SMART Enhances Security with a Security Audit

Background

The SMART Program (Schools, Mentoring, and Resources Team) is a 501(c)(3) nonprofit organization dedicated to providing educational resources and scholarships to students from underserved communities. Given the sensitive nature of student data, donor information, and operational records it manages, maintaining a secure digital environment is a top priority for SMART.

The Challenge

SMART operates without dedicated IT or cybersecurity personnel. The operations team, including the Director of Finance and Operations and the People and Culture Manager, manages IT responsibilities, with the Director of Finance and Operations serving as the self-taught Google Workspace Super Admin. This setup is common among nonprofits of similar size, where staff take on multiple roles, including IT management. While SMART was already taking security seriously, they recognized the need for an external review to strengthen their security posture further.

The Solution

A Google Workspace Security Audit was conducted for SMART, leveraging volunteer resources from Suitebriar, a Google Cloud Premier Partner. This audit provided a comprehensive review of security settings, policies, and best practices, identifying vulnerabilities and areas for improvement.

Key Focus Areas of the Audit:

  • Identity and authentication controls, including user provisioning and account recovery
  • Administrative access management
  • Data loss prevention (DLP) and file-sharing restrictions
  • Email security, including phishing protections and encryption
  • Incident response planning and security alert configurations
  • Evaluation of existing security tools, including Dashlane (organization-wide password management system)
  • Management of student accounts (hundreds of users across the organization)

The audit process followed a structured approach:

  • Assessment: A thorough evaluation of SMART’s Google Workspace security settings and policies.
  • Implementation Plan: A detailed action log prioritizing security enhancements.
  • Enablement: Training and documentation provided to SMART’s team for ongoing security management.

Key Findings and Improvements

The audit revealed several key security gaps:

  • Opportunity to Gain Enhanced Device Management: SMART had an opportunity to improve device management for MacBooks using a third-party software solution.
  • Opportunity to Improve Access Controls: Several administrator accounts had excessive privileges, presenting a chance to optimize security settings.
  • Lack of Multi-Factor Authentication (MFA): Few accounts had MFA enabled, making them vulnerable to phishing and credential theft.
  • Unrestricted File Sharing: Google Drive sharing settings were not appropriately restricted, potentially exposing sensitive data.
  • No Formal Incident Response Plan: SMART lacked a structured approach for handling security incidents.
  • Opportunities for Improved Account Management: Some student accounts were inactive but still enabled, presenting an unnecessary security risk.

Following the audit, critical security improvements were implemented:

  • Enforced multi-factor authentication (MFA) for all users.
  • Restricted administrative access based on the principle of least privilege.
  • Configured data loss prevention (DLP) policies to safeguard sensitive student and donor information.
  • Strengthened Gmail security settings to block phishing attempts and unauthorized email forwarding.
  • Established an incident response plan to improve cybersecurity readiness.
  • Reviewed and optimized student accounts, suspending those that were inactive.
  • Reinforced security training, incorporating SMART’s existing KnowBe4 40-minute annual phishing awareness program.

Impact and Outcome

By leveraging expert resources, SMART significantly improved its cybersecurity posture. The Director of Finance and Operations now has a clearer framework for managing IT security, and the organization has a structured approach to protecting its digital assets.

Key Results:

  • 80% reduction in administrative accounts with excessive privileges.
  • 100% of user accounts now protected with MFA.
  • Data sharing policies aligned with best practices to prevent unauthorized access.
  • Improved awareness and security training for SMART staff, complementing their existing KnowBe4 phishing awareness program.

A Stronger, More Secure Future

SMART’s security enhancements have strengthened its ability to protect the sensitive data it manages—ranging from student records and scholarship applications to financial transactions and donor details. With a more resilient security framework in place, SMART can focus on its core mission of supporting education without the burden of cybersecurity risks.

This engagement ensured that SMART can operate confidently in an increasingly digital world.

Project Stakeholders

Alicia Orozco

Operations, People, and Culture Manager at SMART

Andrew Fantone

Volunteer
Professional Google Workspace Administrator at Suitebriar Inc.

Jennifer Brown

Senior Director of Finance & Operations

Christopher Jones

Project Sponsor

CEO, Suitebriar Inc. 

Interim Executive Director, Mission Secure