to protect your organization from multiple angles – from detecting breaches to limiting damage.

Is security an issue for your nonprofit? Are you unsure of what security measures you need to take in order to keep your nonprofit safe from threat actors? You’ve come to the right place! At Empower 2020, our Virtual Summit for nonprofits and registered charities, we’ll be addressing cybersecurity as one of our key topics for the day. Learn about things like:

  • The top cybersecurity threats/trends that you should be aware of.
  • The top five things you should do to improve your security posture.
  • Cost-efficient and effective tools that will help increase security for your nonprofit.
  • And more!

Want to learn more about this full-day virtual conference and how you can register for it now? Click here!
