How to Protect Your Not-for-Profit with the Essential 8 Controls in 2024

"Bremmar really brings together the strategy element, project element and managed service element all in one. They also have solid knowledge of the Aged Care sector which is pretty niche."

How to Protect Your Not-for-Profit with the Essential 8 Controls in 2024 

Cyber security threats become more prevalent as Not-for-Profits increasingly rely on technology to manage their operations. Fortunately, the Australian Signals Directorate (ASD) created a set of cyber security controls called Essential 8 to help Australian businesses and nonprofits mitigate the most common cyber threats and navigate the digital space more securely. 

Since November 2023, these controls have been updated to suit the current landscape better and improve response times to diminish risks. In this article, Zubair Khan, Bremmar’s Cyber Security Technical Consultant, will explain the Essential 8 controls, how they work, why they benefit Not-for-Profits and how the changes make the controls even more helpful. 

The Essential 8  

The controls consist of different maturity levels, each becoming more robust than the last. “By implementing these controls, human services organisations can significantly reduce their risk of becoming victims of cyber attacks”, explains Zubair. “Although the Essential 8 framework is not currently mandated for all organisations, it is highly recommended that nonprofits of all sizes implement at least Maturity Level 1 of the controls to start their cyber security journey”, he affirms. “The Essential 8 Maturity Level 2, on the other hand, is a mandatory requirement for all Australian non-corporate Commonwealth entities subject to the PGPA Act (as per PSPF Policy 10)”, completes Zubair.

According to the Microsoft Digital Defense Report 2023, basic security hygiene, such as Multi-Factor Authentication (MFA), protects organisations against 99% of attacks. However, applying and enforcing the cyber security policies correctly is crucial to guarantee stakeholder buy-in. “Having MFA on one application and not the other, for example, does not complete the control of implementing MFA”, explains Zubair.   

Still, according to Microsoft’s report, fewer than 15% of Non-governmental organisations have cyber security experts on their staff. That’s why partnerships with companies such as Bremmar, with more than 15 years of experience in the NFP sector, are critical to organisations trying to protect their data.  

  • Patch applications: applications should be updated with the latest security patches to fix any vulnerabilities attackers could exploit. 
  • Patch operating systems: Operating systems must be updated with the latest security patches to fix any vulnerabilities attackers could exploit.  
  • Multi-factor authentication: This control requires users to provide more than one piece of evidence to verify their identity when accessing systems or online services. 
  • Restrict administrative privileges: Organisations must limit the number of users with administrative rights on systems and ensure they only use them when necessary. 
  • Application control: This control prevents the execution of unapproved or malicious programs on systems.  
  • Restrict Microsoft Office macros: The use of macros in Microsoft Office documents should be restricted to prevent malicious code from running on systems. 
  • User application hardening: This control configures web browsers and PDF viewers to block or limit the functionality of features that attackers could use to compromise systems. 
  • Daily backups: This control ensures that data is backed up regularly and stored securely to enable recovery in case of a cyber incident. 

Changes to the Essential 8 in 2024  

The Essential 8 controls will undergo some changes in 2024 as part of the Australian Government’s new 2023-2030 Cyber Security Strategy (published in November 2023).

“The cyber security threat landscape is ever evolving, and there are always more risks and attackers. As a countermeasure, the Australian Cyber Security Centre (ACSC) is continuously publishing changes and updates to improve the controls”, says Zubair.  

Some of the recent changes revisit the use of the MFA control, requiring the type of authentication to include something you have and something you know. “A mobile device plus a passphrase, for example, fits the control”, explains the consultant. “Another significant change is the frequency at which vulnerabilities must be addressed in the organisation”, he completes.  

 The timeframe for patching vulnerabilities in high-risk software has changed from one month to two weeks for Maturity Level 1. However, according to the ASD, when vendors assess a vulnerability to be of a critical nature – both on applications and operating systems – (e.g. it facilitates authentication bypasses that grant privileged access or facilitates remote code execution without user interaction), organisations should patch, update or otherwise mitigate vulnerabilities within 48 hours.

Swift actions are critical in minimising the impact of security incidents. However, the consultant emphasises that the organisations must, in parallel, create a roadmap to implement the controls properly. “Organisations should decide on which maturity level to aim for – the minimum being Maturity Level 1 for most – as it is also a commercial decision – the cost to maintain and implementation should be balanced against certain risk factors”, affirms Zubair.

Such changes aim to improve the effectiveness and efficiency of the Essential 8 controls and align them with the six cyber shields that will be implemented by the Australian Government until 2030.   

Cyber Security Shields to be implemented by 2030.

1 – Strong businesses and citizens
Citizens and businesses are better protected from cyber threats and can recover quickly following a cyber attack. 

2- Safe technology
Australians can trust that their digital products and services are safe, secure and fit for purpose. 

3- World-class threat sharing and blocking
Australia has access to real-time threat data and can block threats at scale. 

4 – Protected critical infrastructure
Australia’s critical infrastructure and essential government systems can withstand and bounce back from cyber attacks. 

