I recently conducted a current state review of another Not for Profit’s IT infrastructure. What I found was similar to other organisations that outsource their IT support to external parties – unnecessary cybersecurity risks.
Almost all Not for Profits (NFPs) outsource their IT help desk function to external Managed Service Providers (MSPs), and yet too often they buy too little support.
Their contracts usually include basic services for things like the provisioning of laptops for new employees and break-fix issues when something quits working. Unfortunately, if that’s all you ask them to do, it’s not enough if you want to mitigate cybersecurity risks.
So, to help you understand what you should invest in, here’s a list of other licenses and services your NFP should be paying for to reduce these risks:
5 Additional Services/Licenses that your MSP should be providing your NFP:
- Microsoft Business Premium Licenses or higher – if you are only paying for Business Standard Licenses or below without the extra security packages, the devices cannot be properly managed for cybersecurity risks. While the difference in price can be expensive, it’s critical to have the extra functionality to keep your organisation safe.
- Essential 8 Audit and Level 1 Implementation – If you’re not sure how cybersecure your organisation is, a great place to start is an Essential 8 Audit, a standard that the Australian Defence Signal Directorate established with Microsoft. Afterwards, I recommend that organisations implement the requirements just to get to Level 1. These measures will not cover all possible cybersecurity threats, but it is a good start if your org uses Microsoft products, as you can also control the use of non-Microsoft applications with it.
- Security patching and updates to your devices – When’s the last time your WiFi router’s software was updated? What about your printers? We often think about desktops and laptops, but we forget that these other devices can be an easy way for a hacker to sneak into your network if the software is not up to date.
- Replacement of unsupported devices – Your MSP might have replaced all your expired Windows 10 devices by now, but what about your other devices that plug into the network or internet? Once again, they are an easy entry point into your organisation if not up to date.
- Threat Detection – So… if someone were to accidentally click on a phishing email or a hacker gets into your network somehow, how would you know? Well, there’s a higher likelihood that you would notice if someone were actively managing and monitoring the alerts as they come in. And MSPs are way more cost-effective at doing this than an internal IT staff member because they can perform this function for multiple clients at the same time.
- Data Backup – Do you know how long Microsoft or your CRM provider backs up your data, if at all? Most orgs cannot answer this question, but backup is one of your most important risk mitigations in case of a cybersecurity incident. So, don’t avoid this critical investment. MSPs are well equipped to help you set up, manage and test your backups.
Many MSPs will offer more services than those above, and sometimes it may feel like just another sales pitch if offered when, in reality, they are trying to help you mitigate your risks.
So, if you don’t understand the advice or the importance of a decision, ask more questions or ask someone else. Otherwise, you’re exposing your organisation to unnecessary cybersecurity risks.
I regularly help Not for Profits with IT investment decisions, including those around cybersecurity. Let me know if you need some help with this.
P.S. If you found this article helpful, you might want to read these too:
P.S. If you found this article helpful, you might want to read these too:
- 5 Risks of AI Adoption in Not for Profits
- Is it finally time for your NFP to invest in Microsoft Copilot?
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments and risk mitigation.