June 3, 2026
Big Security on a Small Budget: What I Learned From a Not-for-Profit Case Study
You don’t need a six-figure SIEM to protect community data. You need the right basics, free tools, and people who care.
Shohrab Niaz
"Just get a firewall, and you'll be fine."
I've heard that line more times than I can count — usually from people running small organisations with no dedicated IT team, no security budget, and a growing pile of laptops nobody's quite sure how to manage.
I recently worked through a case study for a fictional not-for-profit I'll call E-Corp: a community organisation with outreach staff, donated equipment, and basically zero security infrastructure. Laptops stored in an unlocked storeroom. No patch management. Staff clicking through installer prompts like it was nothing. A flat network where anything could talk to anything.
Sound familiar? That's not an edge case. That's most small community organisations I've seen.
The assignment forced me to stop thinking like a student listing controls and start thinking like someone who actually has to defend an org with no money. Here's what I learned — and what I'd tell any small org leader who thinks security is a luxury they can't afford.
The real problem isn't budget — it's visibility
Most small orgs don't fail at security because they can't afford Palo Alto firewalls. They fail because they have no idea what's happening on their own devices.
When I mapped E-Corp's environment, the attack surface wasn't exotic. It was mundane:
- Unpatched operating systems (the #1 initial access vector for real attackers)
- Physical access to devices with no encryption
- No monitoring — so a breach could run for months undetected
- A non-technical workforce that's genuinely trying to help, but will approve a malicious prompt if it looks official
These aren't theoretical risks. They're the exact conditions ransomware groups and opportunistic attackers look for.
The good news? The fixes don't require enterprise money. They require frameworks, discipline, and a handful of free tools.
Layer 1: Patch everything, automatically
This sounds boring. That's because it works.
Unpatched vulnerabilities remain the most common way attackers get in — not zero-days, not nation-state hackers, just known bugs nobody bothered to fix. For E-Corp, I recommended automated patch management through whatever platform they already had access to. Microsoft Intune, for example, is heavily discounted under charity licensing programmes. If you're running Windows in a small org, check whether you qualify.
The principle is simple: humans forget to update. Automation doesn't. Set it, enforce it, and stop treating "we'll get to it next week" as a security strategy.
Layer 2: MFA is non-negotiable
If you do one thing this week, make it this: turn on multi-factor authentication for email and every cloud service your org uses.
Email is the skeleton key to most small org breaches. Compromise one inbox and an attacker can reset passwords, impersonate staff, and pivot into everything else. MFA stops the vast majority of credential-stuffing and phishing attacks cold.
It's free on Google Workspace and Microsoft 365. There's no excuse.
Layer 3: Encrypt the devices you can lose
E-Corp kept laptops in an unlocked storeroom. That's an extreme example, but the underlying risk is universal: portable devices get lost, stolen, or left on trains.
Full-disk encryption — BitLocker on Windows, FileVault on Mac, native protections on iOS and Android — means a stolen laptop is a hardware loss, not a data breach. Enable it org-wide. Make it a policy, not a suggestion.
For mobile devices, enrol them in a Mobile Device Management (MDM) platform. Segregate work data into a managed profile, require screen locks, and support remote wipe. You don't need a Fortune 500 MDM suite; many affordable options exist for small teams.
Layer 4: Remove local admin rights
This one hurts feelings, but it matters.
Non-technical staff approving installer prompts is how malware gets in. If users can't install software without approval, you eliminate an entire class of attacks. Pair this with application control on servers — only approved executables run — and you've closed another common door.
Yes, someone will complain they can't install their favourite PDF tool. That's the trade-off for not getting ransomware.
Layer 5: Monitoring without the Splunk bill
Here's where it gets interesting for budget-conscious orgs.
Enterprise SIEM platforms like Splunk cost more than most not-for-profits spend on IT in a year. But the capability — aggregating logs, detecting anomalies, alerting on suspicious behaviour — doesn't have to.
I recommended Wazuh, an open-source unified SIEM and XDR platform. With no licensing fees, it handles:
- Host-based intrusion detection
- Log aggregation across endpoints
- File integrity monitoring
- Vulnerability detection
Pair it with LibreNMS for network monitoring (SNMP-based visibility into switches, access points, and firewalls), and you can host both on a single modest virtual server.
One administrator can triage alerts from a single console. You won't have a 24/7 SOC, but you will have situational awareness — the ability to see when something's wrong instead of finding out from a client three months later. That's the difference between security theatre and security that actually works.
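To make "situational awareness" concrete, here is the kind of correlation rule a SIEM such as Wazuh applies to aggregated endpoint logs: count failed logins per source within a short window, raise a medium alert when a source crosses a threshold, and raise a high alert if that same source then logs in successfully. This is an added illustration written for this post, not Wazuh's code or rule set; the sshd-style log lines, hostnames and addresses (RFC 5737 test ranges) are constructed, and the threshold and window are assumptions.

```python
"""Brute-force / success-after-failures detection over constructed auth logs.

Added example: the correlation logic a SIEM applies to aggregated logs,
written in plain Python so the idea is visible. Not Wazuh's own rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (ISO timestamps, syslog/sshd-style messages).
# 203.0.113.7 hammers the box and then gets in; 192.0.2.44 is a staff
# member with one typo; 198.51.100.9 fails slowly enough to stay under
# the window; one line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
2026-06-03T09:00:01 outreach-laptop sshd[1201]: Failed password for admin from 203.0.113.7 port 51012 ssh2
2026-06-03T09:00:03 outreach-laptop sshd[1202]: Failed password for admin from 203.0.113.7 port 51013 ssh2
2026-06-03T09:00:06 outreach-laptop sshd[1203]: Failed password for invalid user root from 203.0.113.7 port 51014 ssh2
2026-06-03T09:00:09 outreach-laptop sshd[1204]: Connection closed by 203.0.113.7 port 51014 [preauth]
2026-06-03T09:00:11 outreach-laptop sshd[1205]: Failed password for admin from 203.0.113.7 port 51015 ssh2
2026-06-03T09:00:15 outreach-laptop sshd[1206]: Failed password for admin from 203.0.113.7 port 51016 ssh2
2026-06-03T09:00:20 outreach-laptop sshd[1207]: Accepted password for admin from 203.0.113.7 port 51017 ssh2
2026-06-03T09:04:55 outreach-laptop sshd[1301]: Failed password for maria from 192.0.2.44 port 40210 ssh2
2026-06-03T09:05:00 outreach-laptop sshd[1302]: Accepted password for maria from 192.0.2.44 port 40211 ssh2
2026-06-03T09:10:00 outreach-laptop sshd[1401]: Failed password for admin from 198.51.100.9 port 6001 ssh2
2026-06-03T09:10:10 outreach-laptop sshd[1402]: Failed password for admin from 198.51.100.9 port 6002 ssh2
2026-06-03T09:10:20 outreach-laptop sshd[1403]: Failed password for admin from 198.51.100.9 port 6003 ssh2
2026-06-03T09:10:30 outreach-laptop sshd[1404]: Failed password for admin from 198.51.100.9 port 6004 ssh2
2026-06-03T09:12:00 outreach-laptop sshd[1405]: Failed password for admin from 198.51.100.9 port 6005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

FAIL_THRESHOLD = 5            # assumption: 5 failures ...
WINDOW = timedelta(seconds=60)  # ... within 60 seconds from one source


def parse_line(line):
    """Return a dict for a password-auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text):
    """Run the two correlation rules over the log and return the alerts raised."""
    alerts = []
    failures = defaultdict(list)  # source address -> failure timestamps in window
    fired = set()                 # sources already alerted on, to avoid repeats
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        # Slide the window: forget failures older than WINDOW.
        failures[src] = [t for t in failures[src] if ts - t <= WINDOW]
        if ev["outcome"] == "Failed":
            failures[src].append(ts)
            if len(failures[src]) >= FAIL_THRESHOLD and src not in fired:
                fired.add(src)
                alerts.append({"rule": "brute_force", "level": "medium",
                               "src": src, "host": ev["host"], "at": ts.isoformat()})
        elif len(failures[src]) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the one to wake up for.
            alerts.append({"rule": "success_after_failures", "level": "high",
                           "src": src, "user": ev["user"], "host": ev["host"],
                           "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['level']}] {a['rule']} on {a['host']} from {a['src']} at {a['at']}")
```

Two things the sample is built to show: the unrelated "Connection closed" line is ignored rather than mis-counted, and the slow source (198.51.100.9) never trips the rule because its failures age out of the window. Tuning those two parameters, and deciding which alerts page someone, is most of the work of running a SIEM on a small team.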
Layer 6: Backups you can actually restore from
Modern ransomware doesn't just encrypt your files. It deletes backups, exfiltrates data, and waits.
The 3–2–1 rule still applies: three copies of your data, on two different media, with one copy offline and immutable. Most importantly, test your restores. A backup you've never restored from is a hope, not a plan.
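"Test your restores" can be scripted so it happens on a schedule instead of being hoped for. The following added example (not from the original post) records a SHA-256 manifest of the live data when a backup is taken, later restores the backup into a scratch directory, and checks every file against that manifest, so a missing or silently corrupted file fails the test. The source tree, backup location and file names are constructed in a temporary directory for the demonstration.

```python
"""Restore test: prove a backup can be restored, file for file.

Added example, not the post's or any backup product's code. The data,
directories and the simulated damage are all constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def take_backup(source, backup_dir):
    """Copy source to backup_dir and return the manifest recorded at backup time."""
    shutil.copytree(source, backup_dir, dirs_exist_ok=True)
    return build_manifest(source)


def verify_restore(backup_dir, restore_dir, manifest):
    """Restore backup_dir into restore_dir and compare against the manifest.

    Returns a dict with 'ok', 'missing' and 'corrupt' path lists plus a
    'passed' flag. A restore only passes when nothing is missing or altered.
    """
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    restored = build_manifest(restore_dir)
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    result["passed"] = not result["missing"] and not result["corrupt"]
    return result


def run_demo():
    """Back up constructed data, verify it, then damage the backup and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bak = tmp / "source", tmp / "backup"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "intake.csv").write_text("name,phone\nconstructed,000\n")
        (src / "donors.txt").write_text("constructed donor list\n")

        manifest = take_backup(src, bak)
        good = verify_restore(bak, tmp / "restore1", manifest)

        # Simulate what an untested backup can hide: one file gone, one overwritten.
        (bak / "donors.txt").unlink()
        (bak / "clients" / "intake.csv").write_text("garbage")
        bad = verify_restore(bak, tmp / "restore2", manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("healthy backup passed:", good["passed"])
    print("damaged backup passed:", bad["passed"], "missing:", bad["missing"], "corrupt:", bad["corrupt"])
```

The manifest is the important part: keep it somewhere the backup job cannot overwrite, otherwise an attacker (or a bug) that rewrites the backup can rewrite the manifest to match. Restoring to a scratch location rather than in place is what makes this safe to run every week.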
The frameworks that tie it together
I didn't invent this stack from scratch. I mapped it to established frameworks:
- ACSC Essential Eight: Australia's benchmark for mitigating targeted intrusions. Start at Maturity Level One if you're beginning from zero.
- CIS Benchmarks: Auditable, consensus-based hardening templates for every major OS.
- NIST SP 800-123 and 800-124: Server and mobile device security guidelines.
These aren't academic exercises. They're free, practical checklists that tell you exactly what "good enough" looks like for your size and risk profile.
The human layer nobody budgets for
Technical controls only work when people understand why they exist.
E-Corp's workforce is community-facing and non-technical. They're exactly the population most likely to fall for social engineering. Mandatory annual cyber-awareness training isn't optional — it's part of the control stack.
Teach staff to recognise phishing. Teach them that urgency is a red flag. Teach them that IT will never ask for their password over email. Then test them. Simulated phishing campaigns are uncomfortable, but they are incredibly effective.
What I'd tell a small org leader tomorrow
If I sat down with E-Corp's leadership (or yours), I'd say this:
- Stop waiting for the budget. Most of what matters is free or heavily discounted for nonprofits.
- Start with visibility. You can't protect what you can't see.
- Automate the basics. Patching, MFA, encryption — make these defaults, not decisions.
- Use open source where it makes sense. Wazuh and LibreNMS aren't toys. They're production-grade tools used by organisations worldwide.
- Train your people. The best firewall in the world won't stop someone from clicking "Enable Macros."
Security isn't a luxury for big companies. Non-profits hold community data — sometimes the most sensitive data of all. Names, health information, financial details, and stories people trusted you with.
Protecting that data doesn't require Splunk money. It requires caring enough to do the basics well.
What's the one security control your organisation keeps putting off? I'd genuinely like to know — drop a comment or connect with me here on Medium.