5 – Sovereign capabilities
Australia has a flourishing cyber industry, enabled by a diverse and professional cyber workforce. 

6 – Resilient region and global leadership
Australia’s region is more cyber resilient and will prosper from the digital economy, continuing to uphold international law and norms and shape global rules and standards in line with its shared interests. 

Implementing the Essential 8 controls can provide many benefits for Not-for-Profits, maintaining a pristine reputation being one of the major ones.   

“The biggest risk to organisations is their reputation. Suppose an attacker gains access to the system and obtains notifiable data. In that case, the business must notify customers that it has been breached, which could damage their image and result in financial loss”, explains Zubair.   

Following the controls results in Improved security posture, Enhanced compliance, Increased customer trust and Reduced costs and losses due to a cyber attack.

To start their Cyber Security journey and implement the Essential 8 controls, Not-For-Profits can follow a few simple steps, such as assessing their current cyber security situation. Bremmar’s self-assessment tool can be a valuable resource, as organisations receive a report summarising their maturity level across all areas of the Essential 8 model. 

“We can assist organisations in implementing and maintaining these controls. Our team has experience in each area and is focused on keeping up to date with changes from the ACSC while helping you achieve the maturity layer you need continuously”, says Zubair.  

Contact us if you want to learn more about the Essential 8 or need help implementing the controls! 

Free Essential 8 security assessment
Take our free assessment to get a summary report of your compliance level and secure your not-for-profit organisation.

Further reading

Are outdated manual processes holding your business back?

Transform the way you digitise your business processes.

How to build a comprehensive security suite with your existing M365 licensing.

Organisations with Bremmar's Digital Edge

Ready to get secure?

Book a discussion with a consultant today

Protect your organisation with Bremmar’s Cyber Security Solutions

"The current IT initiatives with Bremmar have had a big impact on us achieving our purpose here at Lifeline WA. The enablement it has had to all employees to allow them to get on with their roles and concentrate on the services they deliver is important to us. And reducing the amount of paper that's going around the office, reducing the amount of process and procedure that we have. Any automation that's been put in has been key to achieving that."

Mitigating Cyber Risks in Human Services: Bremmar’s Holistic Security Approach 

The number of cyber attacks has been rising worldwide. Cyber Security has become the focus of the news and a central topic in organisations from different sectors. 

According to the Microsoft Digital Defence Report, Not-for-Profit organisations are the second most cyber-targeted industry. With the ever-evolving digital landscape, organisations must adapt to new trends and standards, and address any cyber security gaps that may arise due to a lack of knowledge. 

The Australian Cyber Security Centre (ACSC) recognised the threat and created the “Essential 8 Security Framework”. This framework is a valuable guide for all Australian businesses, for profit and not-for-profit, in safeguarding their data and systems from potential attacks by establishing a strong defence against cyber threats. 

The NFP, Aged Care and Disability Care industries handle highly sensitive client data, creating specific industry challenges and requirements around cyber security. To address the particularities of these sectors, Bremmar developed two products that cater for the specific demands and pain points of the human services sector and can be scaled depending on the size of the organisations – also helping organisations to leverage their Microsoft 365 licence to comply against the Essential 8 framework. 

Microsoft 365 Security Partnership and Security Standard 

Microsoft 365 Security Partnership 

Bremmar offers tailored and holistic IT services to Not-for-profits, Disability organisations and Aged Care providers, from consultation, strategy, IT support, productivity solutions and cyber security. Through Bremmar’s unique offering, the Microsoft 365 Security Partnership, clients have access to industry and security consultants on a quarterly basis to implement and progress a range of solutions to assist their in-house IT team or Managed Services Provider in filling in Cyber Security gaps. 

“The Cyber Security Partnership journey starts with a Microsoft 365 Secure Score Report, which is about the Security of their Microsoft 365 environment. We also perform an Essential 8 compliance assessment to see where the organisation stands at certain point in time”. Explains Brenton Harris, Bremmar’s Managing Director. “We print off those reports and then have a workshop with the client once a quarter to help them assess and improve their cyber security leveraging their existing Microsoft 365 platform”, he adds. 

Clients on the Microsoft 365 Security Partnership are also eligible for a Quarterly Vulnerability Scan. “This is a tool we deploy on all endpoints where we scan the organisation’s computers and survey infrastructure to identify app vulnerabilities and find holes/gaps. As a result, we often end up with an overall picture of where all the organisation’s cyber security gaps are”, explains Brenton. 

“From there, clients can choose extra add-ons to the Microsoft 365 Security Partnership. We call these extras services, packages, which are projects with a set scope, timeframe and deliverables that are recommended at the beginning of the organisation’s journey, for example, rolling out Microsoft Defender – the antivirus product from Microsoft – in only two weeks. The goal of these extra services (packages) is to make clients’ cyber security more robust in a short timeframe.  “, he completes. 

