---
title: Fixed-Fee Managed IT and Cybersecurity for Ohio Nonprofits - Capstone Technologies Group
description: Fixed-fee managed IT and cybersecurity for Ohio nonprofits. Documented security controls, quarterly evidence packages, cyber insurance qualification support, and 24/7 monitoring — built for organizations without IT staff.
canonical_url: https://captechgroup.com/industry-solutions/non-profit-it-solutions
language: en-GB
date: 2026-03-13T01:00:37Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/industry-solutions/non-profit-it-solutions. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
markdown-tokens: 5690
---



# Fixed-Fee Managed IT and Cybersecurity for Ohio Nonprofits

This page is for you if:

- Your cyber insurance application is asking about MFA, endpoint detection, and backup testing — and you’re not sure what to put
- A funder, grantor, or board member has asked how you protect donor and client data — and you don’t have documentation to show them
- You’re spending unpredictable amounts on IT support — a break-fix call here, a volunteer’s nephew there — and you can’t budget around it
- Your organization handles donor PII, client records, or online donations, and your current backup is a portable drive or cloud folder without tested recovery
- You don’t have IT staff — the executive director or office manager is the one resetting passwords, calling the internet company, and hoping the antivirus is working
 
 

Capstone maintains documented security controls for your organization, delivers quarterly evidence packages for insurance and funder requirements, and handles day-to-day IT so your team can focus on the mission — all for a fixed monthly cost with no surprise invoices.

Designed for nonprofit organizations with 2–50 staff that don’t employ internal IT.

[Schedule Your IT Assessment](https://calendly.com/captechgroup/15min)

 

### Cyber Insurance Is Requiring Documentation

Underwriters now commonly require written proof of MFA, endpoint detection, backup testing, and incident response plans before they’ll issue or renew a policy. Nonprofits aren’t exempt from these requirements.

 

### Funders and Boards Are Asking Questions

Grant makers, major donors, and board members increasingly want to know how you protect the data entrusted to your organization. Without documentation, the answer is usually “we think so” — which isn’t enough.

 

### Breach Costs Hit Nonprofits Harder

Under Ohio Revised Code § 1349.19, organizations that experience a data breach must notify affected individuals. For a nonprofit operating on thin margins, the notification costs, reputational damage, and donor attrition can be existential.

 

 

 


 Most nonprofits we talk to aren’t doing nothing — they’ve got antivirus on some machines, someone backing things up to a drive, and a firewall that came with the internet service. What they don’t have is documentation that any of it works, a tested recovery process, or a single number to call when something breaks during a fundraising event.

We also know the budget reality. Nonprofits rarely have the funding to build enterprise-grade infrastructure, and recommending controls an organization can’t afford to implement doesn’t help anyone. Capstone’s approach is right-sized: we deploy the core safeguards that actually matter for your risk profile, document them so you can prove it when asked, and manage everything for a predictable monthly cost.

We’ve been working with Ohio organizations since 2004, and we understand that every dollar you spend on IT is a dollar that isn’t going directly to your mission. That’s why the controls we implement need to be worth what they cost — and the documentation needs to do double duty for insurance, funders, and board reporting.

 

## The Requirements Your Organization Is Actually Accountable For

Nonprofits aren’t regulated like healthcare or financial firms, but you still face real security and documentation requirements from insurers, funders, payment processors, and state law.

### Ohio Breach Notification Law

Ohio Revised Code § 1349.19 requires organizations to notify affected individuals after a data breach involving personal information. Having documented controls can demonstrate reasonable safeguards were in place.

 

### Ohio Data Protection Act (SB 220)

Ohio’s safe harbor law provides an affirmative defense against data breach claims for organizations that implement and maintain a cybersecurity program conforming to recognized frameworks like NIST or CIS Controls.

 

### Cyber Insurance Application Requirements

Insurers commonly require documented proof of MFA, endpoint detection and response, backup testing, email filtering, and an incident response plan before issuing or renewing cyber liability coverage.

 

### PCI DSS (If Accepting Donations by Card)

Nonprofits processing credit card donations must comply with Payment Card Industry Data Security Standards. Even organizations using third-party processors typically need to complete a Self-Assessment Questionnaire annually.

 

### Funder and Grant Security Requirements

Federal, state, and private grantors increasingly include data security provisions in grant agreements. Some require documented controls as a condition of funding, especially when client or beneficiary data is involved.

