Has your nonprofit ever had a simulated break-in to test your digital defenses? If not, you may already have an intruder inside!

Cyberattacks aren’t just happening to big corporations—they’re happening to nonprofits every day. And far too many organizations have no idea they’ve been breached until months later. Cybersecurity expert Michael Nouguier, Partner of Cybersecurity Services at Richey May, pulls back the curtain on the urgent, often-overlooked practice of penetration testing—known as “pen testing.” His message is blunt: if your nonprofit hasn’t done one, you may already be compromised.

Michael explains that a pen test is essentially a real-world simulation of a cyberattack, conducted by ethical hackers to expose weaknesses before malicious actors exploit them. “It’s like hiring a home inspector before you buy a house,” he says, “but instead of finding leaky pipes, we’re finding the digital doors and windows you’ve accidentally left wide open.” These gaps can exist in email, donor databases, websites, payment systems—anywhere sensitive information lives.

The process starts with scoping: agreeing on which systems are in bounds, which third-party tools and data flows are involved, and what the testers are authorized to do. From there, ethical hackers gather open-source intelligence (OSINT) to see what an attacker could learn about your nonprofit from public sources (DNS records, staff names and email addresses, exposed services), then attempt to exploit any weaknesses they find. This may involve phishing campaigns against staff, attempts to gain a foothold on the internal network, or probing web applications for exploitable flaws. Post-exploitation, the team determines how far they can move from that first foothold within your systems, whether that means reaching donor records, financial data, or confidential client files.
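One concrete reconnaissance check from the phase described above is whether the organization's published email policy lets an attacker send phishing mail that appears to come from its own domain. The script below is an added example, not code from the original page or from Richey May. It assumes a hypothetical domain (example-charity.org) and constructed DNS TXT records embedded inline so it runs offline; in a real test the records would be pulled live for the domain and for _dmarc.<domain> with a DNS client.

```python
"""
Assess whether a domain's SPF and DMARC records let attackers spoof it.

Added example (not from the original page or from Richey May).  The DNS
lookup that a tester would do during OSINT is replaced by a constructed
dictionary of TXT records, so the script runs with no network access.
"""
import re

# Constructed sample records for a hypothetical nonprofit domain.
# The SPF record soft-fails unknown senders (~all) and DMARC is set to
# p=none, a common "monitoring only" setup that still delivers spoofed mail.
SAMPLE_RECORDS = {
    "example-charity.org": [
        "v=spf1 include:_spf.google.com ~all",
    ],
    "_dmarc.example-charity.org": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example-charity.org",
    ],
}


def parse_spf(txt_records):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '+', '?'),
    'none' if the record has no 'all' mechanism, or None if no SPF exists."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", rec)
            if m:
                return m.group(1) or "+"  # a bare 'all' means '+all'
            return "none"
    return None


def parse_dmarc(txt_records):
    """Return the DMARC record's tags as a dict, or None if there is none."""
    for rec in txt_records:
        if rec.strip().upper().startswith("V=DMARC1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_email_spoofing(domain, records):
    """Return a list of findings describing why mail from `domain` can be spoofed.
    An empty list means SPF rejects unauthorised senders and DMARC enforces."""
    findings = []

    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    elif spf in ("+", "?"):
        findings.append(f"SPF ends in '{spf}all': does not reject unauthorised senders")

    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record: receivers are not told to reject spoofed mail")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")

    return findings


if __name__ == "__main__":
    for line in assess_email_spoofing("example-charity.org", SAMPLE_RECORDS):
        print("FINDING:", line)
```

Run as-is it reports the DMARC p=none weakness for the constructed domain; feeding it a domain with no records at all yields two findings, and a domain publishing `v=spf1 -all` with `p=reject` yields none. A tester would put a finding like this in the report alongside the phishing exercise it enables, since a spoofable domain makes the "email from the executive director" pretext far more convincing.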

The findings are compiled into a detailed report, along with a letter of assessment that can be shared with insurers or contractual partners. In many industries, including healthcare, justice, and education, annual pen testing isn’t optional—it’s required by regulation or by contract. Yet, as Michael warns in this episode, many nonprofits sign agreements without realizing they’re agreeing to perform such tests.

Waiting too long is costly. IBM research shows that proactive security measures can save organizations over $200,000 per breach. On the flip side, skipping pen testing can raise your cyber insurance premiums, or get your coverage denied entirely. And because updates, new software, and staffing changes continually introduce new risks, pen testing isn't a one-and-done task: it's an annual checkup for your organization's digital health, and worth repeating sooner after a major change such as a new donor platform or payment system.

Michael also touches on the human factor. When testing social engineering risks, you often don't alert staff in advance, because real attackers certainly won't. Only the small group that authorizes the test and agrees its rules of engagement needs to know; the goal is to create realistic conditions, not staged ones.

This conversation should serve as a wake-up call: penetration testing is not an optional luxury—it’s a frontline defense. Whether you hold donor payment information, confidential case files, or sensitive program data, you can’t afford to leave your cybersecurity to chance.