Community IT Innovators Nonprofit Technology Topics

Securing Google Workspace for Nonprofits with Steve Longenecker pt 2

Community IT Innovators Season 7 Episode 48

In Part 2 of the Securing Google Workspace for Nonprofits webinar podcast, Carolyn Woodard and Steve Longenecker, Director of IT Consulting at Community IT, move from foundational configurations into the question every nonprofit eventually asks: do we need to pay for a higher tier of Google Workspace to get real security?

The short answer is: probably not right away. Steve walks through the third-party tools that should come before a tier upgrade for most nonprofits: formal security awareness training, third-party backups, advanced email protection, and cloud monitoring. 

He explains when a paid Google Workspace tier does make sense, particularly for organizations handling financial or healthcare data, legal holds, or complex app integrations. 

The conversation closes with a lively Q&A session drawn from attendee questions and poll results, covering oversharing in Google Drive, data loss prevention, password strength visibility in the admin console, and how to give staff secure, convenient ways to do their jobs without creating unsecured workarounds.

Haven't listened to Part 1 yet? Find it in your podcast feed.

This episode covers:

  • Why third-party tools for security awareness training, backups, and advanced email protection are the right next layer for most nonprofits, before considering a paid Google Workspace tier.
  • When upgrading to a paid tier does make sense: handling sensitive financial or healthcare data, e-discovery and legal holds via Google Vault, or managing frequent third-party app integrations.
  • Nonprofits still receive significant discounts on paid Google Workspace tiers; you just won't get them for free.
  • You can find out which staff members have and haven't set up two-step verification before you enforce it so no one gets locked out unexpectedly.
  • Making security convenient matters as much as making it mandatory: if IT makes it too hard for people to do their jobs, staff will find workarounds.

Thanks for listening. 


Carolyn Woodard

Hello everyone. Thank you for joining us at the Community IT webinar, Securing Google Workspace for Nonprofits with Steve Longenecker. My name is Carolyn Woodard. I am the outreach director for Community IT and the moderator today.

Steve Longenecker

I'm Steve Longenecker, and I'm the director of IT Consulting at Community IT.

Carolyn Woodard

All right, now I want to move on to our next quiz / poll, which is which security risk hits closest to home at your organization? And this one is multiple choice, so you can choose all that apply. And the first option is weak or shared passwords. Staff clicking on phishing links. You may already have had that. Oversharing files in Google Drive. And by that, Steve, we mean like when you say this link is everyone can use this link.

Steve Longenecker

Maybe. I mean that might be one risk, or that um uh uh files that are shouldn't be shared externally or shared externally. I mean there's a lot of different ways that you can overshare that you can overshare. Um I I do think um, you know, anonymous links can be can be a risk um depending on who where where they're posted and how they're used.

Carolyn Woodard

All right. Um former employee accounts are still active. Uh not sure where our gaps is, that's a valid answer. Um, if you have something other and you don't mind putting it in chat, uh we'd love to hear if there's something that we didn't um capture here that you are worried about at your organization and not applicable if this is, you know, you have perfect security. So um someone yeah,

Carolyn Woodard

Someone put in chat. Yeah. The staff insist on using personal email uh and not taking security seriously. That is um, you know, you can try doing more of the training and um uh you know trying to bring everyone along on the security journey of why it's so important and what the risks are, but it takes prioritization and it can be really hard. And especially if it's somebody that's very set in their ways, um, that can be hard. Um

Carolyn Woodard

Someone put in the chat forwarding an org email to a personal account. I'd love to hear a little elaboration on that because I'm not sure.

Steve Longenecker

Um I think what they there is it's it's sort of a uh some detail on the first person's concern about insisting when using personal accounts. Personal email. So you can you can set up an automatic forwarding on your organizational email. Therefore, you don't have to really worry about your organizational email because you can just get it in your in your Gmail or Hotmail or AOL account or whatever. Yeah.

Carolyn Woodard

Uh someone says conducting work on their phone. People conducting work on their phone. And um yeah, the

Carolyn Woodard

The person who said forwarding the org email to a personal account, if you're in higher education, it creates compliance issues, I'm sure, like healthcare as well. So, okay, I'm going to end the poll. Uh we've had pretty good participation and um share it,

Carolyn Woodard

Steve. Can you see that?

