In part 1, Steve and Carolyn cover security in the free nonprofit tier, explain lingo like 2SV, spoofing, DNS, and the risks of unmanaged accounts, too many super-admins, or the lack of off-boarding process. In part 2, they address third-party security tools you will want to invest in, like anti-phishing training, backups, monitoring, and email protection. They end with Q&A from the attendees.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Steve Longenecker is Director of IT Consulting at Community IT and has been supporting Google Workspace at nonprofits for years. He walks through the security settings and practices available to nonprofits in the free Google Workspace tier, and shares guidance on when it makes sense to consider upgrading to a paid tier for more advanced security features depending on your nonprofit’s risk profile.
Google Workspace is one of the most widely used platforms in the nonprofit sector, and the free nonprofit tier gives organizations a powerful set of tools. But how secure is it — and what can you do to protect your organization without paying for a higher tier?
Join Community IT Director of IT Consulting Steve Longenecker in a webinar on Google Workspace security for nonprofits. Whether you are the person who manages your organization’s Google account or a staff member who wants to understand your risks, this session is designed to be accessible and practical.
Steve focuses on the security features available in the nonprofit tier of Google Workspace – including two-step verification, phishing-resistant authentication, and staff training basics – and gives you concrete steps you can take right now. He also spends some time on the more advanced security features available in paid tiers, and helps you think through whether and when an upgrade makes sense for your organization, and when third party tools are needed for essential layers of protection.
The session included time for a dedicated Q&A. You can find our responses on our subreddit: https://www.reddit.com/r/NonprofitITManagement/
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

As Director of IT Consulting, Steve Longenecker divides his time at Community IT primarily between managing the company’s Projects Team and consulting with clients on IT planning. Steve brings a deep background in IT support and strategic IT management experience to his work with clients. His thoughtful and empathetic demeanor helps non-technical nonprofit leaders manage their IT projects and understand the Community IT partnership approach.
Steve also specializes in Information Architecture and migrations, implementations, file-sharing platforms, collaboration tools, and Google Workspace support. His knowledge of nonprofit budgeting and management styles makes him an invaluable partner in technology projects.
Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts. He is happy to share his expertise on Google Workspace security in this webinar.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She is always happy to talk with Steve Longenecker about technology for our clients and to learn more about securing Google Workspace for nonprofits and Google Workspace two-step verification.
Carolyn Woodard: Hello, everyone. Thank you for joining us at the Community IT webinar, Securing Google Workspace for Nonprofits with Steve Longenecker.
Google Workspace is one of the most widely used platforms in the nonprofit sector. The free nonprofit tier gives organizations a really powerful set of tools. But how secure is it? Steve is going to walk through the security settings and practices that are available to nonprofits in the free Google Workspace tier and share guidance on when it makes sense to consider upgrading to a paid tier for more advanced security features, or using some third-party tools depending on your nonprofit’s risk profile.
My name is Carolyn Woodard. I am the outreach director for Community IT and the moderator today. I’m very happy to hear from our expert, but first I want to go over our learning objectives.
Today we’re going to focus on these themes: Is Google Workspace inherently secure or insecure? What is Google Workspace’s nonprofit tier and what security features does it include? What are the biggest risks nonprofits face in Google Workspace? What actions can you take now to reduce those risks? When should you look beyond the nonprofit tier? And what should be your first steps? Now I would like to let Steve introduce himself.
Steve Longenecker: Hi, I’m Steve Longenecker and I’m the director of IT Consulting at Community IT. I am coming to you from sunny, beautiful Washington, D.C. (I’m) a longtime resident, and I guess Community IT’s hometown.
I’m a certified Google Workspace Administrator, and I’ve been working with our clients who have Google as their primary productivity platform for a long time. I’m looking forward to having this discussion with everyone.
Carolyn Woodard: I’m so glad that you’re with us, Steve, because I know in our office when we have Google questions, you’re one of our great fountains of wisdom. Very happy to hear what the best practices are for security on Google Workspace, because that is a question people ask a lot.
Before we begin, if you’re not familiar with Community IT, I’m going to tell you a little bit more about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support and we work exclusively with nonprofit organizations. Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit.
We serve nonprofits across the United States, although we did start in D.C., as Steve said. We’ve been doing this for 25 years – it’s our 25th anniversary this year.
We are technology experts and are consistently given the MSP 501 recognition for being a top MSP, which is an honor I can announce we just received again last week for 2026. We don’t have the logo yet, but we are on the list! We believe we are one of the only MSPs on the list that serves nonprofits exclusively.
I want to remind everyone that for the sake of these presentations, we’re vendor agnostic. We only make recommendations to our clients based on their specific business needs. We never try to get a client into a product because we get an incentive or a benefit from it. We consider ourselves a best-of-breed IT provider. It’s our job to know the landscape, the tools that are available, reputable, and widely used, and we make recommendations on that basis for our clients based on their business needs, their priorities, and their budget.
We did get a lot of good questions at registration, so we’re going to try and answer as many as we can today. We only have an hour. Anything we can’t get to, please join us and Steve after the webinar on our Reddit channel at r/nonprofitITManagement. We’re going to continue answering questions over there for about 30 minutes after this webinar. And if you think of more questions later, just pop them in that thread and we’ll be checking in for the next couple of weeks.
A little bit more about us: our mission is to create value for the nonprofit sector through well-managed IT. We also identify four key values as employee owners that define our company: trust, knowledge, service, and balance. We seek always to treat people with respect and fairness, to empower our staff, clients, and sector to understand and use technology effectively, to be helpful with our talents, and we recognize that the health of our communities is vital to our well-being and that work is only a part of our lives.
So now we are going to jump into our first poll. The question is: how much attention does IT security get at your organization? Possible answers are: too much – it makes it hard to do our jobs and we have to log in every time we want to do something; just right – my organization takes security seriously and our actions show it; not enough – we say it’s important, but I worry we have holes in our approach; none, and that scares me; and not applicable.
You are anonymous in this poll, so you can feel free to be honest. If you’re here because you are concerned about cybersecurity, you’re in the right place.
Steve, can you see that?
Steve Longenecker: I can.
Carolyn Woodard: Could you let us know what the answers were?
Steve Longenecker: Yes. So we had 40 people voting, and just two – five percent – chose the “too much” option. I did want to put that on there because I do think it is possible to give too much attention to security, where it just makes things impossible.
But I’m really pleased that we had a good third of the people saying just right. That’s wonderful. And then about half were concerned that not enough is being done – maybe a good game is being talked. And then five people said none at all, and that obviously scares them.
Carolyn Woodard: Yeah. And I think that’s one of the things we run into with Google Workspace: you can set it up yourself and then you’re not sure what you have done for security. No shame if that’s you, you’ve come to the right place. We have a ton of cybersecurity resources on our website as well, which I will share in the chat later.
But right now we’re going to hand it over to Steve to talk about that first question: is Google Workspace secure or insecure?
Steve Longenecker: Yeah. I think it is important to start with the fact that Google Workspace, the platform, is very secure. Google spends a lot of money on that. They make sure that their data centers are secure. There’s encryption in transit and at rest. They have great uptime. Compared to back in the day when you might have had a Microsoft Small Business Server in a nonprofit’s IT closet, this is a lot better now. There’s just a lot less chance of things going dramatically wrong.
That said, Google is a little different from Microsoft. For people running Windows, Microsoft makes both Windows and Microsoft 365, and they specialize in having a stack where everything from identity to file security to email security to device security is covered in one integrated place. That can be very helpful, particularly for smaller nonprofits that can’t invest in a best-of-breed approach.
Google is quite secure when it comes to email and files, the things that are in Google Workspace. It’s not that you can’t do any device management in Google Workspace, but we don’t really see it that often, unless we’re talking about managing Chromebooks, in which case Google is very strong and that is a very secure solution.
The other thing about Google Workspace security is that even though Google does a good job of making its platform secure, it is a partnership. And that’s where we sometimes see insecurities emerge: on the customer side. If you’re not enforcing good password policies, if you’re not doing your part with configurations, then it’s not going to be secure.
Actually, there’s an analogy I have in my notes: think of it as Google providing a very secure building, but they don’t get to control the key. They give the key to you, and it’s you who are in charge of the key. And if you’re opening the door for strangers, that’s a problem.
Carolyn Woodard: Yeah, what is Google going to be able to do about it? Exactly.
So we wanted to show the nonprofit tier. I’m hopeful that everyone on the webinar knows that nonprofits can sign up for Google Workspace with special pricing. Steve, we were going to briefly cover this – I was surprised, not knowing very much about it, how many security features are included in that nonprofit tier.
Steve Longenecker: Yeah. The nonprofit tier is really exceptionally generous. It’s a reason that a lot of especially newer and smaller nonprofits start out in Google. It’s pretty easy to set up. They make a lot of the tooling pretty intuitive. They have really great, easy-to-understand documentation for administrators. And the nonprofit tier is free. Not just discounted, it’s free, which is just an amazing option.
I’m not going to read all the different things included, but the number of things Google includes in that free tier is really impressive. As we’ll talk about later, some of the things I would say are the next layers you need, you probably wouldn’t pay Google for – they’d be more third-party layers. But it is a nice collection of things.
Now, is everything included? No, but that’s kind of the way all of these platforms work. They tend to have tiers, and they’re happy to move you up the chain for more functionality.
Carolyn Woodard: Yeah, but it’s good to know that at that nonprofit level, you get a lot.
I want to move on and talk a little bit more about definitions. A lot of people may not be very technology-oriented, and when you’re dealing with technology at your nonprofit, you may feel like you don’t know the lingo. You might be dealing with an IT provider who uses a lot of lingo without explaining it. We wanted to go over some common terms and demystify what we can.
We don’t have time to go over everything on this slide, but I’m going to put it all in the transcript, so you’ll get a link back to the transcript with those definitions under the cybersecurity terminology you might not totally know. Steve, could you talk a little bit about MFA and 2SV? That one confuses me.
Steve Longenecker: Sure. And I appreciate, Carolyn, that you’ve started adding this definition slide to these decks. I’ve been doing these webinars with you and even before you for a long time, and I think it’s a really nice addition to the template, because I forget sometimes — as someone who’s deeply immersed in this stuff — that definitions help.
So MFA, which stands for multi-factor authentication, is the idea that in addition to maybe your password, you are doing something else – that’s where the “multi” comes from – to confirm your identity. Most typically, you might be using your phone, which you’ve registered ahead of time with the system, to approve your login.
Some other things we see are FIDO keys, or YubiKeys, that’s the main brand. It’s an actual physical key that you plug into the USB port on your computer or phone, and since that key is registered ahead of time, you can’t get in with just your password. You have to have this second factor.
It really has cut down on account breaches, because passwords are hackable. Even a 10-character password can be cracked by trying all combinations with a computer program. And people sometimes use easy-to-guess passwords or reuse passwords. Multi-factor authentication helps a lot.
2SV is just Google’s language for that. It stands for two-step verification. It is literally MFA with a different name. I’m not quite sure why Google went its own way and didn’t just call it MFA like everyone else, but when you see 2SV, that’s just an indication that you’re dealing with Google and they’re using their term for MFA.
I’ll go through the other terms quickly. Spoofing is when an email appears to come from someone it’s not coming from. I get emails that appear to be from my boss Johanny – her name, her email address – but it is not from her. If I click on the links in that, I’m probably heading toward bad outcomes because someone is spoofing her account.
There are things you can do configuration-wise to reduce the likelihood of that. One of the places that can be done is using DNS.
DNS is a very old protocol. It’s the internet’s way of resolving friendly names to IP addresses, names that machines understand. When you go to www.communityit.com, you’re going to a friendly name, but the domain name servers out on the internet need to know that goes to a specific server with a specific address.
That system has been expanded to have all sorts of rules, because it’s a place where an organization can publish some authoritative, trusted information about their systems. So in my DNS records, I can say the only systems allowed to send email from communityit.com are Google and MailChimp, and the email from Google needs to be secured with this encryption key. Those things can be done with DNS, and that’s what’s used now to reduce spoofing.
Email remains one of the main vectors for attacks and breaches, because it’s such an old protocol. Email has been around for 50 years. And some of these DNS fixes are responses to that.
The admin console is just the term for the web page you log into at admin.google.com. It’s where you configure settings, set up new users, offboard old users, and set up Google Shared Drives. Everything you do administratively in Google Workspace is done in the admin console.
Google Shared Drives are repositories for documents. Originally, each person just had their own drive – a My Drive. And if they wanted to share folders or documents with others to collaborate, they would do that from there. At some point, Google rolled out Shared Drives, which are much more organizationally owned and less owned by individuals. There’s more opportunity for good governance, structure, and security.
We talk about Google Shared Drives in the context of security because it’s basically a richer, better way of collaborating and storing documents in Google Workspace.
And finally, user account offboarding. A user is active in your organization, they’ve been working for you for a few years, then they leave. How do you unwind their presence in your Google Workspace? That’s called user account offboarding, and it is a weak spot in a lot of workspace administration — and as a result, it’s a place where security is sometimes compromised.
Carolyn Woodard: Offboarding might apply to volunteers as well, if you give them an email for your organization and then you’re not keeping track of who’s no longer volunteering. So it’s important to keep track of.
Here are the other definitions for cybersecurity newcomers.
MFA/2SV (Multi-Factor Authentication / Two-Step Verification): A login security method that requires you to confirm your identity in two ways: typically your password plus an approval on your phone. Google calls this 2SV (two-step verification), but it is the same thing as MFA and is one of the most effective ways to prevent unauthorized account access.
Spoofing: When an email appears to come from someone it isn’t actually from, for example an email that looks like it’s from your executive director but is actually from an attacker. Spoofing can be reduced through DNS configuration settings like DMARC and DKIM.
DNS (Domain Name System): The internet’s address book, translating human-readable domain names like communityit.com into the numeric addresses computers use to find each other. Organizations can use DNS records to publish rules about who is authorized to send email on their behalf, which helps prevent spoofing.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): A DNS-based email security policy that tells other mail servers what to do if they receive an email that claims to be from your domain but fails authentication checks, for example reject it or send it to spam. It also sends reports back to you so you can see if someone is attempting to spoof your domain.
DKIM (DomainKeys Identified Mail): A security method that attaches a hidden digital signature to every email your organization sends, which receiving mail servers can verify against a key published in your DNS records. If the signature doesn’t match, the receiving server knows the email was tampered with or didn’t actually come from you.
Learn more about DMARC and DKIM here.
Admin Console: The web-based dashboard at admin.google.com where Google Workspace administrators manage their organization’s settings, users, and security configurations. Everything from adding new staff accounts to enforcing 2SV to setting up Shared Drives is done here.
Google Shared Drives: Organizationally owned file storage in Google Workspace, as opposed to individual My Drives where files are owned by a single person. Shared Drives offer better governance, clearer access controls, and stronger security for team files.
User Account Offboarding: The process of removing or suspending a staff member’s access to your Google Workspace when they leave the organization. Skipping or delaying this step leaves unused accounts open, which is a common and preventable security vulnerability.
Credentials/Compromised Accounts: A user’s login information (username and password) that has been stolen or exposed, giving an attacker access to that person’s account. Enforcing strong passwords and MFA/2SV significantly reduces the risk of credential compromise.
Business Email Compromise (BEC): A scam in which an attacker impersonates a trusted person, often a leader or vendor, via email to trick staff into transferring money, sharing sensitive data, or taking other harmful actions. Nonprofits are frequent targets because internal financial processes can be less formal.
Wire Fraud: The use of electronic communications (email, text, phone) to fraudulently obtain money, often through fake invoices, payment redirect requests, or gift card scams. It frequently follows a business email compromise and can result in significant financial loss.
Phishing / Spear Phishing / Smishing: Phishing is a broad attack using deceptive emails to trick people into clicking malicious links or revealing passwords. Spear phishing is a targeted version aimed at a specific person or organization; smishing is the same type of attack delivered via text message (SMS).
MFA Push Bombing / Fatigue Attack: An attack in which a criminal who already has your password repeatedly sends MFA approval requests to your phone, hoping you will eventually tap “approve” out of frustration or confusion. Using an authenticator app that requires you to enter a matching number rather than just tapping approve helps protect against this.
Brute Force Attack: An automated method of breaking into an account by rapidly trying thousands or millions of password combinations until one works. Strong, unique passwords and MFA/2SV make brute force attacks much less likely to succeed.
Learn more about Cybersecurity resources here.
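The SPF, DKIM and DMARC definitions above describe records an administrator publishes in DNS. The following added example (not from the webinar or Community IT) reads such records for a hypothetical domain, example-nonprofit.org, from constructed sample data and reports the gaps a Workspace admin would want to close; the record formats are the real ones, only the domain, key and mailbox values are placeholders.

```python
"""Check a domain's anti-spoofing DNS records (SPF, DKIM, DMARC).

Added example, not part of the webinar or of Community IT's tooling. The TXT
records below are constructed for the hypothetical domain
example-nonprofit.org; a real check would query a resolver instead of the
in-memory dictionary, but the record shapes are the same.
"""
from __future__ import annotations

# Constructed sample records, keyed by the DNS name they would be published at.
# SPF lists the senders allowed to use the domain (here Google and Mailchimp);
# DKIM publishes the public key under the selector Google Workspace uses by
# default ("google"); DMARC tells receivers what to do with mail that fails.
SAMPLE_TXT = {
    "example-nonprofit.org": [
        "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
    ],
    "google._domainkey.example-nonprofit.org": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    ],
    "_dmarc.example-nonprofit.org": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-nonprofit.org",
    ],
}


def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC or DKIM record ('tag=value; tag=value') into a dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(record: str) -> dict:
    """Return the include: mechanisms and the qualifier on the final 'all'."""
    includes, all_qualifier = [], None
    for term in record.split()[1:]:  # skip the leading v=spf1
        lowered = term.lower()
        if lowered.startswith("include:"):
            includes.append(term.split(":", 1)[1])
        elif lowered.lstrip("+-~?") == "all":
            # A bare "all" means "+all" (pass), per the SPF specification.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"includes": includes, "all": all_qualifier}


def dmarc_policy(tags: dict[str, str]) -> str:
    """Effective DMARC policy from the p= tag; 'none' when the tag is absent."""
    return tags.get("p", "none").lower()


def assess_domain(domain: str, txt: dict[str, list[str]],
                  dkim_selectors: tuple[str, ...] = ("google",)) -> list[str]:
    """Return findings an administrator should act on (empty list = all good)."""
    findings: list[str] = []

    spf_records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("SPF: no record, so receivers cannot tell who may send as you")
    elif len(spf_records) > 1:
        findings.append("SPF: more than one record; receivers treat that as an error")
    else:
        spf = parse_spf(spf_records[0])
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: 'all' qualifier is missing, +all or ?all; unlisted "
                            "senders are not penalised")

    for selector in dkim_selectors:
        name = f"{selector}._domainkey.{domain}"
        keys = [parse_tags(r) for r in txt.get(name, [])]
        if not any(k.get("p") for k in keys):
            findings.append(f"DKIM: no public key at {name}; mail signed with that "
                            "selector cannot be verified")

    dmarc_records = [r for r in txt.get(f"_dmarc.{domain}", [])
                     if r.lower().startswith("v=dmarc1")]
    if not dmarc_records:
        findings.append("DMARC: no record; receivers deliver spoofed mail normally")
    else:
        tags = parse_tags(dmarc_records[0])
        if dmarc_policy(tags) == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered "
                            "(move to quarantine, then reject, once reports look clean)")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for line in assess_domain("example-nonprofit.org", SAMPLE_TXT):
        print(line)
```

Run against the sample data, the only finding is the monitoring-only DMARC policy, which is the usual state of a domain that has set up SPF and DKIM but never tightened DMARC.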
Carolyn Woodard: So what are the biggest risks specific to Google Workspace at nonprofits? Some of those, like not offboarding a staff person who may be disgruntled, could happen in any platform – but specific to Google Workspace, what are we looking at?
Steve Longenecker: To the point of offboarding, I think people know that if they’re firing a disgruntled employee, they’re going to reset the password and maybe suspend the user, whether they have a formal procedure or not.
Google is complicated by the fact that if you suspend the user, their email stops working. So in some ways, Google’s processes don’t make offboarding as easy as some other platforms, because you want to suspend the user – that makes sense – but then all of a sudden, you might want them to still be able to receive email, just forwarded to someone else in your organization, not to the person who’s no longer there. The email address might still be valuable. If they were a program manager, they might still be getting emails from external stakeholders, and you just need their manager to read those emails. That can all be done, but that’s what the offboarding procedure is about.
I think the real risk is more this: we don’t have a great policy for offboarding users, so we have all these user accounts sitting around with passwords no one knows anymore. That’s an opportunity for someone to try to work their way in through a dictionary attack or something similar.
It might not be the highest risk thing if you have good 2SV enforcement, but part of security is reducing your threat landscape as much as possible. Anytime you have unused accounts just lying around, that’s an opportunity. Maybe not a likely one, but you want to try to reduce it.
The first one on the list is phishing and credential theft. It’s not specific to Google, but it is definitely worth putting on any list when you’re talking about the biggest risks. It’s a big risk.
Also not specific to Google Workspace but true for Google Workspace users: you definitely want to have 2SV set up, configured, and enforced.
One area that can be tricky is shared and generic accounts. That’s where 2SV sometimes runs aground, because it’s very clear that if I’m logging in as me, I’m the only one who should be able to approve it on my phone. But if I’m sharing an account, info@ or donations@ or something like that, maybe there are four of us sharing that password. How do we do 2SV for that? It’s not impossible, but it’s very unwieldy.
We help our clients work around this by using Google Groups for those kinds of email addresses. So instead of a user account called [email protected], you might have a Google Group called [email protected], configured so that the members of that group can read those emails and respond to them.
Shared and generic accounts can be problems because when there’s a one-to-one correspondence between a human being and a user account, it’s very easy to notice if something goes wrong. If their account is doing weird things, they’re going to raise their hand and say, “Hey, all my friends say I’m emailing them — I’m not emailing them, what’s going on?” And then we investigate and solve the problem.
But if it’s a generic account that people only log into occasionally and someone gets into it somehow, maybe no one even notices for a week or two, because it’s not managed very well.
Wire fraud and business email compromise is sort of part of that phishing and credential theft. We do still see this, and I think it has to do with the fact that nonprofits frequently have — I don’t want to say this in a way that’s insulting to anybody — but maybe looser processes for handling money sometimes. It might be more informal. For an executive director to say to someone, “Hey, I need to take care of this situation because this donor is asking for it,” that might be more likely to happen at a small nonprofit than at a bank, where there are very rigorous processes that everybody knows to follow.
We have seen wire fraud, and we’ve seen things like gift card requests. We see that a fair amount. Less than we used to, because people are getting more sophisticated about it, but it still happens.
Then there’s Google Drive file sharing. It’s good to use Shared Drives, but it’s also important when you use Shared Drives that you structure and configure them appropriately. Do you want to allow external sharing from that particular drive? Who are the members of it? All of those things matter.
And then unmanaged personal accounts. That’s not super common unless you have a relatively new account where maybe you weren’t using Google Workspace before and now you are. People can sign up for Google Drive as a regular consumer, using your organization’s domain name, even if you weren’t in Google Workspace at the time. So it’s possible there are personal Google or Gmail accounts associated with your domain name that are not actually in your Google Workspace. There’s a place in the admin portal where you can see who that list is. Oftentimes it’s long-ago departed employees, and it’s probably not a risk.
Carolyn Woodard: From early on, maybe when you were setting it up … they had their own email on your board when you were setting up.
Steve Longenecker: That’s right.
Carolyn Woodard: I want to mention here that if you need help doing some of the things in the admin portal, Google does have a knowledge base where you can look up questions like “how do I find this?” or “where do I do that?”
Steve Longenecker: Yeah. And I always give Microsoft credit for owning Windows and Microsoft 365 and Microsoft Office, Word, Excel – and how useful that integrated world is.
One of the nice things about Google is they own Google. Googling a question actually works really well, and I like Google’s knowledge base articles more than Microsoft’s for a non-professional IT person. So if you’re managing IT for your nonprofit and that’s not your main job or what you were trained in, but you’re doing the best you can, I think you’re going to get good mileage out of Google’s knowledge base articles.
And in that case, you can be thankful you’re not doing the same thing in Microsoft. Microsoft’s documentation tends to be more technical and harder to read. You need to bring more background to it. Google tries to keep things a bit more accessible.
Carolyn Woodard: It’s very consumer-oriented. Yeah. We have one quick question: can you transfer or forward a suspended account in Google Workspace?
Steve Longenecker: You can. That’s what I was talking about with how you can manage those accounts. For ones that have long departed, it might be a little tricky – the email may or may not be actively working at that point – but yes, you can do that. Short answer: yes.
Carolyn Woodard: Okay. We’re going to move along a bit. What can you do right now to protect your organization? First and next steps. I think we’ve talked a little bit about some of these, if you want to run through them.
Steve Longenecker: Yes. Let’s start with the easy one: make sure that 2SV is turned on. It’s turned on by default, but it’s not enforced by default, at least for older workspace tenants that have been established for a while. So you need to turn on enforcement.
Google is a little different from Microsoft in this regard. With Microsoft, you enable MFA and tell everybody to go ahead and set it up, warn them that you’re going to enforce it on Friday, and then on Friday you enforce it. The next time they try to log on, they can’t get in until they set up MFA. So they’re forced to do it, which is still a change management concern. If they’re logging on right before an important meeting, they’re going to lose a few minutes setting up MFA. But it gets done.
Google is more challenging in terms of change management. If someone hasn’t set up 2SV and it gets enforced, they just can’t log in at all. At that point, they need to open a ticket with the help desk or administrator, who needs to work with them to get it sorted out. It should still be done, and it is possible to make exceptions for individual user accounts if absolutely necessary. But the recommendation is to enforce MFA/2SV for everyone.
Auditing your accounts refers to offboarding and also to who has administrative privileges. We have seen clients where it seemed like the easiest thing in the world was to make almost everybody a super admin, or to make all the executives super admins. That’s a risk: if one of those accounts is breached, that person has too much power. So look at what accounts exist, and whether there are accounts you can deprecate.
Google Drive sharing settings: we talked about these already. There are settings for how files can be shared and with whom, and you want to look at those. And use Google Shared Drives. If you are just using My Drives and sharing folders from there, that’s really something you want to correct. We do have a blog post about how challenging it is to correct once it’s already out there, but it’s worth putting on your roadmap to get it addressed.
Login alerts are a nice touch available at the free tier. If you have super admins, you can set it up so that every time a super admin logs in, alerts are sent to the other super admins or account contacts. That’s helpful.
Training staff is really helpful. Explaining how phishing works, helping people understand that email is a threat, and that chats and texts are a threat too, not just email anymore. Those are all things we can do.
We talked about offboarding and the DNS policy to reduce email spoofing. Things like DMARC and DKIM – you can’t stop spoofed emails that your staff might receive from external organizations, because you can only control your own domain. But you can protect your own staff from being fooled by emails that appear to come from inside your organization, and you can prevent the reputational damage of emails that appear to come from your Google Workspace but actually don’t. Because if you haven’t turned up the dial on spoofing protection, someone can send emails that look like they’re from you without actually having access to your system.
Carolyn Woodard: Yeah, and I know we have a blog post on DMARC and DKIM. I’ll have to find it and share it in the transcript as well.
We have one more quick question: is it possible to disable downloading or printing documents in Google Workspace?
Steve Longenecker: Yes, I believe that it is. I’m not sure if that’s available at the free tier. I don’t have that at my fingertips right now.
Carolyn Woodard: We can answer it over on Reddit and will make sure we have the right answer in the transcript.
The answer is that it is not available at the free tier for the admin, but it is available for users individually to prevent their files from being downloaded by others.
For end users (file owners – available on all tiers, including free nonprofit): https://support.google.com/drive/answer/2494886 is the standard Google Help Center article on preventing downloading, printing, and copying for viewers and commenters. The setting is found under File → Share → Settings → uncheck “Viewers and commenters can see the option to download, print, and copy.”
For an admin to control whether files created by staff can be downloaded by others, or whether staff can download something sent to them by others, you would need a paid tier. For admins (requires a paid Workspace tier – DLP/IRM controls): https://knowledge.workspace.google.com/admin/security/dlp-disable-download-print-copy describes this admin-level feature, which uses data loss prevention (DLP) and Information Rights Management (IRM) and can apply restrictions to all collaborators, not just viewers and commenters. This is the more robust option, but it is not available on the free nonprofit tier.
Carolyn Woodard: Now I want to move on to our next poll: which security risk hits closest to home at your organization? This one is multiple choice, so you can choose all that apply. The options are: weak or shared passwords; staff clicking on phishing links; oversharing files in Google Drive; former employee accounts are still active; not sure where our gaps are; and not applicable if you have perfect security. If you have something else, please put it in the chat.
Steve Longenecker: On the oversharing question – anonymous links can be a risk depending on where they’re posted and how they’re used. And there are a lot of different ways you can overshare: files shared externally that shouldn’t be, and so on.
Carolyn Woodard: Someone put in chat: “Staff insist on using personal email and not taking security seriously.” You can try doing more training and trying to bring everyone along on the security journey – why it’s so important and what the risks are – but it takes prioritization and it can be really hard, especially if someone is very set in their ways.
Someone put in the chat: “Forwarding an org email to a personal account.” Steve, can you elaborate on that?
Steve Longenecker: I think it’s a bit of a detail on the first person’s concern about staff insisting on using personal accounts. You can set up automatic forwarding on your organizational email, so you don’t really have to deal with your organizational email because you can just get it in your Gmail or Hotmail or AOL account or whatever.
Carolyn Woodard: Someone else says: “People conducting work on their phone.” And the person who mentioned forwarding to a personal account noted that in higher education it creates compliance issues, healthcare as well, I’m sure. Okay, I’m going to end the poll.
Steve, can you see the results?
Steve Longenecker: Yes. I’m going to read them in order of most popular, not in order of the list. The most popular was staff clicking on phishing links, chosen by 50% of respondents. You can choose more than one, so this isn’t going to add up to 100%, but that makes sense. It’s not only a likely thing, but the risk is really high in terms of what the payoff could be for an attacker, it could be really bad news.
Then weak or shared passwords and oversharing of files in Google Drive were each chosen by about a third of respondents. Former employee accounts still active was chosen by 16, sorry, 16%. And about a third – 29% said they’re not sure where their gaps are.
Carolyn Woodard: That’s fair, right? You don’t know what you don’t know about what might be unsecure. Hopefully this webinar is helping with that.
So our next question is: what if you want more? Do you need to move to the paid tier of Google Workspace to get extra features?
Steve Longenecker: Google Workspace does have extra features. On that earlier slide, we had some of them listed that are paid-tier only, things like data loss prevention and e-discovery. You may need those, and we have a slide coming up to speak to that.
But I did want to highlight that in our view, the next layers you would probably want to add may not even be available, or best available, from Google Workspace, even at the very top tiers.
For example, one of the things our CTO and security expert Matt Eshelman views as a fundamental component of good layered security is a formal security awareness training program with accountability and data collected. Not just an informal training at a staff meeting, or a formal program where, if you missed it, you missed it.
(Anti-phishing training is) not something I’m aware Google offers. We offer that to our clients through a system called KnowBe4, and I like it a lot. There are many options. I’m not endorsing KnowBe4 above the others, but it’s a third-party system. And I would say before I started thinking about higher tiers of Google, I’d want to have that.
Similarly, backups are an overlooked part of security. But when things go wrong, you can be really glad you have them. If there was a breach and someone deleted a bunch of stuff, or the classic ransomware situation where all your files are encrypted and you can’t recover without paying, if you have a backup, you don’t need to pay. We would say that third-party backups are part of the picture. The value of good backups is not to rely on Google for that. In a perfect world, you have it in a completely separate platform.
Google does a great job with their native email protection, but we would also say it’s worth getting advanced email protection from a third party.
And then, you can configure at the higher tiers of Google essentially the same things that a managed cloud detection and response service can do. Things like login alerts, or locking out accounts that try to log in from a country other than the United States. But to me, it makes more sense to use a managed cloud detection and response layer from a third party, where someone else is doing all of that for you. You might pay $5 or $6 per user per month. Not nothing, but that layer from a third party might be better than bumping up your Google Workspace tier.
Carolyn Woodard: But sometimes you might be interested in that upgrade. And we laid out a couple of cases for when that makes sense.
Steve Longenecker: So this is acknowledging that the free tier doesn’t work for everybody. If you’re a nonprofit that handles a lot of financial or healthcare data, you might benefit from bumping up a tier. If you need to do a lot of e-discovery or legal holds, that comes with Google Vault. I think you can actually buy it separately, but it’s included starting at the Google Workspace Business Plus level. And it’s really nice. But that is not something you get from the free tier.
The other thing is that if you do a lot of third-party app integrations with APIs, the free tier doesn’t really provide great management hooks for that. You can set them up, but you don’t have a lot of insight into them. The people who are in these situations probably already know they’re in them – this isn’t really the take-home message for everyone. But it is acknowledging that the free tier is not one-size-fits-all. There are times when you need to be up a couple of levels.
Carolyn Woodard: But you can stay on it. I think a lot of clients come to us thinking, “Now I’m at this level of sophistication, I have to get off Google Workspace and find something more serious and more secure.” And there are giant corporations, big nonprofits, and health systems on Google Workspace. So it can work for you.
Steve Longenecker: Absolutely. And with the nonprofit discount, you still don’t pay full retail price for these products. If an enterprise license is, say, $30 per user per month, you might only be paying around $10. Don’t hold me to those prices, but you get a significant discount. You just don’t get it for free anymore.
Carolyn Woodard: So there are a couple of questions in chat, but I’m going to save them for our Q&A slide, which is coming up, so that we can get through the Google Workspace security best practices first. Some of this is pretty much common sense, but I want to make sure we wrap it up.
Steve Longenecker: Yeah, it’s good to have this opportunity to just talk about the take-home messages.
Starting with what we said at the very beginning: Google does a great job of securing their infrastructure, but you need to do your part with your configurations and settings, and make sure your people are contributing to security – whether that’s through training, checking configurations, and so forth. The nonprofit tier is good. Do start with something.
I would say start with MFA/2SV. If that’s not done, make it your top priority.
Training should be one of your top priorities as well.
And then consider third-party tools as the next layer before you start talking about whether you need to go to Business Plus or Enterprise. For most nonprofits, I would say that’s the right sequence.
And yes, there are times when the free tier is not sufficient, and some layers of third-party tools won’t make as much sense. At the end of the day you’re going to value what, say, Google Enterprise provides.
Carolyn Woodard: I want to make sure we get to some Q&A. So I’m going to go through this slide a bit quickly. This is a slide we use on our regular cybersecurity webinars. If you need that information, all of our previous webinars are under webinars on our website at communityit.com.
This is our generic “what you should do to protect your organization” slide, and it lines up very nicely with what you should do in Google Workspace. There were just a couple of extra quirks in there. I’m so happy, Steve, that you could help us dive into some of those things we need to be aware of if you’re using Google Workspace.
I’m going to put these resources in the chat. Here are some resources on our website and some specific to Google as well, where you can find more support. As I said, Google is so consumer-oriented that they have a lot of very accessible information if you’re looking for more on how to do things in the admin console.
Google for Nonprofits Security Checklist: https://support.google.com/nonprofits/answer/9251886
Google Workspace Security Checklist for Small Organizations: https://knowledge.workspace.google.com/admin/security/security-checklist-for-small-businesses-1-100-users
Google Workspace Security Checklists (all sizes): https://knowledge.workspace.google.com/admin/security/security-checklists
CIT Cybersecurity Readiness for Nonprofits Playbook: https://communityit.com/cybersecurity-readiness-for-nonprofits-playbook/
Nonprofit Data Retention with Ian Gottesman (CIT Podcast): https://communityit.com/podcast-nonprofit-data-retention-with-ian-gottesman/
NTEN Cybersecurity Resource Hub (general, not Google-specific): https://www.nten.org/learn/resource-hubs/cybersecurity
Now we’re going to move right into Q&A. Steve, we have a couple in chat and a couple in the Q&A.
Carolyn Woodard: Here’s one: how can you prevent organizational Google Drive documents from automatically saving to or appearing in a user’s personal Google Drive if they access company links while logged into their personal Google account?
Steve Longenecker: For the most part, when you have given someone access to a file, you are relying on them to handle it appropriately. That’s maybe where training and privacy policy come in – appealing to that whole nonprofit ethos of following the rules for the good of the mission.
Carolyn Woodard: I mean, you could take a screenshot of it, you know, if you’re looking at it.
Steve Longenecker: Yeah, yeah.
Carolyn Woodard: And if there’s a deeper answer, we can give that over on Reddit.
There was another question here: is there a way in the Google Workspace admin to check if users have a weak password?
Steve Longenecker: That’s a good question. I think there is. I haven’t looked at that for a while, but I’m pretty sure you can.
Carolyn Woodard: It would give you – not what their password is, but a reading.
Steve Longenecker: It doesn’t tell you the password, no. But it can apprise you of password strength, and you can also see in the admin portal who has 2SV configured and who has not. That’s an important part of enforcing it. You need to know, when I turn on enforcement, who am I going to lock out? You can see that.
Carolyn Woodard: How can we promote file and information security through Google Mail? I’m aware that sharing confidential information in an unsecured Gmail as an attachment can have security concerns.
Steve Longenecker: It can, yes. Training is one of the things that helps.
At the higher tiers, there’s something called data loss prevention where you can set rules around this – preventing certain things from being attached to emails and so on.
But honestly, to some extent, you can’t force people. People need to follow the rules because they’ve been convinced it’s important for the good of the organization.
I think there’s another angle here, and it goes back to the original poll where a couple of people said their organization took security so seriously it prevented them from doing their jobs. If people are emailing attachments because they believe that’s the best way to get their job done, the motivation is actually the right motivation. We need to figure out as IT administrators: okay, emailing attachments isn’t that secure. So what alternatives do we have that still let people get their jobs done?
Maybe the answer is Google Shared Drives. Save the files there and allow that shared drive to have members who are not in your organization, like outside consultants. So maybe there’s a finance shared drive, and the outsourced accountant is a member of that drive. Your internal finance person isn’t constantly emailing sensitive financial documents to consultants. Instead, the consultants just go right to that shared drive where the stuff is securely saved.
Carolyn Woodard: Yeah, that sounds like good advice.
We have time for one more, and then there are so many more questions in chat that we’re definitely going to cover those over on Reddit after this. And you can always get in touch with me through the website, LinkedIn, or however you want to reach me, if your question wasn’t answered and you really need the answer.
Sorry to the person who wanted to talk about Workspace and Gemini. We are going to have a webinar in the fall that’s about cybersecurity, and we will be talking a lot about AI then. We also did a webinar on cybersecurity and AI specifically in February, so you might want to go back and check that one. I know we mentioned Gemini but didn’t get deep into it.
I thought this question was interesting: do you recommend using the Google Drive app or using the web browser?
Steve Longenecker: Quickly on the Gemini thing: I’d encourage the person who asked that question to Google it, and we can answer it in the Reddit channel later too. There’s a lot of good stuff you can do to control Gemini to some extent, including disabling it if that’s what you need to do.
On the Google Drive app question: it depends, which is a classic consulting answer. If you have typical nonprofit operational and security requirements, the Google Drive app on a PC is really nice and very convenient for the person, as long as you’ve taken steps to make sure the PC is secured: device management, company-owned device, good hygiene on the machine.
If you’re using Google Docs and Sheets rather than Word or Excel, at some point the browser becomes just as convenient anyway, and you probably don’t need the Drive app.
But if I were helping a small nonprofit get set up, I’d probably go ahead and deploy the Google Drive app for the convenience of users. I’m not trying to make life difficult for my users, because if I make life difficult for them, that’s when they start doing things to work around me just to get their jobs done. I understand they’re just trying to do their jobs. So instead, I want to give them the tools so that they can do their jobs within my restrictions. We find that balance.
Carolyn Woodard: I’m sorry to hurry you along, but in the interest of time, for people who can stay over a minute or so, we might go just over. I apologize. I went quickly through our learning objectives, and I think you hit them all just wonderfully, Steve. Thank you so much.
I want to make sure to let people know that next month I’ll be going back to AI topics. We’ll be welcoming some experts to talk about where you go with AI at your nonprofit if you’re past the experimenting phase: how do you get to an AI that’s genuinely embedded in what your organization does and how you work? We’re going to learn about an AI maturity model that PTKO Consulting uses to help their clients implement AI intentionally.
If you’re new on your AI journey, we have a lot of other resources on our site about getting started, ethical frameworks, and creating AI policy, including a template you can download.
I’m really excited about this upcoming webinar because there are a lot of webinars out there around the early stages of AI, and we do have clients who have been using AI for over a year and want to know the next steps. How do you take that next step?
Our guests, Mimi and George, are going to share what best practices are out there. This is an evolving space, and there aren’t nonprofits who have been using AI for much longer than that. But if that is where you are on your AI journey, please join us again next month. That’s at 3 p.m. Eastern, noon Pacific on Wednesday, July 15th. I just shared the registration page in the chat, and it’s on our website at communityit.com.
Please don’t forget, as you exit today, to take our short survey. It’s six easy questions, one lucky winner chosen at random receives a $25 gift certificate, and it really helps us.
Then join us on Reddit at r/nonprofitITManagement for more Q&A. We had a bunch of questions in the queue that we’re sorry we couldn’t get to – there are some really good ones in there. Steve is going to come over on Reddit for another 15 to 20 minutes to answer some of those questions. And we will see you here next month, I hope, with our next monthly webinar.
Thank you everyone for joining us. Your time is a gift. You spent an hour with us and we really appreciate it.
Steve, thank you so much for sharing all your expertise and wisdom about Google Workspace. It’s so easy to get into, but it’s not super easy to make sure you’re doing everything right. We really appreciate your time today.
Steve Longenecker: Thank you, and thanks to all the people who were chatting and helping answer questions. I love the community spirit. That was really great to see.
Carolyn Woodard: It really was. Thank you again, everyone, and we will see you over on Reddit.
As advocates for using technology to work smarter, we’re practicing what we recommend. This transcript was drafted with the assistance of AI, and is not a verbatim transcript. The content was edited for clarity, and was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.