We use 365 for email and one drive along with the other folders for sharing. Our vendor has recommended Barracuda Essentials Complete for spam protection and extra backup of our one drives for each church staff member. The product will archive all emails and also prevent accidental or intentional deletion of files. Does your church use these products or others? Do you backup 365 files? We save everything on the cloud now.
I have a few churches I manage M365 for. We don’t add more spam protection as we find Defender for Office 365 that comes with M365 Business Premium sufficient, we are in the minority though so I’d tune Defender for Office 365 first and then see if you still need more, but we do and always advise backing up the M365 tenant: Exchange Online, SharePoint, OneDrive, and Teams. There are quite a few tools out there for that. I like Dropsuite, but it isn’t available direct, you do need a service provider for it. Most of the usual suspects also have some type of M365 backup: Veeam, Cloudberry, Synology, Qnap, Acronis, so on and so forth.
If your vendor also manages your M365 tenant, as long as it is reasonably priced you should just go with their recommendation, you get the best experience with vendors if you standardize on their “stack.” Usually they are coming in and thinking “the best way for us to solve these problems for our 50+ clients is to have them all utilize this software stack that we have high expertise in all the components of” and, in theory, that standardization is how they elevate the user experience while keeping costs down. If their stack is just really a lot of questionable choices, change service providers to one that fits better.
We have 365 basic and I don’t think it includes the advanced security but I could look to see how much is added to the free cost. Ideally, we would get this free too. We are changing from an expensive vendor so I was trying to match what they were doing but still not sure if should backup 365 further or even add extra spam protection other than what Microsoft offers in 365. We do have the Watchguard M270 with a security license and are using panda endpoint security and panda patch management. We self-manage and go to our IT provider on a paid basis as needed. We have 10 employees with four of these part-time.
You should definitely apply for your 10 donation seats of M365 Business Premium because that covers a lot of issues you’ll run into and it does include Defender for Office 365 for better spam and phishing protection than you would otherwise get in Business Basic donations or the Office 365 E1 donations.
Veeam free edition will backup 10 M365 seats and could be an okay starting point if you have a destination you can back up to. Backing up to Azure is probably not ideal, but you can use the $3,500 in credits to run Veeam comfortably and backup to another storage provider.
I personally wouldn’t bother with Panda, I’d use Intune (included with those Business Premium donations) to control Windows Defender and Windows Update for Business and consider moving up to Defender for Endpoint in the future. There are worse options than Panda, it’s just not really high on anybody’s list these days either… also, why pay for it in the future when Windows Defender is scoring top marks?
Similarly, I find UTMs becoming a relatively moot part of a church’s security posture because staff in churches have typically been very mobile which makes them prime candidates for a zero trust modern workplace implementation. Since you already have it, no point getting rid of it, but it just doesn’t help all that much when staff are trying to access data from home, Starbucks, the waiting area of the hospital, the funeral home, so on and so forth. That’s just to say, I wouldn’t count it in a long-term strategy, rather, look toward using those M365 BP donations to implement Conditional Access and hit a zero trust strategy wherein you protect data regardless of whether the staff are connecting from the office or not. You also will get to cut those UTM licensing fees.
Thanks Isaac, I will check on expanding our Tech Soup 365 to include extra security. The managed service provider I fired was so expensive, that I feel like we are saving so much money now, but I still don’t want to waste money on unneeded software. I will also look into your other advice too. We currently have 10 separate POE Injectors so also looking at a POE switch to consolidate.
You shouldn’t need to go through TechSoup for the M365 donations, in fact, I would generally avoid them when possible, just go direct through the Microsoft Nonprofit Portal by going here:
https://nonprofit.microsoft.com/en-us/getting-started
And then signing in with your M365 tenant. You might need to assign your user in M365 as a nonprofit portal user, but I’ve noticed it’s inconsistent as to whether or not you need to do that.
I wouldn’t necessarily consider it expensive for a service provider unless it broke around $2,000 a month for full AYCE AISP type plans. If they are well run and experienced then often their bare minimum would be around $1,500 for a 10 seat office in order to make the margins they need for a healthy service provider. Even at those types of rates, it’s almost always still more affordable than a hire up through around 30 to 50 staff once all the benefits and software expenditure are tallied up. 
We will still use a service provider but will pay on a hourly (30 or 60 minute) basis. We were paying the equivalent of 10.5 hours a month for a flat fee versus now where we will just pay as needed. The savings has allowed us to update our firewall to Watchguard M270 and to clean up our IT room with the Aruba Jl686A#ABA (930 48G Class4 PoE 4SFP/SFP+ 370W Switch) that will be installed next week.
Isaac, you have given me some great ideas on software and also Microsoft products.