Steve Longenecker

Yes. Uh so I'm gonna read it not in order of the list, but just in the order of uh most popularity.

Steve Longenecker

So the the most popular was the staff clicking on phishing links, was uh chosen by 50% of our staff. Of course, you can choose more than one thing, so um, this isn't gonna add up to 100, I don't think. But uh that makes sense. And it is like one of the places where not only maybe is it like a likely thing, but it's also like the risk is high in terms of what the payoff could be. It could be really bad news if it happens. Uh,

Steve Longenecker

And then we had uh weak or shared passwords and oversharing of files in Google Drive. That was chosen by a third of our respondents. Um, both of them were chosen by a third of our respondents. Um,

Steve Longenecker

Former employee accounts are still active, was chosen by 16, I'm sorry, by 16%.

Steve Longenecker

And then we had about a third, 29%, saying they're not sure where the gaps are.

Steve Longenecker

And then we we did get some others that were chatted there.

Carolyn Woodard

Yeah. And that's, I mean, that's fair, right? That you don't know what you don't know about what might be unsecure. So hopefully this webinar is helping you with that. Um,

Carolyn Woodard

So our next question is what if you want more? Um, do you need to move to the paid tier of Google Workspace to get those extra features?

Steve Longenecker

So the Google Workspace does have extra features. And we we in that uh earlier slide, we had some of the ones um listed that are like uh paid tier only, things like data loss prevention and e-discovery and so forth. And and you may need those, and we have um a slide coming up to speak to that.

Steve Longenecker

But I did want to highlight that in in our view, um the next layers that you would probably want to add may not even be available or best available from Google Workspace, even at the very top tiers.

Steve Longenecker

So, for example, one of the things that that our uh CTO and security expert Matt Eshelman views as like a fundamental component of good layered security as a formal security awareness training program where there's accountability and data collected, and you know, we this is not just an informal training, you know, at a staff meeting ad hoc. And if you missed that staff meeting, you missed it. Like this is like a formal training program.

Steve Longenecker

That's not something that I'm aware Google offers. Like we offer that to our clients through a system called KnowBe4, and I like it a lot. I think it's a good system. There's many. I I don't, I'm not endorsing KnowBe4 above the other ones, but that's a third-party system. And I would say before I started thinking about the higher tiers of Google, I'd want to have that. Um,

Steve Longenecker

Similarly, backups are an overlooked part of security. But when things go wrong, you can be really glad, like if there was a breach and someone deleted a bunch of stuff uh as part of a breach, or you know, the classic um uh thing where uh all your files are encrypted ransomware, and you can't you can't um recover your files without paying the ransom. If you have a backup, you don't need to recover the files because you have a backup. I would say that we would say that backups from a third party are part of the the value of good backups is not to rely on Google for that. Um

Steve Longenecker

Google does have retention schemes, and at the higher tier, you can you can put some e-discovery like protections on on files being backed up. But in a perfect world, you're not relying on Google at all. You have it in a completely separate platform. So that would be another third-party service that you could buy. Um

Steve Longenecker

Google does a great job with their native email protection, but if you want like we would say it's worth getting um a third-party backup, advanced email protection, sorry, an advanced email protection from a third party. Um,

Steve Longenecker

And then finally, you can configure in at the higher tiers of Google essentially the same things that a managed cloud detection and response can do. Things like uh we talked about uh login alerts. You can configure those. You can you can get into the weeds and say, hey, if someone tries to log in to this account from a country other than the United States, we want to lock them out. And you know, you can do you can set up all of these rules, and that is available in a higher tier of Google Workspace.

Steve Longenecker

But to me, it makes more sense to use, like, and this is a service that, again, we would offer to our clients, but it's not saying you need to buy it from us. I mean, there's lots of places that would sell this. But a managed cloud detection and response layer on top of Google Workspace where someone else is doing all of that for you probably makes more sense. You might pay $5 per user per month or or $6 per user per month. You know, something, not nothing, but having that uh layer from a third party might might uh be better than than bumping up um your your Google Workspace tier.

Carolyn Woodard

But sometimes you might be interested in that. And we laid out a couple of cases, so you want to have a lot of different things. Yeah. Yeah.

