What Gets Measured Gets Managed: M365 Security Assessment for a NSW Not-for-Profit
Company: A NSW Not-for-Profit Organisation
Industry: Not-for-Profit
Location: New South Wales, Australia
Services Offered: M365 Security Assessment & Monthly Reporting
Microsoft 365 Security Assessment & Monthly Reporting for NSW NFP
A New South Wales not-for-profit with around 500 Microsoft 365 users (286 Business Basic, 200 Business Premium, 12 Business Standard) needed confidence that its Microsoft 365 security controls were actually working — not just configured once and forgotten.
Handling sensitive personal information and operating under the Australian Privacy Act and Notifiable Data Breaches (NDB) scheme, the organisation faced real compliance and reputational risk if a breach went undetected.
They had already implemented:
- Multi-Factor Authentication (MFA)
- Conditional Access (including country blocking and risky sign-in policies)
But they lacked:
- Structured security reporting
- A measurable baseline
- Ongoing visibility for leadership into whether controls were effective
---
The Challenge
Like many not-for-profits, the organisation had a familiar problem: security controls were set up once and never revisited.
At the time of the initial assessment:
- Microsoft Secure Score: 47.83% of maximum
- More than 467 additional points were available
- In practice, this meant over half of Microsoft’s recommended security controls were not in place
Specific issues highlighted the risk behind the number:
- 17 external admin email forwarding rules
  - Each a known indicator of possible account compromise or data exfiltration
- 7 internal admin forwarding rules
  - Flagged for review due to elevated privilege
- Microsoft Teams fully open
  - All external organisations allowed
  - Guest access enabled
  - No domain restrictions
- Risky user sign-in event
  - Anonymous IP address
  - Had occurred and gone unreviewed
- 140 security recommendations sitting unaddressed
  - More than 467 Secure Score points achievable
- No monthly reporting framework
  - Leadership had no visibility of these issues
For an organisation bound by the NDB scheme, this lack of visibility meant a real risk of an undetected breach leading to mandatory OAIC reporting and reputational damage.
---
What Technowand Delivered
Technowand implemented an ongoing Microsoft 365 Security Assessment & Monthly Reporting service, covering:
- Identity and access
- Email security
- Endpoint management
- Data protection