four smiling people in an office setting, three standing, one sitting

Office 365 Security Features to Help Secure Your Nonprofit

When you set up your nonprofit's cybersecurity plan, it's important to consider the various ways your organization is vulnerable to cyberattacks and other security threats. TechSoup and Tech Impact presented a webinar recently to outline sources of threats and ways to mitigate them. This is a summary of that presentation.


Threats to your organization's systems and data come from two key sources.The first is from external hackers: individuals or organizations that send phishing attempts to try to infiltrate your nonprofit's network. These hackers may be looking to ransom your systems for cash or to access information on donors, staff, or program recipients. The other main threat to your organization is actually from your internal staff. Whether inadvertently or maliciously, users at your organization may allow some of your sensitive data to be exposed.

It's crucial to use a combination of technological solutions, staff training, and robust data access policies to make sure that your organization is secure against both external and internal cybersecurity threats.

This post guides you through key security areas and considerations for organizations that use Microsoft Office 365. It will also take a look at which licenses might be best for your nonprofit.

drawing of five people in an office setting, three seated, two standing, in background a computer screen with security symbols on it

Key Cybersecurity Concepts to Consider

There are six key areas where your network security could be at risk:

  1. Device security
  2. Account security
  3. Data loss controls
  4. Item-level encryption
  5. Network controls
  6. Malware controls

You can manage the first four areas directly within Office 365. The last two, network controls and malware controls, should be handled by your IT professionals. They should make sure that you have a firewall at your office, that operating systems on your devices are up to date, and that you have antivirus installed on all your devices.

Device Security

Objective: Ensure that only secure devices can access cloud-hosted data and systems at your nonprofit.

With Office 365, you are able to configure settings to ensure that only designated, secured devices can access shared data. Typically, organizations will restrict Office 365 access to organization-owned devices (laptops, tablets, etc.). However, in this BYOD era, administrators are also giving staff access to cloud systems from their personal devices, like mobile phones. An Office 365 administrator can configure access and permissions settings for those devices to ensure both a high level of security and adherence to compliance standards.

Account Security

Objective: Reduce the likelihood that staff accounts can be hacked.

Office 365 includes multifactor authentication to secure your organization's accounts. Simply put, multifactor authentication requires that when users log in to their accounts, they must confirm their credentials through an additional step. This step could be an email or text code that they must also enter when they log in to their Office 365 account. Office 365 will also monitor for unauthorized access attempts or for access from unknown devices, both of which can be viewed by the Office 365 administrator.

Data Loss Controls

Objective: Prevent staff from inadvertently or intentionally transferring sensitive data to the wrong recipients.

Office 365's data loss controls consist of settings to monitor sensitive information when it is sent externally. For instance, you can set Office 365 to send an alert to users if they attempt to include sensitive information in an email — like a social security number. These controls are customizable. Administrators can decide which information should be blocked from external sharing.

Item-Level Encryption

Objective: Prevent users from sharing content unless permitted by the organization.

You can use Office 365's sensitivity controls to encrypt individual items — files, folders, and so on. Users can protect sensitive data regardless of its location, even on USB flash drives. The controls also make sure that the information contained in an email message or document is not permitted to be transferred outside of the organization.

Which Office 365 License Do I Need?

For each of these key security areas, the levels of concern depend on what type of organization you have and who you serve. If your organization works with HIPAA, banking, or other kinds of information that are subject to compliance regulations, this will affect your security concerns. Political organizations with established opposition may also be at greater risk than other nonprofits. Here, we'll go over what types of licensing we recommend depending on your organization.

And remember, you can mix and match your Office 365 licenses depending on the security needs of your different staff members. Some staff members, such as program or HR directors, may have greater need for data access and security settings than others.

All Nonprofits

We recommend the following three actions for ALL nonprofits looking to put in place general security protections.

  1. Upgrade to Windows 10 as your operating system across all Windows devices. In today's world, Windows 10 Pro will give you the most security functionality, and it has the most up-to-date security patches. If your computer has a TPM chip in it, it'll allow you to use disk-level encryption, which is great for laptops.
  2. Install Microsoft's Enterprise Mobility + Security E3 license for at least the users in your organization who deal with sensitive information like financials or human resources data. You can request up to 50 licenses for free through TechSoup.
  3. Get Office 365 Business licenses for your staff (or Office 365 E3). Most organizations are unlikely to be concerned with users sharing sensitive content in files or emails. The Office 365 Business licenses will satisfy most nonprofits for data-loss controls and item-level encryption. For volunteers, get F1 licenses.

Organizations with Regulatory Requirements

For organizations with an added layer of regulatory requirements, the level of licensing needed will be slightly greater. This includes organizations that are regulated by HIPAA, FIRMA, Banking, GDPR, and so on. We recommend Office 365 E3 licenses, which will allow you to set up appropriate data-loss and item-level-encryption controls. As with organizations without regulatory requirements, you should also install the Enterprise Mobility + Security E3 license.

Organizations with Established Political Enemies

Some organizations have missions that could lead to their receiving political threats. Examples are political advocacy nonprofits, independent nonprofit news organizations, and LGBTQ rights organizations. If this applies to you, we recommend that you obtain an increased layer of security across your licenses. You'll definitely want to step up to Enterprise Mobility + Security E5, which will enable advanced threat intelligence.

If attacks are attempted, EMS E5 will help you to understand who is behind them. It will also allow you to set up cloud app security. At a minimum, you should install Office 365 E3, although Office 365 E5 will give you advanced controls for data loss prevention.

Compromising on security protections can be devastating for your organization. When in doubt, it doesn't hurt to "level up" your licensing or install a higher level of licensing than is outlined. You can also create a custom mix of Office 365, Windows, and Enterprise Mobility + Security licenses to build a security solution that works best for your nonprofit.


Additional Resources: Microsoft Office 365