Steve Longenecker

So this is the acknowledgement that that the free tier doesn't work for everybody, right? So um if you're a nonprofit that handles a lot of financial data or or healthcare data, you might be might be benef benefiting from bumping up a tier. Um if you if you need to do a lot of e-discovery or legal hold holds, that's something that comes in with a product in the platform called Google Vault. I think you can actually buy it separately, but it's also included, I think it starts at the Google for Business Plus level. Um and it's really nice. Um, but you can, but that is that is not something that you get out of the free tier. Um,

Steve Longenecker

And then the other thing that we would say is that if you do a lot of third-party app integrations with APIs and so on, the free tier doesn't really do a great job of providing the management hooks for that. Like it allows you to set them up, but then you don't really have a lot of insight into them. And so if you're doing it a lot, and this is the I think the people that are in these situations probably know they're in these situations. So I don't necessarily think this is like the slide that's the take-home message, and that everyone's gonna like, oh, thank goodness Steve mentioned that since we're, you know, getting sued all the time, we should probably have, you know, a higher tier of Google. Like, you know that already, but um, but it is acknowledging that the free tier is not gonna, it's not a one-size-fits-all. There are times when you need to be up a up a couple levels.

Carolyn Woodard

But you can be. I mean, that's the thing. I think a lot of clients come to us thinking that, well, now I'm at this level of sophistication. I have to get off of Google Workspace and find something more serious and more secure. And there are giant corporations, big companies, big nonprofits, health systems, with Google Workspace. So that's right, it can work for you. Yeah.

Steve Longenecker

Absolutely, absolutely. And and the nonprofit discount, it's it's it it you don't you still don't pay the retail price for these products, right? So, like if if a if an enterprise license is, you know, $30 per user per month, and I'm just I don't have that number in my head, but if that's what it is, you might only be paying $100 again. Don't hold me to those prices, but you get a significant discount. Um you just don't get it for free anymore.

Carolyn Woodard

So there's a couple of questions in chat, but I'm gonna save them for our Q&A slide, which is coming up so that we can get over this uh Workspace, Google Workspace security best practices. And some of this is pretty, I don't know, common sense, but um I want to make sure that we wrap it up.

Steve Longenecker

Yeah, it's good to have this, you know, opportunity to just take talk about the take-home messages. Um yeah,

Steve Longenecker

Starting out with the fact that, as we said at the very beginning, um Google does a great job of securing their infrastructure, but you need to do your part to make sure that your configurations and settings and that your people are contributing to security, um, whether that's through uh, you know, you're doing trainings for them and uh checking checking uh their the security, the the configurations and so forth. Um but the the nonprofit tier is good. Um do start with something.

Steve Longenecker

And I would say, you know, MFA/2SV, if if that's not done, just make that your top priority. Um

Steve Longenecker

Training can be one of your top priorities as well. Um

Steve Longenecker

And then consider these third-party tools as the next layer before you start talking about like whether you need to go to Business Plus or Enterprise for most um nonprofits, I would say.

Steve Longenecker

And then, yes, there are times when uh the free tier is not sufficient and and some layers of of third-party tools don't make as I mean, you might still have those, but you at the end of the day are gonna be valuing what let's say Google Enterprise provides.

Carolyn Woodard

Um I want to make sure we get to some Q&A. Um, so I'm gonna go through this slide a little bit quickly. This is a slide that we use on our regular cybersecurity webinars that we do, which if you need that information, uh all of our previous webinars are under uh webinars on our website, communityit.com. So you can find all of the videos there. Um but I thought it was interesting.

Carolyn Woodard

This is kind of our generic what you should do to protect your organization slide. And it really uh lines up very nicely with what you should do in Google Workspace. There's just a couple of extra little quirks and turns in there. So I'm so happy, Steve, that you could um help us, you know, dive in a little bit on some of those things that we need to make sure to be aware of if you're using Google Workspace.

Carolyn Woodard

I'm gonna put these resources in the chat so that you all have them. Um, here's some resources on our our website and uh some that are specific to Google as well, um, where you can find more support, more information.