 

### FTC Act Section 5 (Unfair Business Practices)

The FTC can take enforcement action against organizations that fail to implement reasonable data security measures and suffer a breach affecting consumers, even without industry-specific regulations.

 

 

 

## Your Quarterly Evidence Package

### Access Controls

✓ MFA enrollment (all users)  
✓ Privileged access documentation  
✓ Password manager status

### Endpoint & Monitoring

✓ EDR deployment reports  
✓ SOC monitoring summaries  
✓ Patch & vulnerability summary

### Network Security

✓ Firewall configuration summary  
✓ Vulnerability scan results  
✓ Secure remote access config

### Data Protection & Backups

✓ Encryption configuration verification  
✓ Backup test results  
✓ Business continuity & disaster recovery plan

### Email Security

✓ Email filtering evidence  
✓ Encrypted email configuration  
✓ Retention/hold settings

### Training & Governance

✓ Training completion certificates  
✓ Phishing simulation results  
✓ Policy acknowledgment records

 

 

Updated quarterly. Ready for insurance applications, funder reports, and board presentations.

 

## What Happens When Controls Aren’t Documented

The issue typically isn’t that you have no security — it’s that you can’t prove what you have when it matters.

### Insurance Claim Denial

Cyber insurance carriers may deny claims if your organization can’t demonstrate that the safeguards described in the application were actually in place at the time of the incident. For a nonprofit operating on thin margins, a denied claim after a breach can mean the difference between recovery and closure.

 

### Lost Funder Confidence

When a grantor or major donor asks how you protect the data entrusted to your organization and you can’t produce documentation, it raises questions about stewardship. Funders increasingly treat data security as part of organizational accountability.

 

### Unrecoverable Data Loss

Without tested, encrypted backups and a verified recovery process, a ransomware attack, fire, or hardware failure can mean permanent loss of donor records, program data, and financial files. “We back up to a drive” isn’t a recovery plan.

 

 

 

  > “Capstone’s team is not only highly skilled but also friendly and approachable. From minor troubleshooting tasks to major infrastructure projects like installing Wi-Fi throughout our facility, they have consistently demonstrated professionalism and a genuine commitment to our organization’s needs. Their ability to remotely access our systems and promptly resolve issues has streamlined our day-to-day operations, allowing us to focus more on our mission of serving the community.”

 

## Controls Mapped to Requirements

Each safeguard we implement addresses specific requirements from insurers, funders, or state law. We deploy the controls, document them quarterly, and provide evidence packages you can attach to insurance applications, grant reports, and board presentations.

**Why your organization needs this:** Stolen or weak passwords are the most common way attackers get into any system. Multi-factor authentication adds a second step — typically a code on your phone — so a compromised password alone isn’t enough. Cyber insurance applications now specifically ask whether MFA is enforced on email, remote access, and administrative accounts.

**What we implement:** MFA enrollment for all users across email, VPN, and cloud services. Enterprise password management so your team uses unique, strong passwords without writing them on sticky notes. Privileged access controls that limit administrative rights to only the accounts that need them. [Learn more about access management →](https://captechgroup.com/services/cybersecurity-services)

**Satisfies:** Cyber insurance MFA requirements, Ohio Data Protection Act (SB 220) recognized framework controls, funder security requirements

 



**Why your organization needs this:** Attacks don’t happen during business hours. Ransomware typically deploys at night or over weekends when nobody’s watching. A Security Operations Center (SOC) monitors your systems around the clock and can isolate a compromised machine before the attack spreads.

**What we implement:** 24/7 SOC monitoring with endpoint detection and response (EDR) on every workstation and server. SIEM log collection and analysis that correlates events across your environment. Automated alerting and containment so threats are addressed in minutes, not days. [Learn more about managed security →](https://captechgroup.com/services/cybersecurity-services)

**Satisfies:** Cyber insurance EDR and monitoring requirements, Ohio SB 220 framework controls, incident detection and response documentation

 



**Why your organization needs this:** Backups only matter if they actually work when you need them. We’ve seen organizations discover their “backup” was either corrupted, months old, or encrypted by the same ransomware that hit their server — because nobody tested it. Immutable backups are write-once, read-many, which means ransomware can’t overwrite or encrypt your recovery copies.