Security Standard 

Bremmar’s Security Standard, on the other hand, is a more comprehensive solution focused on delivering compliance and security cadence to the organisation from the initial engagement.The process starts with Bremmar assessing the organisation’s cyber security compliance against the Microsoft 365 Secure Score Report and the Essential 8 Framework. These reports give Bremmar a deeper understanding of where the security gaps are so solutions can be rolled out upfront.  

“With the Security Standard, we come in and we roll out all the projects we need upfront and then we deliver compliance on an ongoing basis”, explains Brenton. “The biggest pain point organisations have is becoming compliant quickly, the second is the energy it takes to assess the reports and make decisions – and there are many meetings to decide what to do first. With the Security Standard, we help the client achieve compliance in a short timeframe”, Brenton completes. 

The journey to a secure and compliant organisation  

The Security Standard journey starts with Bremmar educating clients and stakeholders about cyber security and the risks of ignoring compliance, setting ongoing reporting schedules and creating a well-developed response plan to mitigate damage in case of a compromise. 

The first step is to raise awareness about specific risks the organisation faces. To tackle this, the Bremmar team hosts workshops and aims to explain the potential consequences of cyber attacks and the risk of sensitive data breaches to stakeholders, from frontline workers to board members. 

“The boards of Not-For-Profits, for example, have been driving hard for cyber security compliance”, explains Brenton. “As directors of the organisations, they have a high level of liability if something goes wrong”, he completes. 

Once the clients understand the significance of cyber security, they need to designate a cyber security “champion” – Someone within the organisation responsible for overseeing and coordinating all cyber security efforts and ensuring that the necessary measures are in place. 

Bremmar then assists clients evaluate their internal capabilities and determine whether they have the necessary expertise and resources to manage their cyber security effectively. If there are gaps in their skillsets, they may consider engaging an external provider like Bremmar to supplement their capabilities and provide specialised cyber security services. 

The next step is to assess the client’s current cyber security state by: 

  • Thoroughly evaluating their existing cyber security measures. 
  • Identifying any vulnerabilities or weaknesses
  • Determining areas that require improvement. 

This assessment provides a baseline for the client’s cyber security posture and helps in identifying specific areas that need attention. 

From there, it is vital to leverage frameworks and tools. Clients can benefit from adhering to established cyber security frameworks such as the Australian Essential 8 and the American National Institute of Standards and Technology (NIST), which provide a set of recommended security controls to mitigate common threats.  

Clients should also establish a regular reporting mechanism that provides visibility into their security status, identifies emerging threats, and tracks the progress of security initiatives. This reporting enables informed decision-making and timely remediation of any cyber security issues. 

Response planning is an integral part of any cyber security journey. Clients need to develop a comprehensive response plan that outlines the steps to follow during a cyber security incident. This plan should include procedures for detecting, containing, and recovering from security breaches and communication protocols to ensure effective response coordination. 

“It is vital to determine who gets the phone call at night, for example, when the mailbox gets hacked. Is it the CFO, or is it someone else? And do they know how to handle that situation? Should they turn everything off? The accountable person needs a process in place and to be aware of what to do. We can help them make those crucial decisions and create that process”, explains Brenton. 

By following these steps in Bremmar’s Security Standard journey, clients can establish a solid foundation for cyber security efforts. They can proactively address their vulnerabilities, align their practices with industry standards, and continuously monitor and improve their security posture. This journey enables clients to protect their valuable assets, maintain the trust of their stakeholders, and mitigate the potential risks posed by cyber threats. 

At Bremmar, we understand the human services sector’s unique challenges and offer tailored services to help drive business success. Let us help you streamline your IT operations and enhance your organisation’s cyber security. 

In the security standard journey, clients embark on a systematic process to enhance their cyber security measures:  

  • Education and Awareness: The journey begins with educating clients about the importance of cyber security and creating awareness about the risks they face. Understanding the potential consequences of cyber threats motivates clients to take action and prioritise cybersecurity.

  • Assessment and Gap Analysis: Clients comprehensively assess their current cyber security state. This involves evaluating their security measures, identifying vulnerabilities and weaknesses, and conducting a gap analysis to determine improvement areas.

  • Framework and Best Practice Adoption: Clients leverage established cyber security frameworks, such as Essential 8, to align their practices with industry and best practices. These frameworks provide a roadmap for implementing effective security controls and mitigating common threats.

  • Skill Set Evaluation: Clients evaluate their internal skill sets and resources to determine if they have the necessary expertise to address their cyber security needs. If gaps are identified, they may seek external assistance from cyber security specialists like Bremmar to augment their capabilities.

  • Ongoing Reporting and Monitoring: Establishing a robust reporting mechanism is crucial for clients to monitor their cyber security posture continually. Regular reporting provides visibility into security metrics, identifies emerging threats, and tracks the progress of security initiatives. This enables informed decision-making and timely remediation of vulnerabilities.

  • Response Planning and Incident Management: Clients develop a comprehensive response plan to handle cyber security incidents effectively. This includes defining incident response procedures, establishing communication channels, and conducting regular drills to ensure preparedness in the event of a breach.