Carolyn Woodard

As I said, Google is so consumer oriented and they don't assume that everyone that's using Google Workspace is an admin and it you know has a tech background. So they have a lot of very accessible information if you're looking for more, you know, how to do some of the things on the admin console. Um, so you can have those uh all those resources are in chat. So

Carolyn Woodard

I'm gonna move right on to the Q&A. And um, Steve, we have a couple in chat and a couple in Q&A. So let me um just go back quickly. And um,

Carolyn Woodard

Here was one on how can you or how can you prevent organizational Google Drive documents from automatically saving to or appearing in a user's personal Google Drive if they access company links while logged on to their personal Google account. Is that possible? I mean, it seems like if you have an organization account, you download that document, you can then upload it to your personal account, unless there's a policy against that.

Steve Longenecker

When you are for the most part, the model, and it's not just for Google, it's you know, with most models, when you have given someone access to a file, you're you are giving them access to the file and you're relying on them to, you know, then that's maybe where training and um uh privacy policy. Uh accountability, not accountability, uh training and and people being good stewards, you know, trying to appeal to the that whole nonprofit um ethos that like you need to do this for the good of the mission, you know, follow the rules kind of thing.

Carolyn Woodard

I mean you could take a screenshot of it, you know, if you're looking at it.

Steve Longenecker

Yeah, yeah.

Carolyn Woodard

And we can, if there's a deeper answer, we can give that over on Reddit. Um

Carolyn Woodard

There was another question here. Is there a way in Google Workspace admin to check if users have a weak password?

Steve Longenecker

That's a good question. Yeah, I think that there is. Um I haven't looked at that for a while, but I'm pretty sure that you can uh

Carolyn Woodard

It'll give you just not what their password is, but a reading.

Steve Longenecker

It doesn't not tell you the password, no, but it can it can apprise you of of and you can also see in the in the admin portal who has a configured 2SV and who has not. Um and that's that's kind of an important part of enforcing it is you need to know kind of, okay, when I turn on enforcement, who am I gonna lock out? Okay and you can and you can see that, yeah.

Carolyn Woodard

Um here's a question. How can we promote file and information security through Google Mail? I'm aware that sharing confidential information in an unsecured Gmail as an attachment can have security concerns.

Steve Longenecker

It can, yes. And uh, you know, I think training is one of the things.

Steve Longenecker

There is all sorts of at the higher tiers, you can do a lot of the that's called a data loss protection. You can you can set rules around some of this stuff, like you know, preventing things from being attached to emails and so on.

Steve Longenecker

But honestly, it's like to some extent, um you can't you people need to do things because they've been ex they've been convinced that it is, you know, they need to do follow that it's that it's important for the good of the organization to follow these rules. Um

Steve Longenecker

I do think though that another angle on and this might go back to the uh original poll where a couple people, two people I guess, said that maybe their organization took security so seriously that it prevented them from doing their jobs. So, in some ways, that question about hey, you know, what if if people are emailing, like emailing an attachment in a Gmail may not be as secure as like sharing a link of the file or sharing it in some more secure manner. Well, then we need to make sure that our users are able and trained on how to do those more secure ways. Like if they're emailing attachments because they believe that's the best way for them to get their job done and they want to get their job done, that the motivation there is the right motivation.

Steve Longenecker

So we need to figure out as IT administrators, okay, but that's not that's not very secure. So what can we do? What alternatives do we have that you can still get your job done? So maybe, you know, Google shared drives, save the files there and allow this one shared drive to have members, you know, that are not in your organization, but they're like the outside consultants.

Steve Longenecker

So maybe there's a finance shared drive and the finance uh, you know, the outsourced accountant is a member of that shared drive, and therefore your um your internal finance person isn't constantly emailing sensitive financial documents to these consultants. Instead, the consultants just go right to that shared drive where the stuff is, you know, uh securely um saved.

Carolyn Woodard

Yeah, no, that sounds like good advice. Um

Carolyn Woodard

We have time for one more, and then there's so many more questions in the chat. So we're definitely gonna have those over on Reddit after this. Um and you can always get in touch with me as well, you know, through the website or you know, on LinkedIn, uh, or you know, however you want to get in touch with me if you have another question or your question wasn't answered and you really need the answer. Um,

Carolyn Woodard

Sorry to the person who wanted to talk about Workspace in Gemini. Uh we are gonna have um a uh webinar in the fall that's about cybersecurity. We will talking, be talking a lot about AI then, and we did a webinar on cybersecurity and AI specifically in February. So you might want to go back and check that one. Um I know that we mentioned Gemini, but we didn't get deep into it. Um but

Carolyn Woodard

I thought this question was interesting. Um do you recommend using Google Drive app or using the web browser?

