Microsoft Ignite is going on this week. That means they are making a flood of product announcements. I will cover some of those in upcoming posts. (Hello, Teams additions!) Today I want to review Microsoft’s recent announcement about a security program for nonprofits.
But First, Here is an Update on Microsoft 365 Nonprofit Subscriptions
Before I cover the security program announcement, I want to follow up on last week’s post. I wrote a lengthy article last week covering all the details about the changes to nonprofit subscriptions Microsoft is enacting. I have an update on one question I had about nonprofit subscriptions. Microsoft’s Tech for Social Impact group confirmed for me that the nonprofit Office 365 E3 and E5 subscriptions will continue to be available in 2022. If you think you will need more of these licenses in 2022, it looks like you will be able to get them.
And let me talk about one more thing, since I do not think I covered this in my last post. The Enterprise Mobility + Security (EMS) E3 nonprofit subscription has been eliminated going forward. If you have EMS E3 licenses you can continue to use them. You just cannot buy new licenses.
What is in the Security Program Announcement?
Microsoft announced these capabilities as part of their security program for nonprofits.
- Availability of AccountGuard, to inform nonprofits if they have been hacked by nation-state actors.
- Free security assessments for nonprofits
- Free training paths for nonprofit IT administrators and end users
- Commercial availability of Microsoft’s Nonprofit Cloud (OK, this was an Ignite announcement)
I am going to dig into the first two of these security program announcements.
AccountGuard for Nonprofits
The first security program announcement concerns AccountGuard. This is a service where Microsoft notifies an organization if their accounts, or Outlook.com and Hotmail accounts of their employees, are compromised or attacked by nation-state actors. Microsoft first made this service available last year to organizations involved with government elections.
What is new here is that Microsoft is making this service available to any qualified nonprofit. The service is offered “at no additional cost.” I interpret this as meaning “no cost beyond the security SKU you must subscribe to.” I can see AccountGuard being valuable for civil society organizations, democracy organizations and organizations working to shift energy consumption and production away from fossil fuels.
If you are interested in the AccountGuard program, go here to begin the qualification process.
Before I discuss the next security program announcement, let me explain why I think it could be transformational.
Addressing the “Last Mile” in Effecting Change
I have been talking for a while with grantmaking organizations and nonprofit technology providers (such as Tech Impact) about how to extend cybersecurity services (and IT more generally) to the nonprofits at the forefront of delivering social services and trying to make the world a better place.
We know the issue here. You are a nonprofit trying to get homeless people housed. You work hard getting philanthropies to give you grants so you can deliver your services. Because you are passionate about your mission, you spend every dime you have on delivering services. Now, you might be technically proficient. Or you might not. In either case, the last thing you want to spend money on is new laptops or a Security Incident Event Monitoring service.
Money for IT services is considered an operating expense, as “overhead.” Grants do not pay for that (at least, not much). So, you have grantmaking organizations over here, willing to give more money to nonprofits, but without a clear vehicle to do so. You have nonprofits over there who would love to improve their cybersecurity but cannot afford to do that. Nothing in Microsoft’s announcement is going to suddenly fix this dilemma.
Free Security Assessments for (Your) Nonprofits
Perhaps, though, this is where we can start. I am excited about this security program announcement.
OK, but what is it?
Microsoft is offering free security assessments to nonprofits. The security assessments are provided by a contractor to Microsoft. They take up to five days to complete.
What will these security assessments do? Microsoft is a little vague on this, but talks about looking at endpoints, infrastructure, network, data, etc. They promise to give nonprofits a report covering deficiencies and a remediation plan.
Sure, this security program offer smells like a sales pitch. That is because it is. But that does not mean there is no value here for a nonprofit. They will learn where they have security deficiencies. They just must expect that the solutions are all going to be from Microsoft.
Do You Want to Partner with CGNET to Help Your Nonprofits?
“OK,” you say. “This free security assessment might be kind of a sales pitch, but there is some value there. How can I get our nonprofits involved?”
Let me start by giving you the technical answer. Nonprofits can sign up for a free security assessment by going here and filling out the form. Done and dusted, right?
Not so fast, bucko. Here at CGNET, we have been involved in situations where a foundation asks us to help a nonprofit they are funding. We work hard to put a proposal together that will solve the nonprofit’s problem at the lowest possible cost. The result? The nonprofit balks at the cost. I recall trying to help a local housing group solve their volunteer pickup scheduling. We found a solution that would cost $2,000 instead of $10,000. That was still too much for the housing group.
CGNET’s Security Program Call to Action
Here is my security program call to action. If you are working with a nonprofit and think they can benefit from one of these free security assessments, hit me up. I can work with them to sign up for the assessment. Or I can sign them up myself. Either way, the next step is to prepare to hire CGNET to help the nonprofit fix the problems that the security assessment finds. (And if you want to fund some other partner to help the nonprofit, that is fine too.) If we cannot close the assess-and-remediate loop this way, I fear the nonprofit will just shrug their shoulders and move on without remediation.
However, if we can get a nonprofit assessed and remediated, we can know that we have strengthened them and their ability to deliver the good we were hoping for in the first place.
That is my pitch. Now I would like to know: are you in?