**What we implement:** Encrypted, immutable backups with offsite replication. Scheduled recovery testing so we verify your data is actually restorable — not just “backed up.” Documented recovery results included in your quarterly evidence package. [Learn more about backup and recovery →](https://captechgroup.com/services/data-protection-recovery)

**Satisfies:** Cyber insurance backup and recovery requirements, business continuity documentation, Ohio SB 220 data protection controls

 



**Why your organization needs this:** Most breaches start with someone clicking something they shouldn’t — a phishing email, a fake invoice, a spoofed login page. Nonprofits are especially vulnerable because staff and volunteers come from varied technical backgrounds. Training doesn’t eliminate the risk entirely, but it significantly reduces it, and insurers specifically ask whether your team receives regular security awareness training.

**What we implement:** Ongoing security awareness training with tracked completion. Simulated phishing campaigns that test your team’s response to realistic attacks and identify who needs additional coaching. Training completion certificates and phishing simulation results included in your quarterly evidence package. [Learn more about security training →](https://captechgroup.com/security-awareness-training)

**Satisfies:** Cyber insurance training requirements, Ohio SB 220 employee awareness controls, funder security requirements

 



**Why your organization needs this:** Email is the primary attack vector for organizations of every size. Phishing, business email compromise, and invoice fraud all come through the inbox. Beyond blocking threats, nonprofits that handle donor data or client information typically need email encryption and retention policies — especially if a legal dispute or insurance claim requires you to produce communications.

**What we implement:** Advanced email filtering that blocks phishing, malware, and spoofed messages before they reach your inbox. Email encryption for sensitive communications. Retention and archiving policies configured to your organization’s needs. DNS filtering that blocks access to known malicious websites across your network. [Learn more about email security →](https://captechgroup.com/services/cybersecurity-services)

**Satisfies:** Cyber insurance email security requirements, data handling and retention documentation, PCI DSS email and network security controls (if applicable)

 



**Why your organization needs this:** Unpatched software is one of the most common entry points for attackers — known vulnerabilities with published exploits that simply haven’t been fixed yet. Most nonprofits don’t have a systematic way to apply updates across all machines, and firewall configurations set up years ago may no longer reflect your current environment.

**What we implement:** Automated patch management across all workstations and servers so security updates are applied consistently, not when someone remembers. Firewall configuration and management. Vulnerability scanning to identify gaps before they’re exploited. Secure remote access configuration for staff working offsite. [Learn more about network management →](https://captechgroup.com/services/cybersecurity-services)

**Satisfies:** Cyber insurance patch management and vulnerability management requirements, Ohio SB 220 technical safeguard controls, network security documentation

 





 

## Built for Organizations Without IT Staff

We work with nonprofits where the executive director, program director, or office manager is currently the de facto IT department. You shouldn’t need to understand SIEM log correlation or EDR deployment to run your programs — that’s our job.

When something breaks, you call one number. When a funder asks about your security controls, you forward the quarterly evidence package we already prepared. When your cyber insurance renewal comes up, the documentation is ready — not something you scramble to assemble the week before.

Everything is covered under a fixed monthly cost. No hourly charges for help desk calls, no surprise invoices for patch updates, no separate bills for monitoring versus support. You know what IT costs every month, and you can budget around it — which matters when every dollar is accountable to donors and grantors.

 

## What Your Cyber Insurance Application Requires

Many nonprofits we work with are applying for cyber insurance for the first time. Here’s what underwriters typically ask for — and what we document so you can answer “yes” with evidence attached.

### Multi-Factor Authentication

**What insurers ask:** “Is MFA enforced on all remote access, email, and privileged accounts?”

**What we document:** MFA enrollment reports showing all users, enforcement status by service, and configuration verification — updated quarterly.

 

### Endpoint Detection and Response

**What insurers ask:** “Do you have EDR deployed on all endpoints with 24/7 monitoring?”

**What we document:** EDR deployment reports confirming coverage on every workstation and server, plus SOC monitoring summaries showing active threat detection.

 

### Backup and Recovery

**What insurers ask:** “Are backups encrypted, stored offsite, and regularly tested?”

**What we document:** Backup configuration verification, encryption status, offsite replication confirmation, and recovery test results with timestamps.

 

### Security Awareness Training

**What insurers ask:** “Do employees receive regular security awareness training?”

**What we document:** Training completion certificates for all staff, phishing simulation results and response rates, and policy acknowledgment records.

 

### Email Filtering and Security

**What insurers ask:** “Do you have email filtering, anti-phishing controls, and email encryption?”

**What we document:** Email filtering configuration evidence, anti-phishing and anti-spoofing settings, encryption capability verification, and retention policy documentation.

 

### Incident Response Plan

**What insurers ask:** “Do you have a documented incident response plan?”

**What we document:** A written incident response plan tailored to your organization, including contact procedures, containment steps, notification requirements, and recovery protocols.