Steve Longenecker

Um so quickly on the Gemini thing, I would encourage the person who asked that question, and we can answer it in the Reddit channel later, but you know, go ahead and and Google it. There's a lot of good stuff that you can do to control Gemini to some extent, um, including, you know, disabling it if that's what you need to do. Um

Steve Longenecker

The question about the Google Drive app, I do think I I mean it depends like a lot of a good consulting answer is it depends, right? I do think that if you have, you know, typical nonprofit operational requirements and security requirements, the Google Drive app on your on a PC, if you are taking steps to make sure that the PC is secured, maybe you have device management on the PC, it's a company-owned PC, um, you have good hygiene on the PC and everything, then um, it can be really nice and very convenient for the person to have the Google Drive app. Um

Steve Longenecker

If you're using Google Docs and Sheets, like you're not using Office uh versions of the of those, you're not using Word or Excel, but you're using Google Docs and Google Sheets, then the at some point the browser becomes just as convenient anyway, and probably you don't need to have uh the drive app. But I I if

Steve Longenecker

If I were helping a small nonprofit get set up, I would probably go ahead and deploy the Google Drive for the convenience of the users so that again, I'm not trying to make life difficult for my users, because if I make life difficult for my users, that's when they start doing crazy things to get around me to do their jobs. And I understand that they're just trying to do their jobs. So instead, I want to um give them the tools so that they can do their jobs within my restrictions. Um, and you know, we find that balance.

Carolyn Woodard

I'm sorry to hurry you along, um, but in the interest of time, if there are people who can stay over a minute or so, um we might go over a minute. I apologize. Um I went quickly through our learning objectives. I think you hit them all just wonderfully, Steve. Thank you so much.

Carolyn Woodard

I want to make sure to let people know that next month I'll be going back to AI topics. We'll be welcoming some experts to talk about where you go with AI at your nonprofit if you're past the experimenting phase. So, how do you get to an AI that is genuinely embedded in what your organization does and how you work? And we're gonna learn about an AI maturity model that they use at PTKO Consulting to help their clients implement AI intentionally.

Carolyn Woodard

So, if you're new on your AI journey, we have a lot of other resources on our site about getting started, looking at ethical frameworks, creating AI policy. We have a download that you can use, a template. And

Carolyn Woodard

I'm really excited about this upcoming webinar because there are a lot of webinars out there around the early stages. And we do have clients who have been using AI for over a year and want to know these next steps. Like, how do you take that next step?

Carolyn Woodard

So, our guests, Mimi and George, are going to share what best practices are out there. This is an evolving space. There aren't people, you know, nonprofits who have been using AI for very much longer than that. But if that is where you are on your AI journey, please join us again next month. That's at 3 p.m. Eastern, noon Pacific on Wednesday, July 15th. I just shared the registration page in the chat. It's on our website at communityit.com.

Carolyn Woodard

Please don't forget as you exit today to take our short survey, it's six questions, six easy questions. Uh, one lucky winner chosen at random receives a $25 gift certificate, and it really helps us.

Carolyn Woodard

And then join us on Reddit, r slash nonprofit IT management for more Q&A. As I said, we had a bunch of questions in the queue. I'm sorry we couldn't get to all of them. There's some really good ones in there. So uh Steve is gonna come over on Reddit for another um, you know, 15, 20 minutes to answer some of those questions, and we will see you here next month, I hope, uh, with our next monthly webinar.

Carolyn Woodard

So thank you everyone for joining us. Uh, your your time is a gift. You spent an hour with us, we really appreciate it. Steve, thank you so much for sharing all your expertise and wisdom about Google Workspace. Uh, it's so easy to get into, but it's not super easy to make sure you're doing everything right. So we really appreciate your time today.

Steve Longenecker

Uh thank you, and thanks to all the people that were chatting and helping answer questions. Uh, I love the community spirit. Um, that was really great to see.

Carolyn Woodard

No, it was really great. So thank you again, everyone, and we will see you over on Reddit.