Cartoon showing a hacker using phishing to steal login information and control office workers' emails and files.

School’s Out. Your Risk Just Quietly Went Up

July 07, 2026

School's Out. Your Risk Just Quietly Went Up

Right now, work doesn't feel dangerous.

It just feels busy.

Emails get answered between conversations. Payments get approved between meetings. Files get opened in between everything else competing for attention.

Nothing feels reckless.
But this is when most security incidents actually start.

Not during a major failure.

During a normal moment that moves too fast.

For most nonprofits, the issue isn't whether someone will click the wrong thing.

It's how far that one action can go once it happens.

The Access Snowball Effect

This is the simplest way to understand your real risk:

Click → Login → Inbox control → Internal trust → System access

One action turns into access.
Access turns into control.
Control spreads through systems that were never designed to contain it.

That's where the real exposure lives.

How This Actually Unfolds in a Microsoft 365 Environment

Here's the pattern we repeatedly see across nonprofit organizations:

A staff member receives what looks like a normal email. A vendor update. A shared document. A request that matches something already in progress.

They click. They log in.

From there:

Phishing email captures valid credentials
The attacker signs into Microsoft 365 with no resistance

Inbox rules are created silently
Security alerts and replies are hidden automatically

Internal emails start getting sent
Colleagues trust the message because it comes from inside

Access expands into SharePoint and OneDrive
Donor data, financial records, and internal documents are now exposed

Nothing breaks. Nothing crashes.

It just moves quietly through systems that are already connected.

Where This Usually Breaks

Last quarter, a finance user approved what looked like a routine vendor change request.

Within 15 minutes:

The attacker had access to the mailbox
They could see active vendor conversations
They sent follow-up emails that looked legitimate

No obvious warning triggered fast enough to stop it.

The problem wasn't the approval.

It was the level of access behind it.

What We See Across Nonprofit Environments

In most environments we review, the issue isn't missing tools.

It's uncontrolled access.

Accounts can reach too many systems
Permissions accumulate over time
Security settings exist, but aren't fully enforced

The result is the same:

One compromised account becomes a multi-system entry point

This is why organizations that feel "mostly secure" still experience meaningful incidents.

If You Fix Only 3 Things This Month

Do not try to fix everything at once.

Prioritize what actually reduces impact:

MFA on email and financial systems
Without this, credential theft becomes immediate access

Admin privilege review
Most tenants have excess admin roles that expand blast radius

Email protection with impersonation detection
This reduces the number of risky decisions your team has to make

These three actions alone change whether an incident spreads or stays contained.

What This Looks Like as an Implementation Checklist

This is your minimum standard—not your long-term roadmap:

Enforce a password manager (1Password, Bitwarden, etc.)
Disable all shared credentials

Require MFA on: Email (Microsoft 365)
Financial systems
Admin accounts

Use Conditional Access to restrict risky sign-ins
Require MFA for unfamiliar locations or devices

Audit the last 30 days of sign-in activity
Look for unusual locations or repeated failures

Configure Microsoft Defender for Office 365: Impersonation protection (executives, finance, vendors)
Link and attachment scanning
External sender tagging

Limit access to systems: Separate finance, donor data, and admin permissions
Reduce "everyone has access" setups

Create a simple internal verification path: If something feels off, staff can quickly confirm before acting

This is what "guardrails" actually means in a real environment.

What To Do This Week (Day-by-Day)

If you need execution clarity, follow this sequence:

Day 1: Enforce MFA on email and financial platforms
Day 2: Review and reduce admin privileges
Day 3: Configure impersonation protection in email security
Day 4: Audit risky sign-ins and flag anomalies
Day 5: Remove shared credentials and enforce a password manager
Day 6: Review user access across SharePoint, OneDrive, and finance tools
Day 7: Walk through one real account and map its full access

By the end of the week, you will know exactly where your risk exists.

The 10-Minute Exposure Test

Run this internally with leadership and IT together.

Pick one real account and answer:

What systems does this account access?
Does it have saved credentials?
Can it approve payments or vendor changes?
Can it reset passwords or access admin tools?
Is MFA enforced everywhere?

This exercise exposes your actual risk—not your documented policies.

If This Already Happened, Here's What To Check Immediately

If you suspect or confirm a compromise, speed matters.

Start here:

Revoke active sessions for the account
Remove all suspicious or unknown inbox rules
Audit recent sign-ins and device access
Reset credentials and enforce MFA immediately
Review sent emails for internal or vendor communication
Notify finance and any affected vendors if transactions are involved

This is where response discipline determines whether an incident stays small or expands.

Who Owns This

This cannot sit with one person.

Leadership
Owns running the exposure test and prioritizing action

IT / Admin
Owns MFA enforcement, access control, and security configuration

Staff
Owns the "verify before acting" behavior in real-time work

When ownership is unclear, gaps stay hidden.

The Lens You Are Being Judged Through

If something happens, the question won't be:

"Why did someone click?"

It will be:

"Why could one account access that much?"

Boards, donors, and auditors assume mistakes will happen.

They expect your systems to account for that.

That's the standard.

Before "Busy" Turns Into Impact

Nothing feels urgent today.

That's when most organizations wait.

But risk builds quietly inside normal operations until one moment connects everything.

You don't need perfect behavior to stay secure.

You need systems that assume people are busy—and limit what happens next.

Schedule your 10 minute discovery call. We'll walk through one user account in your environment and map exactly what it can access today. 911 IT will help you confirm whether your risk is contained or already spreading.