Organisations with Bremmar's Digital Edge

Ready to get secure?

Book a discussion with a consultant today

Cyber Security and the Essential 8 Security Framework for Not-For-Profit Organisations

With cyber attacks on the rise, cyber security is at the forefront of every business operator’s mind and, according to the Microsoft Digital Defence Report 2022, not-for-profit organisations (NFPs) are the second most cyber-targeted industry. The report suggests NFPs are particularly vulnerable to cyber attacks because organisations often don’t have the resources to implement robust security measures.

Fortunately, the Australian Cyber Security Centre (ACSC) has developed the Essential 8 Security Framework as a guide to help all Australian businesses protect their data and systems from cyber threats. Let’s look closer at this framework and how Microsoft 365 and Azure can help your organisation achieve affordable data security.

What is the Essential 8 Framework?

As mentioned earlier, the Essential 8 Security Framework, sometimes called the Essential Eight or ASD Essential Eight, was developed by the Australian Cyber Security Centre (ACSC) to guide organisations in protecting their computer systems and data from cyber threats.

The framework outlines eight key security strategies organisations should implement to reduce their risk of a successful cyber attack. These best practice cyber security controls are:

  1. Configuring Microsoft Office macro settings
  2. Application whitelisting
  3. Patching applications
  4. User application hardening
  5. Patching operating systems
  6. Restricting administrative privileges
  7. Multi-factor authentication (MFA)
  8. Daily backups

Ultimately, these eight strategies have three primary objectives: preventing cyber attacks and limiting attack impact and data availability.

Why is it relevant for not-for-profit organisations?

If you manage an NFP, you’re already aware of your organisation’s growing reliance on technology for day-to-day operations. Whether it’s online banking, managing donor information, coordinating fundraising activities or running your social media campaigns – it all takes place on computers and mobile devices, which are open to cyber attacks. Unfortunately, opportunistic cybercriminals know that NFPs hold confidential and sensitive client data and are perceived as an easier target because of the sector’s limited resources to implement cyber security measures. Consequently, hackers are more likely to target not-for-profit organisations because of the large volume of mobile devices used by frontline workers which gives attackers’ better chances of accessing data or systems without detection.

Considering the impact of a cyber breach to NFPs, which ranges from reputational damage to compromising clients, implementing the Essential 8 Security Framework protocols to protect against potential cyber threats is essential. Ultimately, the Essential 8 Framework provides your organisation with the basics to ensure your data is secure from malicious cyber attacks.

“Also, what many not-for-profit organisations don’t realise,” says Brenton Harris, Managing Director of Bremmar, “is that many grants available to not-for-profit organisations require a minimum level of cyber security to be in place to qualify.”

Get your free Essential 8 Security Assessment Report

Protect your valuable customer data from cyber-attacks with Essential 8 security framework. Assess your baseline today. Take our free assessment to get a summary report of your compliance level and secure your not-for-profit organisation.

Assess your level of compliance against the Essential 8 Framework with this tool developed specifically for Not-For-Profits
Take our free assessment now!

How can Microsoft 365 and Azure help achieve the Essential 8 Framework?

Microsoft 365 (M365) and Azure provide a comprehensive suite of cyber security tools to protect your organisation’s data.

With Microsoft 365, for example, you can implement multi-factor authentication, one of the key components of the Essential 8 Framework. This provides an extra layer of security by requiring users to enter a code sent to their mobile device or email address in addition to their username and password.

However, Microsoft 365 Business Premium licensing comes with many other security features to help you achieve the Essential 8 framemework:

On the other hand, Azure allows you to take advantage of advanced security features such as threat detection, which can detect and alert you of suspicious activity on your network. Azure also provides a secure cloud-based platform for storing and managing data and tools for monitoring user access and activity. M365 and Azure each offer advanced analytics that allows organisations to understand potential threats better before they become serious issues.

As an NFP, you will have access to Microsoft licenses and security tools at a discounted price.

“As an NFPdigital transformation consultancy, we love nothing better than helping clients save costs by taking full advantage of their available software.” 

“If you have a Microsoft 365 Business Premium license, you already have access to all the tools you need to comply with the Essential 8 Security Framework level 1 (most basic). Microsoft also offers USD3.5k in donations towards NFP Azure subscriptions,” explains Brenton.

What else can NFP’s do to boost your cyber security?

Further to implementing the Essential 8 Framework and cyber security tools, your

organisation should consider other measures like:

  • Establishing a security owner within the organisation
  • Knowing where you stand right now
    • a) Understand full scope of what needs protecting
    • b) Ensure you prioritise the biggest risks first
    • c) Use our online Essential 8 Assessment for NFP
  • Leveraging security frameworks & tools, such as NIST
  • Evaluating what external security help you require
    • a) Evaluate in house capability
    • b) Evaluate capability of existing partners
    • c) Consider engaging a cyber security partner
  • Training volunteer staff on cyber security best practices.

