School's Out. Your Risk Just Quietly Went Up
Right now, work doesn't feel dangerous.
It just feels busy.
Emails get answered between conversations. Payments get approved between
meetings. Files get opened in between everything else competing for attention.
Nothing feels reckless.
But this is when most security incidents actually start.
Not during a major failure.
During a normal moment that moves too fast.
For most nonprofits, the issue isn't whether someone will click the wrong
thing.
It's how far that one action can go once it happens.
The Access Snowball Effect
This is the simplest way to understand your real risk:
Click → Login → Inbox control → Internal trust → System access
One action turns into access.
Access turns into control.
Control spreads through systems that were never designed to contain it.
That's where the real exposure lives.
How This Actually Unfolds in a Microsoft 365 Environment
Here's the pattern we repeatedly see across nonprofit organizations:
A staff member receives what looks like a normal email. A vendor update.
A shared document. A request that matches something already in progress.
They click. They log in.
From there:
Phishing email captures valid credentials
The attacker signs into Microsoft 365 with no resistance
Inbox rules are created silently
Security alerts and replies are hidden automatically
Internal emails start getting sent
Colleagues trust the message because it comes from inside
Access expands into SharePoint and OneDrive
Donor data, financial records, and internal documents are now exposed
Nothing breaks. Nothing crashes.
It just moves quietly through systems that are already connected.
Where This Usually Breaks
Last quarter, a finance user approved what looked like a routine vendor
change request.
Within 15 minutes:
The attacker had access to the mailbox
They could see active vendor conversations
They sent follow-up emails that looked legitimate
No obvious warning triggered fast enough to stop it.
The problem wasn't the approval.
It was the level of access behind it.
What We See Across Nonprofit Environments
In most environments we review, the issue isn't missing tools.
It's uncontrolled access.
Accounts can reach too many systems
Permissions accumulate over time
Security settings exist, but aren't fully enforced
The result is the same:
One compromised account becomes a multi-system entry point
This is why organizations that feel "mostly secure" still experience
meaningful incidents.
If You Fix Only 3 Things This Month
Do not try to fix everything at once.
Prioritize what actually reduces impact:
MFA on email and financial systems
Without this, credential theft becomes immediate access
Admin privilege review
Most tenants have excess admin roles that expand blast radius
Email protection with impersonation detection
This reduces the number of risky decisions your team has to make
These three actions alone change whether an incident spreads or stays
contained.
What This Looks Like as an Implementation Checklist
This is your minimum standard—not your long-term roadmap:
Enforce a password manager (1Password, Bitwarden, etc.)
Disable all shared credentials
Require MFA on: Email (Microsoft 365)
Financial systems
Admin accounts
Use Conditional Access to restrict risky sign-ins
Require MFA for unfamiliar locations or devices
Audit the last 30 days of sign-in activity
Look for unusual locations or repeated failures
Configure Microsoft Defender for Office 365: Impersonation protection
(executives, finance, vendors)
Link and attachment scanning
External sender tagging
Limit access to systems: Separate finance, donor data, and admin
permissions
Reduce "everyone has access" setups
Create a simple internal verification path: If something feels off, staff
can quickly confirm before acting
This is what "guardrails" actually means in a real environment.
What To Do This Week (Day-by-Day)
If you need execution clarity, follow this sequence:
Day 1: Enforce MFA on email and financial platforms
Day 2: Review and reduce admin privileges
Day 3: Configure impersonation protection in email security
Day 4: Audit risky sign-ins and flag anomalies
Day 5: Remove shared credentials and enforce a password manager
Day 6: Review user access across SharePoint, OneDrive, and finance tools
Day 7: Walk through one real account and map its full access
By the end of the week, you will know exactly where your risk exists.
The 10-Minute Exposure Test
Run this internally with leadership and IT together.
Pick one real account and answer:
What systems does this account access?
Does it have saved credentials?
Can it approve payments or vendor changes?
Can it reset passwords or access admin tools?
Is MFA enforced everywhere?
This exercise exposes your actual risk—not your documented policies.
If This Already Happened, Here's What To Check Immediately
If you suspect or confirm a compromise, speed matters.
Start here:
Revoke active sessions for the account
Remove all suspicious or unknown inbox rules
Audit recent sign-ins and device access
Reset credentials and enforce MFA immediately
Review sent emails for internal or vendor communication
Notify finance and any affected vendors if transactions are involved
This is where response discipline determines whether an incident stays
small or expands.
Who Owns This
This cannot sit with one person.
Leadership
Owns running the exposure test and prioritizing action
IT / Admin
Owns MFA enforcement, access control, and security configuration
Staff
Owns the "verify before acting" behavior in real-time work
When ownership is unclear, gaps stay hidden.
The Lens You Are Being Judged Through
If something happens, the question won't be:
"Why did someone click?"
It will be:
"Why could one account access that much?"
Boards, donors, and auditors assume mistakes will happen.
They expect your systems to account for that.
That's the standard.
Before "Busy" Turns Into Impact
Nothing feels urgent today.
That's when most organizations wait.
But risk builds quietly inside normal operations until one moment
connects everything.
You don't need perfect behavior to stay secure.
You need systems that assume people are busy—and limit what happens next.
Schedule your 10 minute discovery call. We'll walk through one user
account in your environment and map exactly what it can access today. 911 IT
will help you confirm whether your risk is contained or already spreading.
