Security Awareness Training for Nonprofit Grantees Case Study
The Challenge: Protecting a Grantee Network from Cyber Threats
A large national nonprofit funder distributes hundreds of millions of dollars annually to more than 130 grantee organizations across the country. When a business email compromise attack successfully redirected a significant grant payment to a fraudulent account, the organization’s leadership recognized a hard truth: the cybersecurity posture of their grantees was directly tied to their own.
The challenge was significant. The funder’s grantees are independent nonprofits — they don’t report to the funder, and many operate with little or no dedicated IT staff. Requiring expensive or technically complex cybersecurity controls wasn’t realistic. What the funder needed was a meaningful, achievable requirement they could fund themselves, paired with the right implementation partner to make it actually work.
They landed on security awareness training — specifically, requiring all grantee staff to complete anti-phishing and email safety training. Research consistently shows that short, frequent, realistic training — including simulated phishing emails that put staff in real-world scenarios — is far more effective at building lasting security habits than an annual compliance video. This approach, sometimes called continuous security awareness training, is now considered industry best practice and is increasingly required by cyber liability insurers.
The funder committed budget to cover the cost for grantees. Then they needed someone to run it.
The Solution: A Managed Training Program Across 130+ Organizations
The funder came to Community IT after finding that large cybersecurity training vendors weren’t equipped to handle what this engagement actually required: not just a software license, but hands-on setup, onboarding support, reporting, and ongoing management across a diverse network of organizations, many of which had no internal IT capacity.
Community IT implemented the KnowBe4 security awareness training platform across the funder’s entire grantee network — ultimately onboarding more than 9,000 users across 130+ organizations. Our role went well beyond deploying software. We handled the technical setup for each organization individually, working directly with grantee staff and their existing IT providers to configure the platform, establish user provisioning, and get training underway. For organizations using Azure Active Directory, we built automated provisioning workflows using SCIM and single sign-on, so user management could run with minimal ongoing effort.
We also served as the primary point of contact for grantees throughout the process — answering questions, scheduling training, and helping organizations understand what was required. Critically, we designed our reporting to give the funder visibility into completion status across the network without accessing individual grantees’ training data — respecting the line between funder accountability and grantee autonomy.
The Result: A Culture Shift Across a Grantee Network
Rolling out a new security requirement to more than 130 independent organizations is not a small undertaking, and we won’t pretend it was frictionless. Nonprofit IT teams are stretched thin, competing priorities are constant, and coordinating with third-party IT providers added complexity. The lesson we kept relearning: get to the minimum viable requirement first, and save the advanced features for later.
And the program worked. Grantees that had never had formal cybersecurity training now had it in place. Organizations that initially had high click rates on simulated phishing tests saw those rates fall significantly with consistent training. Perhaps most tellingly, the funder began to see their grantee executive directors ask more questions about cybersecurity, a sign that the security message had genuinely landed.
The engagement also reinforced a broader point about security awareness training: buying the tool is not the same as implementing it. The real investment is in the human work around it: scheduling, explaining, troubleshooting, and follow-through.
“Just because you have a product in place doesn’t mean that you’re using it effectively. It really does require focused and expert attention to make the system work.” — Matthew Eshleman, CTO, Community IT Innovators
Ready to Strengthen Cybersecurity Across Your Nonprofit Network?
Whether you’re a funder trying to protect the organizations you invest in, or a nonprofit trying to build a real security culture without a dedicated IT team, cybersecurity awareness training is one of the highest-impact steps you can take, and one of the most commonly stalled. The tool gets purchased. The requirement gets announced. And then the implementation sits, because nobody has the bandwidth to shepherd the staff through onboarding, answer the questions, manage the reporting, and keep it moving.
That’s exactly where Community IT comes in. We’ve built the processes to manage security awareness training programs at scale across diverse nonprofit networks — handling the technical setup, the grantee coordination, the user provisioning, and the ongoing reporting — so that funders can meet their accountability requirements and grantees can meet their training obligations without either party having to become KnowBe4 experts. If you’re a funder considering how to raise the security baseline across your grantee community, or a nonprofit looking to finally get a training program off the ground, we’re ready to help you figure out what’s realistic and get it done.
Community IT was able to help this client move from a reactive posture — responding to a breach — to a proactive, network-wide training program that gave both the funder and their grantees stronger footing. We are always ready to support our clients as they face their real-world needs and constraints, even when that means coordinating across dozens of independent organizations with different IT environments and varying levels of internal capacity. We use our IT and nonprofit expertise to guide organizations as they navigate their cybersecurity needs, as shown in this Security Awareness Training Case Study. You can be sure we are dedicated to the success of your mission and will help you find the solution that fits your organization and your budget.
As advocates for using technology to work smarter, we’re practicing what we recommend. This article was drafted with the assistance of AI, but the content was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.