Similarly, it is now best practice to ensure a data breach response plan is part of your policies and procedures. All Australian businesses with an annual turnover of $3 million must report data breaches or cyber attacks to impacted customers and the Australian Information Commissioner (OAIC) within 72 hours.

By taking the time to implement the Essential 8 Framework and other cyber security measures, protecting your NFP against malicious cyber attacks is possible.

Get professional help

At Bremmar, we understand your unique challenges as a not-for-profit when protecting your organisation’s digital assets from cyber threats. That said, we specialise in helping all our clients navigate the complex world of new technologies and ensure their data is well protected. 

“The good news is if you already have Microsoft 365, you have the tools to comply with the first level of the Essential 8 Security Framework,” says Brenton.

Unlike other IT service providers, Bremmar has extensive experience providing tailored solutions designed specifically for not-for-profits. So, talk to us when you want to learn where your organisation stands against the Essential 8 Security Framework, including a full report on your compliances and risks.


The Essential 8 Security Framework is an important tool for your not-for-profit organisation in protecting its data from cyber threats. Microsoft 365 and Azure provide a comprehensive suite of security tools to help organisations comply with the framework.

Other measures to boost cyber security including assigning a security owner within the business, knowing where you stand from a security standpoint right now, evaluating if you need external help  and training volunteer staff on cyber security best practices.

Finally, it is essential to have a comprehensive incident response plan in case of any data breaches or cyber attacks.

At Bremmar, we understand the unique challenges you face as an NFP and are here to help you navigate the complex world of new technologies and ensure that your data is well protected. We aim to make it easier for you to implement cyber security best practices so you can focus on doing what you do best – making a positive impact in our world. 

Free Essential 8 security assessment
Take our free assessment to get a summary report of your compliance level and secure your not-for-profit organisation.

Further reading

Are outdated manual processes holding your business back?

Transform the way you digitise your business processes.

How to build a comprehensive security suite with your existing M365 licensing.

How to protect your Not-for-Profit from cyber threats

By the time you’ve finished reading this article, one business will have been the victim of a cyberattack. That’s the findings from the Australian Cyber Security Centre’s (ACSC) latest report which received over 67,500 cybercrime reports in the last financial year, an increase of nearly 13 per cent from the previous financial year. That equates to one cyber attack every eight minutes.

And if you think it’s just the big players these cybercriminals are targeting, you’d be surprised to hear just how widespread this problem is. No sector of the Australian economy was immune to these attacks, and small and medium-sized businesses are just as vulnerable, sometimes more exposed due to low levels of understanding, less resourcing, or underestimation of risk. According to the Microsoft Digital Defence Report, released in 2021, NFPs are the second most targeted industry for attacks, just after Government. 

Top 3 most common cyber security threats for SMEs

  1. Ransomware involves encrypting company data so that it cannot be used or accessed, and then forcing the company to pay a ransom to unlock the data. According to ACSC, ransomware attacks have increased by nearly 15 per cent compared with the previous year.
  2. Malware is a malicious code that hackers use to access an organisations’ network, then steal or destroy data. Malware usually comes from malicious website downloads, spam emails or from connecting to other infected machines or devices.
  3. Scam emails or phishing attacks (pronounced “fishing”) are designed to trick individuals out of their money and information. These emails often look like they were sent from individuals or organisations you know or should trust.

Prevention and proactivity are key when it comes to cybersecurity

Failure to prepare for a cyberattack is costing small and medium-sized organisations big. From financial losses and downtime to reputational damage and even legal action as a result of a data breach, there are a number of ways that cybercrime can impact your organisation.

Having incident response, business continuity and disaster recovery plans in place is an important strategy to prepare for a cyber security incident. Just as important is testing these plans to ensure they’re robust enough to stand up to an attack.

5 simple ways to prevent cyber threats

Build a multi-layered approach to security

There’s no one-size-fits-all approach to security. A good security strategy should be built with a multi-layered approach using different solutions. This can become challenging and complex to navigate internally, especially because products available are constantly changing.

If your business operates through the Microsoft 365 platform, you’ll already have a baseline level of security. Our recommendation is to solidify that baseline by leveraging existing software, configuring settings like MFA and conditional access, and then slowly build up your business maturity level with targeted initiatives that are not included in Microsoft 365, such as extra backups.

If you think you’re not leveraging Microsoft 365 or would like to discuss your Security Strategy, Microsoft Tech for Social impact is offering a free Security Assessment for NFPs. Register your interest here until the end of April.

Update your devices and systems

Turn on automatic updates for your operating systems and applications. If automatic updates are unavailable, regularly check for updates from vendors and install them as soon as possible.

Use Multi-Factor Authentication

Multi-Factor Authentication (MFA) requires the user to provide two or more verification factors to gain access (e.g. a one-time password sent to your phone). Make sure you have MFA enabled by default on any corporate networks, devices or systems.

Train staff in good cyber security habits

Are your end-users the weakest link in your cyber defences? 41% of IT professionals report phishing attacks at least daily. You can have the best technology in place, however, if your staff are not well trained, that investment goes to waste.

