Here are five fundamental security measures that you can address to provide your not-for-profit with a minimum standard of adequate protection.
1. Implement multi-factor authentication on Microsoft 365/Google Workspace and sensitive internet facing systems
One of the first and most valuable changes your organisation can make is to enforce multi-factor authentication (MFA) for all accounts. With MFA in place, a password that has been phished, guessed or leaked is no longer enough on its own to sign in, which is why it should be enabled as soon as possible, starting with administrator accounts and anything reachable from the internet.
“One simple action you can take to prevent 99.9 percent of attacks on your accounts.”
Melanie Maynes - Senior Product Marketing Manager, Microsoft Security.
Also, eliminate or minimise shared user accounts; where one must remain, manage it deliberately (e.g., store its credential in a password vault and record who can use it). Review who has access to each system on a scheduled basis and remove accounts and privileges that are no longer needed.
To view how Microsoft 365 or Google Workspace addresses MFA read our guides:
- What every not-for-profit should expect from Microsoft 365
- What every not-for-profit should expect from Google Workspace.
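The scheduled access review above is easiest to do from an export of the account list. The following is an added example (not code from the original guide, and not a Microsoft 365 or Google Workspace API) that reads a constructed CSV export in an assumed column layout and flags the conditions this section cares about: privileged accounts without MFA, any account without MFA, shared accounts, and accounts with no sign-in for 90 days. Adapt the column names to whatever your admin console actually exports.

```python
"""Scheduled access review over an exported account list (added example).

The CSV layout (account, kind, role, mfa_enrolled, last_sign_in) is an
assumption for this example; map your real export's columns onto it.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export, not data from a real tenant.
SAMPLE_EXPORT = """\
account,kind,role,mfa_enrolled,last_sign_in
alice@example.org,user,admin,yes,2024-05-30
bob@example.org,user,member,no,2024-05-28
reception@example.org,shared,member,no,2024-05-29
finance-old@example.org,user,member,yes,2023-11-02
backup-svc@example.org,service,admin,no,2024-05-31
"""

STALE_AFTER = timedelta(days=90)

# Lower number = more urgent; drives the report ordering.
SEVERITY = {"admin-without-mfa": 0, "stale": 1, "no-mfa": 2, "shared-account": 3}


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = datetime.strptime(row["last_sign_in"].strip(), "%Y-%m-%d")
        rows.append({
            "account": row["account"].strip().lower(),
            "kind": row["kind"].strip().lower(),
            "role": row["role"].strip().lower(),
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "yes",
            "last_sign_in": last.replace(tzinfo=timezone.utc),
        })
    return rows


def review_access(rows, today):
    """Return (account, finding) tuples, most urgent first.

    admin-without-mfa : privileged account not enrolled in MFA
    no-mfa            : any other account not enrolled in MFA
    shared-account    : shared login that should be vaulted or removed
    stale             : no sign-in for STALE_AFTER; disable or delete
    """
    findings = []
    for r in rows:
        if not r["mfa_enrolled"]:
            kind = "admin-without-mfa" if r["role"] == "admin" else "no-mfa"
            findings.append((r["account"], kind))
        if r["kind"] == "shared":
            findings.append((r["account"], "shared-account"))
        if today - r["last_sign_in"] > STALE_AFTER:
            findings.append((r["account"], "stale"))
    findings.sort(key=lambda f: (SEVERITY[f[1]], f[0]))
    return findings


def summary(findings):
    """Count findings by type for the review minutes."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def run_review(export_text, today_iso):
    """Convenience wrapper: parse, review and summarise in one call."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = review_access(parse_export(export_text), today)
    return findings, summary(findings)


if __name__ == "__main__":
    findings, counts = run_review(SAMPLE_EXPORT, "2024-06-01")
    for account, finding in findings:
        print(f"{finding:18} {account}")
    print(counts)
```

Run it against the real export on the same schedule as the review itself; the point of the ordering is that an administrator without MFA gets fixed before anyone argues about a dormant mailbox.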
2. User Education
Employees who don’t know what they should be doing are more likely to make innocent mistakes – you don’t know what you don’t know! Ensure that the end-user security policy is socialised with and understood by staff, covered at induction, and included in an annual training refresh.
Without staff training, email is a point of vulnerability. Phishing continues to be the most common and most effective way of compromising accounts and information. If something looks wrong, staff should feel encouraged to call it out rather than ignore it, and reporting a suspected phish should never be treated as a mistake, even when it turns out to be harmless.
We recommend starting with this 30-minute, beginner-level self-paced module on cyber security essentials. You can complete it at your convenience: Cyber security essentials. We also offer a series of free webinars that your staff can attend. At the conclusion of the webinar, the presentation and a link to the recording are emailed. You can see our upcoming webinars on this topic here: Cyber Security webinars.
3. Information classification and security
Identify your important information stores and confirm your backup regime is appropriate and works correctly. A backup that has never been restored is an assumption, not a control, so this should include a simple data recovery test (restore a sample of files to a separate location and check them) at least annually, and more often for critical systems. For example, consider systems like finance, email, files, HR, client data, etc. To get started, read the guide Information security policy for not-for-profits.
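The recovery test described above can be made routine rather than heroic. The following is an added example (not code from the original guide) that backs up a small constructed data set with tar, restores it into a fresh directory and checks every file's SHA-256 digest against a manifest taken from the live data. It also shows the two ways a restore test fails: a file that changed after the backup was taken, and a file the backup job never captured. Paths, file contents and the archive format are assumptions for the example.

```python
"""Backup restore test (added example, not from the original guide)."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, backup_path):
    """Archive every file under source_dir; return the manifest taken at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def restore_test(backup_path, manifest):
    """Restore into a fresh directory and verify it against the manifest.

    Returns ok (bool), missing (in manifest, not restored), corrupt (digest
    differs) and unexpected (restored, not in manifest).
    """
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(backup_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuse path traversal
            except TypeError:  # Python without extraction filters
                tar.extractall(restore_dir)
        restored = build_manifest(restore_dir)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or corrupt or unexpected),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def demo():
    """Constructed sample data: a few finance, HR and shared files."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "live")
        files = {
            "finance/ledger.csv": b"date,amount\n2024-05-01,120.00\n",
            "hr/staff.txt": b"alice\nbob\n",
            "shared/policy.md": b"# End-user security policy\n",
        }
        for rel, body in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        backup = Path(work, "nightly.tar.gz")
        manifest = make_backup(src, backup)
        good = restore_test(backup, manifest)  # fresh backup: passes

        # Live data moves on: one file edited, one file added. Testing the
        # old backup against the current manifest shows what you would lose.
        (src / "finance/ledger.csv").write_bytes(
            b"date,amount\n2024-05-01,120.00\n2024-05-02,80.00\n")
        (src / "hr/leavers.txt").write_bytes(b"carol\n")
        stale = restore_test(backup, build_manifest(src))
        return good, stale


if __name__ == "__main__":
    good, stale = demo()
    print("fresh backup:", good)
    print("stale backup:", stale)
```

In practice the manifest is written alongside each backup and the restore runs on a different machine from the one being backed up; a test that only restores onto the same disk proves less than it appears to.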
4. Device and network management
Ensuring your devices are secure is extremely important. By devices, we mean laptops, phones, tablets, servers, and network infrastructure (such as switches, routers, etc.).
Vendors regularly identify vulnerabilities and release security patches to fix them. A patch only protects you once it is installed, and attackers routinely target known, already-patched flaws, so the gap between release and installation is the risk you control.
- Windows PCs should have antivirus protection (Windows 10/11 include Microsoft Defender Antivirus, formerly Windows Defender; it is enabled by default when no other antivirus product is active, so check that it has not been switched off or left with out-of-date definitions).
- Ensure you only use vendor-supported operating systems and applications.
- Device operating systems and applications are reliably patched through manual or auto-update processes. Windows and macOS prompt for OS updates as they become available, and many applications notify users of available updates. Users should allow updates to proceed in a timely fashion rather than postponing them indefinitely.
- Change default administrator passwords on infrastructure (routers, switches, firewalls, printers, servers) to a strong, unique password, and keep it in your password vault rather than on a shared document.
5. Policies, risk management and compliance
Policies, risk management and compliance ensure we prioritise and address the most critical threats promptly, then shift focus to continual improvement over time. Our guides Why cyber security is so important and Cyber security: What it is and why it matters provide useful information and guidance on this topic.
As a foundation, you should ensure:
- End-user security, information security, and privacy policies exist within your not-for-profit (our Privacy guidelines for not-for-profits, Information security policy for not-for-profits, and DIY end user security policy guides can help get you started in this space).
- Third parties with access to the organisation’s information are also keeping information safe.
- Cyber security risks and protections are discussed at the executive level at least twice annually.
- There is a designated role or roles within the organisation with information security and privacy responsibilities, authority, and accountability.