 

 

 

 

## What Your Organization Receives

Everything listed here is included in your fixed monthly cost — no add-ons, no tiers, no surprise invoices.

### Quarterly Evidence Package

Documented proof of all security controls across six categories — ready for insurance applications, funder reports, and board presentations.

 

### 24/7 SOC Monitoring

Around-the-clock threat monitoring with EDR, SIEM, and automated containment — so threats are caught at 2am, not discovered Monday morning.

 

### Encrypted Backups with Tested Recovery

Immutable, encrypted backups with offsite replication and scheduled recovery testing — verified and documented, not assumed.

 

### Help Desk and On-Site Support

One number to call for any IT issue. Remote support for most problems, on-site visits when needed — included in your monthly cost.

 

### Security Awareness Training

Ongoing training with phishing simulations for all staff, with completion tracking and certificates for your records.

 

### Policy Development and Review

Written IT policies covering acceptable use, incident response, data handling, and remote access — developed for your organization and reviewed annually.

 

 

 

## Frequently Asked Questions

Everything on this page — 24/7 SOC monitoring, EDR on all endpoints, encrypted backups with recovery testing, email security, DNS filtering, patch management, password management, security awareness training, help desk support, on-site visits, policy development, and quarterly evidence packages. There are no tiers and no per-incident charges. The monthly cost is based on the number of users and devices in your environment, and we’ll give you the exact number during your assessment.



That’s the situation for many nonprofits we talk to. We implement the controls that insurers require — MFA, EDR, backups, training, email security, incident response — and then document everything in a format you can attach directly to your application. Most organizations are application-ready within 60–90 days of onboarding.



Typical onboarding takes 2–4 weeks depending on the size of your environment and what’s already in place. We start with an assessment to understand your current setup, then deploy controls in a sequence that minimizes disruption to your daily operations. Most of the work happens in the background — your team’s main involvement is enrolling in MFA and completing their first round of training.



In most cases, yes. We’ll assess what you have during the initial review and tell you honestly what can stay and what needs to be replaced or upgraded. We don’t push unnecessary hardware purchases — if your current equipment supports the security controls we need to deploy, we’ll work with it. We understand that nonprofits can’t always replace equipment on the timeline a for-profit business might.



Our SOC monitors your environment 24/7, so many issues are caught and contained automatically before you’d even notice. For things that need human intervention — a server issue, a workstation problem — you contact our help desk and we begin working it immediately. After-hours support is included in your monthly cost, not billed separately.



We work with organizations as small as 2–3 people. The controls we deploy aren’t enterprise complexity scaled down — they’re right-sized for organizations your size and managed entirely by us. You don’t need to understand how any of it works. You just need it to work, and you need documentation to prove it when a funder, insurer, or board member asks.





  Capstone Technologies Group has been providing managed IT and cybersecurity services to Ohio organizations since 2004. We understand that nonprofit budgets are tight, that every dollar is accountable, and that your IT needs to work reliably without requiring staff you don’t have. If that sounds like what you’re looking for, let’s talk.

## Schedule Your IT Assessment

30-minute call to review your current setup, identify gaps, and walk through what a fixed-fee managed IT plan looks like for your organization.

[Email Us](mailto:info@captechgroup.com)

Send us the details and we’ll follow up within one business day.

<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2026-03-13T01:00:37Z",
            "datePublished": "2024-12-20T04:11:28Z",
            "description": "Fixed-fee managed IT and cybersecurity for Ohio nonprofits. Documented security controls, quarterly evidence packages, cyber insurance qualification support, and 24/7 monitoring — built for organizations without IT staff.",
            "headline": "Fixed-Fee Managed IT and Cybersecurity for Ohio Nonprofits",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/industry-solutions/non-profit-it-solutions"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/industry-solutions/non-profit-it-solutions"
        },
        {
            "@type": "VideoObject",
            "contentUrl": "https://images.captechgroup.com/video/capstone-technologies-managed-it-compliance-smb.mp4",
            "description": "Fixed-fee managed IT and cybersecurity for Ohio nonprofits. Documented security controls, quarterly evidence packages, cyber insurance qualification support, and 24/7 monitoring — built for organizations without IT staff.",
            "name": "Fixed-Fee Managed IT and Cybersecurity for Ohio Nonprofits",
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "thumbnailUrl": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "uploadDate": "2024-12-20T04:11:28Z"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

