Make-a-Wish Foundation moves safely and securely to the cloud with Expel

Nonprofit group optimizes cloud security to support remote work, and allocates savings to grant wishes.

The organization

The Make-A-Wish Foundation of America is a nonprofit organization that helps fulfill the wishes of children from 2½ to 18 years old suffering from a critical illness. In addition to national staff, the nonprofit has 59 independent chapters in the United States and Puerto Rico, and 39 international affiliates in nearly 50 other countries around the world.

Founded in 1980, Make-A-Wish has granted hundreds of thousands of wishes to critically ill children, improving the quality of life for children and their families by promoting resilience and increasing well-being.

The situation

In 2019, Make-a-Wish was in the midst of planning an IT transformation with a move to cloud infrastructure and SaaS applications. Previously, the organization utilized on-premises hardware and software to connect about 2,500 employees — including those in regional chapters that the IT team provides with technology assistance. With a traditional network architecture, the team felt they had the tools and people needed to manage data securely. But when the pandemic forced the nonprofit to shift to remote work, leaders accelerated their cloud transformation by moving to Microsoft Azure.

“We had to go from planning to actual implementation in a very short time,” explains Marcus Brown, infrastructure and security manager for Make-a-Wish. “We had to shift from the planning stage for remote access to implementing the ability for chapters and users nationwide to work remotely. We had so many things to take into consideration. Besides giving employees a way to access resources, we also had to provide a secure environment for the chapter offices and their data. Expel assisted our organization in making sure we were protected, and our data was secure.”

As a nonprofit, Make-a-Wish faced fresh security challenges. To maintain donor trust, the foundation must protect private data such as names, contact info, and donation history. Additionally, Make-a-Wish has private data on wish recipients, including medical records.

Several months into the pandemic, Make-a-Wish leaders decided to permanently adopt remote work for its national workforce and chapters. With that decision came greater concerns for the IT security team as they planned a framework for running a nonprofit securely in the cloud.

“People might think that because we’re a nonprofit, we’re not a target of cyber attackers,” says Brown. “But due to the nature of the data we maintain and protect, makes us a target for all kinds of attacks, every day.”

To block potential attacks, the Make-a-Wish IT security team had to sort through thousands of noisy alerts, taking time to identify which alerts were false positives from its on-prem environment and SaaS apps, and which required responses. “We’d be looking at lag times of hours, even days, before we might detect something,” says Bret Babula, a security specialist for Make-a-Wish.

Evaluating options

Along with its rapid move to the cloud, Make-a-Wish needed a new framework and solution for managing its security. Babula notes that the process had to basically start from scratch.

“We went from everything on-premise with an SD-WAN to connect with the chapters, to a hybrid cloud environment, basically overnight,” Babula says.

A couple of key security challenges were quickly identified. First, the three security team members realized they didn’t have the deep knowledge of cloud security needed to keep communications safe and secure. “It’s a new area for us — and we knew we couldn’t keep our eyes on every threat coming into the cloud,” Babula says.

“We needed a threat detection and response solution to help us see things we aren’t aware of, and discover what to defend against,” says Liam Theus, security specialist at Make-a-Wish.

The second challenge was business email compromise (BEC), the most likely threat to impact Make-a-Wish and its leaders. “We’re not a Fortune 500 company,” says Brown. “But we have a very high-profile brand internationally which makes us a target for threat actors – and email is a key attack vector for us.”

The security team selected Expel Managed Detection and Response (MDR) — in particular, to protect cloud infrastructure and SaaS apps. For a small team with a wide range of security projects to manage, the “eyes on” 24×7 support from Expel was critical for supporting the global nonprofit.

The deciding factor was the solutions’ ability to help the team focus on the most urgent threats, instead of spending hours and days assessing noisy alerts. Expel MDR custom workflows and automations analyze and compare alerts in minutes. The team immediately knows when there’s something they need to care about, and what they need to do about it. In this way, the team only needs to take action when absolutely necessary.

Without Expel, we’d probably need another two or three people on the team, and another shift or two – at an annual cost of about $180,000. By keeping our team small, we can be better stewards of our donations. ”

⎯Marcus Brown | Infrastructure and security manager

How Expel helps

Since the shift to remote work, Make-a-Wish employees have embraced SaaS apps such as Salesforce and Microsoft Office 365. Expel’s flexibility in allowing Make-a-Wish to choose what it needs to protect — cloud infrastructure, on-prem infrastructure, SaaS apps, and more — is particularly valuable to the foundation.

“The way Expel integrates with Azure and apps like Office 365 gives us the granular details about critical issues we need,” Brown says. “One of the best examples is with business email compromise. Detecting those threats is all about automatically monitoring and reading sign-in logs, which would be tedious and time consuming to do manually. When a potential issue was detected, it would take several hours to perform our IRP, review logs and verifying the impact and then remediate. With Expel, we’re looking at just minutes, versus days.”

Expel unearths and highlights the potential threats that the Make-a-Wish team alone wouldn’t have spotted. “We might get an alert about a possible brute force attack, or about a user logging in from an infrequently visited location” explains Theus. “With Expel, we can quickly investigate to determine if the attack is indeed happening, or if it’s a false positive. We can address the threat more quickly, because Expel has already done most of the investigation for us.”

Expel’s centralized dashboards provide real-time visibility into threats, alerts, and actions taken, and they also give the Make-a-Wish security team a head start in remediating threats. In the event of a security incident (and anytime outside of that), teams have full visibility within Expel Workbench™. They have access to detailed descriptions of what’s occurring, what’s being done (while it’s being done), and how similar events can be avoided in the future.


Expel saves Make-a-Wish time that the security team can spend working on more strategic projects, like securing employee workstations.

“We save hours per incident, because Expel takes that first step to investigate the issue and identify the potential threat to Make-a-Wish,” Brown says.

In addition, Make-a-Wish can keep the security team at its current size without putting the nonprofit in danger of not detecting and mitigating cyber attacks.

“Without Expel, we’d probably need another two or three people on the team, and another shift or two – at an annual cost of about $180,000,” says Brown. “By keeping our team small, we can be better stewards of our donations.”