The organisation relied heavily on Microsoft 365, cloud-based CRMs, and a WordPress donation portal, but like many NFPs, faced tight budgets and a small internal IT team. Email security gaps, including a misconfigured SPF record and the absence of DKIM and DMARC policies, meant their domain could be spoofed freely, making phishing attacks against staff and donors far easier. Their Microsoft 365 environment also had excessive admin permissions and legacy authentication enabled, which bypasses modern controls such as MFA and weakens account security. Public-facing systems were equally exposed: a known plugin vulnerability in their WordPress donation portal allowed unauthenticated file uploads. To compound these risks, reused staff credentials were found circulating on the dark web, increasing the likelihood of unauthorised access.
The organisation implemented a series of targeted improvements to reduce risk without overextending resources. Email security was strengthened by properly configuring SPF, DKIM, and DMARC in line with ACSC guidance, so that mail failing authentication is rejected rather than silently delivered. Legacy authentication was disabled, and Conditional Access and MFA were rolled out across Microsoft 365. The vulnerable WordPress plugin was patched, and web traffic to the donation portal was placed behind a web application firewall (WAF). To support a long-term cultural shift, the organisation introduced staff security awareness training, reinforced by regular simulated phishing campaigns to keep teams alert.
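To make the SPF and DMARC part of this concrete, here is an added example (not code from the case study or the organisation) that checks a domain's SPF and DMARC TXT records for the kinds of misconfiguration described above: a permissive `+all`, a missing `all` mechanism, too many DNS-lookup mechanisms, and a missing or monitor-only DMARC policy. The record strings are constructed samples standing in for a weak "before" and a hardened "after"; the domain and report address are assumptions, and no live DNS is queried.

```python
"""Check SPF and DMARC TXT records for common misconfigurations.

Added example, not part of the case study. The records below are
constructed samples (not real DNS data), so this runs offline.
"""
from __future__ import annotations

import re
from typing import Optional

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10
# per evaluation, and exceeding the cap yields a permerror (SPF ignored).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF record (empty list means OK)."""
    findings: list[str] = []
    if not record.startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1 prefix)"]
    terms = record.split()[1:]

    # The 'all' mechanism decides the fate of every sender not listed earlier.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last_all = all_terms[-1]
        qualifier = last_all[0] if last_all[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{last_all}' allows any host to pass SPF")
        if last_all != terms[-1]:
            findings.append("'all' is not the last term; terms after it are never evaluated")

    # Count lookup-incurring terms: strip the qualifier, then take the name
    # before any ':' (argument), '=' (modifier) or '/' (CIDR length).
    lookups = sum(
        1 for t in terms
        if re.split(r"[:=/]", t.lstrip("+-~?"))[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: Optional[str]) -> list[str]:
    """Return findings for a _dmarc TXT record; None means no record published."""
    if record is None:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' aggregate-report address: failures are invisible")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


# Constructed sample records (assumptions, not the organisation's real DNS):
# the weak "before" state and the hardened "after" state.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
FIXED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = None  # no _dmarc.example.org TXT record published at all
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s"


def audit(spf: str, dmarc: Optional[str]) -> dict[str, list[str]]:
    """Run both checks and return findings keyed by record type."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("before", WEAK_SPF, WEAK_DMARC), ("after", FIXED_SPF, FIXED_DMARC)):
        print(f"== {label} ==")
        for kind, findings in audit(spf, dmarc).items():
            print(f"  {kind}: {findings or 'OK'}")
```

Against real domains, the same functions can be fed the TXT answers for `example.org` and `_dmarc.example.org` from any DNS client; the checks deliberately treat `p=none` and a missing `rua` as findings, since a monitor-only DMARC record without reporting gives neither protection nor visibility.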
With these improvements in place, the organisation is better equipped to defend against the types of threats increasingly targeting the not-for-profit sector. Cyber resilience is now embedded in their operations, protecting donor data and service continuity while staying aligned with best-practice frameworks. Importantly, these changes were achieved without disrupting services or putting pressure on internal teams, showing that security and sustainability can go hand in hand.
Reach out to chat about your goals, challenges, or just to get a fresh perspective on your IT. Our team is ready to listen.