Your staff and policies play a crucial role in the success or failure of your IT protection efforts. Build a workforce of trained, phishing-aware employees that provide your business with a human firewall against cyber threats. A good place to start is by doing staff security awareness training and simulations. This has been a popular service for Bremmar clients and you can find more information here. 

Back up your cloud against accidental loss or deletion of files

With more and more businesses depending on Microsoft 365 and G-Suite for business operations, the risk of potential data loss is impossible to ignore. Although Microsoft and Google store data on their servers, they don’t take responsibility for human errors such as accidental loss or deletion of files. With people working from home and increasingly relying on collaboration tools like Teams and SharePoint, protecting data in the cloud is more important than ever.

Where to go from here?

Bremmar, in collaboration with Microsoft Tech for Social Impact (TSI), is currently offering a free security assessment and roadmap for Not-for-Profits to help you quantify how Microsoft 365 can help your organisation save costs and improve digital security.

This offer uses a tool that is usually valued at $1400 dollars, and it provides a snapshot of your current security, reviews your environment for vulnerabilities, and finds gaps to address those vulnerabilities. The findings are presented in a workshop with Bremmar where, together, we’ll help you define your 3 security priority initiatives.

Nominate my organisation for the assessment now!

If you’re not ready for the assessment, please check our Security Packages for NFPs or email to request a copy of our Security for NFP Leadership webinar recording!

Key takeaways: Security for Not-for-Profits – A briefing for leadership

 On 23/03/22, Bremmar and Microsoft Tech for Social Impact (TSI) collaborated on a webinar about Security for Not-for-Profit leaders.

During an information-packed presentation, NFPs from around Australia received practical steps on how to increase the security of their organisation by leveraging existing Microsoft 365 licensing.

Brenton Harris, Bremmar’s Managing Director and key presenter, ran attendees through the Essential 8 mitigation strategies recommended by the Australian Cyber Security Centre (ACSC) and explained key Microsoft 365 Business Premium products that cater for the baseline security recommended by the ACSC.

The content was easy to follow and non-technical, leaving attendees with lots to consider when implementing or improving their organisation’s security efforts. Here are the key takeaways of the event.

  1. Clarity on the security situation that NFPs are faced with at the moment.
  2. Tangible steps you can take to protect your organisation in line with Government Essential 8 framework
  3. How to leverage Microsoft 365 (and discounted NFP licensing) to deliver on the essential 8 framework
  4. Learn about a zero cost Security Assessment / Roadmap from Bremmar in collaboration with Microsoft TSI

The threat landscape for not-for-profits

The impact of security breaches for NFPs can be extremely severe as many non-profits collect and store data of vulnerable customers which are protected by law as confidential. When there is a data breach, that poses a risk for the individuals whose data was disclosed and for the nonprofit that will now potentially be subject to liability for the breach. 

Key data breach impacts to NFPs:

  • Reputation and trust
  • Resources spent on crisis management
  • Information breach
  • Information loss
  • Business interruption
  • Costs to recover
  • Legal costs
  • Fines and penalties (if applied)

Main NFP security statistics

The Digital Technology in the Not-for-Profit Sector report, released in November 2021 by InfoExchange, which interviewed of 650 NFPs in AU / NZ highlights:

  • 50% of NFPs haven’t MFA implemented
  • 50% of NFPs don’t have effective organisational info security plans

At the same time, the Microsoft Digital Defence Report, released in 2021, also states:

  • 70% no vulnerability assessment to understand risk exposure
  • NFPs are the second most cyber targeted industry
  • NFPs are a prime target, with access to sensitive data

Considering the importance of security for NFPs, the numbers above are alarming.

What are the highest security priorities for your organisation?

 Attendees were asked the question and shared their experiences:

The Essential 8 mitigation strategies recommended by the Australian Cyber Security Centre (ACSC)

What do they mean?

  • App Control: Restricting what apps can be opened by users.
  • Patching Apps: Making sure apps are up to date and any known security holes are patched.
  • Macros: Limiting impact that could be caused by a malicious macro.
  • App Hardening: Selecting the optimal web browser for your organisation and ensuring only secure versions of apps can be run (i.e., PDF readers and email clients). 
  • Patch OS: Having a supported OS with the latest updates.
  • MFA: Don’t be only reliant on passwords. Add an extra step of identification when logging in – particularly when using a different device/location.
  • Restrict Admin Privileges: Avoid providing more access to users than needed.
  • Daily Backups: If all else fails, make sure you can at least get critical data and operating settings back.

Download the essential 8 action checklist now!

How can Microsoft 365 help with the Essential 8 baseline security?

Microsoft 365 has become a strong, comprehensive, and viable security option for NFPs, especially since Microsoft Defender for Endpoint and Microsoft Defender for O365 were added to the stack at no extra cost.

Not-for-profits can now cover all their basic security requirements through an integrated platform that is constantly updated and delivers centralised reporting.

