For many nonprofits, cybersecurity feels like a luxury they simply can’t afford. But according to Michael Nouguier, Partner of Cybersecurity Services at Richey May, ignoring cybersecurity can end up being far more expensive than proactively investing in it.
Michael dismantles the myth that strong digital security comes with an unaffordable price tag. In fact, many nonprofits already have powerful security tools built into systems they’re already using—yet few take advantage of them. “What’s almost as good as free,” Michael explains, “is something that you’ve already been paying for and didn’t know that you could leverage.”
From free services offered by federal agencies like CISA to deeply discounted nonprofit rates from companies like Microsoft and Google, this conversation uncovers a path to digital protection that doesn’t require massive budget increases. Michael urges nonprofits to start by auditing what they already use. Whether it’s Google Workspace or Microsoft 365, most platforms include underutilized features like multi-factor authentication, access control, and data encryption.
These protections aren’t just theoretical—they’re essential. As Michael points out, “You don’t know what to protect if you haven’t actually done an assessment to understand where those risks are.” He encourages leaders to seek out risk assessment tools—many of which are available at no cost—and build a strategy around known vulnerabilities, not guesswork.
The conversation also takes a practical look at automation, which reduces labor costs by removing repetitive security tasks. Many nonprofits mistakenly believe they’re starting from scratch when in reality, they already have a baseline of protections in place—they just need to activate them. Michael shares examples of simple, low-cost ways to improve security posture, including free policy templates and vulnerability scans.
Additionally, he challenges nonprofits to shift their mindset around vendor relationships. Too many organizations fail to ask whether vendors offer nonprofit pricing or security guarantees—questions that could drastically reduce both risk and cost. And when vendors are breached, it’s often the nonprofit that must explain the damage to stakeholders, regardless of fault.
Throughout the session, with host Julia Patrick, the underlying message is clear: cybersecurity isn’t about fear—it’s about preparedness and resourcefulness. The greatest danger lies not in doing too little, but in assuming you’re too small or stretched to do anything at all.