Microsoft 365 provides a single pane of glass for security, and it is a cost-effective solution for NFPs as it makes some third-party tools, such as antivirus, redundant.

Where to go from here?

Bremmar, in collaboration with Microsoft TSI, is currently offering a free security assessment and roadmap for Not-for-Profits to help you quantify how Microsoft 365 can help your organisation save costs and improve digital security.

This offer uses a tool that is usually valued at $1400 dollars, and it provides a snapshot of your current security, reviews your environment for vulnerabilities, and finds gaps to address those vulnerabilities. The findings are presented in a workshop with Bremmar where, together, we’ll help you define your 3 security priority initiatives.

Nominate my organisation for the assessment now!


If you’re not ready for the assessment, please check our Security Packages for NFPs or email to request your copy of this event’s recording!

Cyber Security in flexible workplaces – Webinar key takeaways

On Wednesday, 30/09, and Thursday, 01/10, we hosted two online Brekkie Power-hours covering the topic Cyber Security in flexible workplaces. Both sessions were a complete success with lots of positive feedback from participants. Zubair, our Security guru, was in charge of the presentation and responsible for translating a technical and complex topic into plain English with actionable steps. Not an easy task, but he did a great job, as usual, so we think it’s worth sharing his tips and recommendations.

Security has evolved

In the past, when we talked about security, we’d normally refer to the firewall or anti-virus and the measures you had in place for everything related to infrastructure. Nowadays, security has evolved and there are many other factors to consider with people working remotely, on their own devices and in multiple cloud services. With so many gateways for attackers to target your organisation, organisations struggle to keep on top of the new and creative ways attackers use to get through and compromise your business.

5 basic layers of protection

We have identified 5 basic layers of protection that almost every business can relate to. Focusing on these 5 layers and covering the essentials of these layers are a great start to differentiate your organisation from an easy target.


Zubair covered each individual layer and divided the security measures between “well-known”, such as anti-virus and anti-spam, and “not so well-known” such as enabling conditional access. He also made the analogy of security to the door that you use to protect your business. If you own a business and you get broken into, the first thing you’re probably going to look at is how they got in or what was taken, so you the first step would be changing the type of lock, put up a steel door or get a better alarm system.

The same goes for Cybersecurity – It all depends on what you’re trying to secure, how much it’s worth and how much you would like to spend keeping it safe. In each of these layers, some protection measures may be similar to that steel door that may not be required for you, however, some of the items may be that basic lock you put on the door which is the minimum security requirement.

Security essentials and advanced options



  1. Anti-Spam / Anti-Phishing – consider whaling, phishing, and spear-phishing attacks
  2. Malware Attachment Scanning
  3. Unsafe Link detection
  4. Email Domain Security (SPF/DKIM/DMARC)

Not so well-known

  1. Malicious Outlook Rule Detection
  2. Controlling security and policies for the devices that corporate emails connect to (especially for personal devices)



  1. Web Threat Protection
  2. Web Content Protection

Not so well-known

  1. Browser Management
  2.  Plug-In Management – Do you manage browsers and add-ons that are used in your organisation?



  1. Having a Corporate Application Layer Firewall.
  2. Securing your remote access into your network (Secure Gateway)
  3. System updates and vulnerability management
  4. Data Redundancy and Resiliency – are all your cloud applications backed up?
  5. Network Policy and Access Rights Management – do you keep track of third parties that have access to your data?

Not so well-known

  1. Monitoring and mitigating Software Supply-Chain Attacks
  2. Cloud Application Security



  1. Anti-Virus and Threat Protection
  2. Operating System Patch Management – Can your IT Dept report on which computers are missing patches?
  3. Vulnerability Detection and Remediation

Not so well-known

  1. Application / Software Control
  2. Peripheral Control
  3. Access Control
  4. Data Protection



  1. Identity and Access Management (MFA) – This is the most effective way to improve your security.
  2. Conditional Access and Geo Blocking – Are there countries you will likely never login from?
  3. Password Management and Policy – Banning common passwords and implementing password complexity

Not so well-known

  1. Security Awareness Training – Do your users know how to spot a phishing email or how to avoid Business Email Compromise?
  2. User Risk and Sign-in Risk Management – Are your credentials on the dark web or part of a recent breach?

Download Zubair’s Security tips here!

Cyber Security with Microsoft 365

The Microsoft 365 suite offers powerful security for your environment as part of the flagship Microsoft 365 Business Premium Product, this includes conditional access, mobile device management and password protection. One of the key security components in the Microsoft 365 Business Premium is the Advanced Threat Protection for SharePoint, OneDrive, and Teams. This means that the software scans for malware in documents/files uploaded or shared in those apps. If you want additional security instead of paying for the expensive “all in one” license from Microsoft 365 E3 and E5, you can purchase only the Enterprise Mobility Suite (EMS) E5 license. This is an add-on that will:

  • Upgrade your conditional access to also monitor your users for compromises on the dark web.
  • Give access to cloud app security, which allows you to map out your users’ cloud usage for services like Dropbox and Salesforce, and create policies to manage the usage of these.

When asking for a recommendation of which license your business should have, Zubair goes back to the steel door analogy. Most businesses get what they need from the Microsoft 365 Business Premium, however, if you want an extra and more advanced layer of protection, then you should consider the EMS E5 add-on. Important to remember that Not-For-Profit organisations get a large discount on Microsoft 365 licensing. If you’d like to know more about the options available, contact us and we can go through what licenses would work for you.

How Bremmar supplements Microsoft 365 security

We’d like to bring attention to the following:


Cyber security awareness training

  • Run a 3-month campaign to simulate phishing attacks
  • Get a report with a summary of who clicked and exposed the business to an attack
  • Receive simple training videos, emails, and infographics to educate your users

Microsoft 365 Security Assessment

  • Perform a complete Microsoft 365 security review – and beyond!
  • Get your Microsoft 365 secure score report
  • Know recommendations to improve your security and best practices

Microsoft 365 backup

  • Protect your business from data loss by human error (deletion of files)
  • Secure your business in case your data gets compromised by malware
  • Have peace of mind knowing that everything within Outlook, Teams, SharePoint, and OneDrive is backed-up. Same goes for G-suite.

How can we help you?

Bremmar are experts in remote working initiatives, security and digital collaboration processes. As accredited Microsoft Gold Productivity Partners, we can help you and your team leverage the power of the Microsoft 365 Stack to work smarter. We manage IT services for a number of NFP, Aged Care, Engineering, Mining and Construction organisations and understand the unique needs of these sectors. Why not set up an initial meeting to learn more? Call us on 1300 991 351 or email

Book a security consultation with Bremmar! ???

Book a security assessment

3 characteristics that define the modern workplace – Infographic

Today’s diverse and intergenerational workforce is most productive when it has adequate channels to collaborate in a seamless and effective way. There’s a catch, however: teams are far more diverse and remote than ever before, and each organisation requires its own distinct approach to digital collaboration. In other words, your workplace tools and applications must be customised based on your teams’ diversity, location, and work methods.

With this infographic, you’ll learn about the three main characteristics that define our modern workplace and gain insight into what drives productivity and efficiency in today’s organisations. After reading it, you’ll have a better understanding of current trends and can keep these in mind when creating or modifying your organisation’s work environment.

3 characteristics that define the modern workplace infographic

(Click to expand)

We’re here to help!

We’re here to help your business thrive in 2020. We’re experts in remote working initiatives and digital collaboration processes.

We can help you and your team enable critical applications in the cloud which is critical to get you ready for remote working. If you need any assistance with IT to enhance your business continuity planning, do not hesitate to contact us on 1300 991 351 or email

Get a Free Microsoft 365 Productivity consultation with Bremmar! 👇👇👇

Remote working productivity technology

Bremmar Security Alert: Zoom Security Flaw!


The increased popularity of the video conferencing tool called Zoom has put the software in the media spotlight.

We would like to communicate that security experts have raised a warning about a security flaw in the system that can pose a risk to your business and personal information. Keys issues are:

1- Your system security can be compromised by malicious links that are shared in Zoom meetings. This means that if you are in a video meeting and someone shares a malicious link in the chat, that link when clicked can possibly give attackers unauthorised access to your system.

2- Open public meetings with no password or participant control. This means that anyone that finds your meeting can join the meeting and share/post any content they would like, including the malicious links mentioned above. 


Bremmar recommends that companies evaluate their ongoing usage of Zoom until this flaw has been resolved. However, if you continue to use Zoom, please ensure that all your staff considers these measures:

1- If you are part of a meeting, don’t click on links that you don’t know or understand, especially if you don’t know the person who has sent it.

2- If participating in an open meeting that doesn’t require a password or asks the “owner” of the meeting to approve your participation, don’t click any links! You don’t know everyone that is part of the meeting so be extra vigilant.

3- Never create open public meetings. Always create meetings that require a password or that you have to approve for the participants to join in.


Bremmar kindly asks you to educate all of your staff on this issue. Security systems are in place, however, the main tool against this specific issue is employee education and awareness.

For more details, please read the below:

At Bremmar, we use and recommend Microsoft Teams as a teamwork hub and video conferencing tool. If you would like to explore this option, please contact your ISM or

If you believe you have clicked a malicious link, please contact your Bremmar support team for further assistance asap!

Phone: 1300 667 167

We’re here to help!

We’re here to help your business thrive in 2020. Bremmar is a Microsoft Gold Cloud Productivity partner with more than 10 years’ experience in a range of Microsoft solutions. We’re experts in remote working initiatives and digital collaboration processes. We can help you and your team enable critical applications in the cloud which is critical to get you ready for remote working.

If you need any assistance with IT to enhance your business continuity planning, do not hesitate to contact us on 1300 991 351 or fill in the form below.

Remote working productivity technology

Get an initial consultation with Bremmar!