“Cybersecurity used to be the Department of ‘No’. Today, it’s about enablement—how we help people work securely without getting in the way.”

Cybersecurity isn’t just an IT issue—it’s a trust issue. Michael Nouguier, Partner at Richey May’s Cybersecurity Services, joins us to discuss how nonprofits can better protect donor data, assess third-party platforms, and prepare for the inevitable breach.

Michael opens with a striking truth: “Cybersecurity is about risk—what we choose to accept, and what we work to prevent.” Through this lens, the episode offers a detailed breakdown of today’s most pressing cybersecurity concerns, especially as they relate to data collection, donor privacy, and evolving threats like AI-driven attacks.

The conversation kicks off with the importance of identifying and documenting what data your organization actually collects—not just donor information, but client data, health records, payment details, and beyond. Michael stresses the danger of overlooking third-party vendors, who may have weak security protocols but still process sensitive data on your behalf.

Julia Patrick, host, presses Michael on how access control works in today’s remote-first world. His response is practical: build systems around role-based access and restrict data visibility by “need to know.” Whether you’re a 5-person nonprofit or a national organization, overly broad permissions are a recipe for disaster.

Michael shares real-world examples of organizations undermining their own security—like contractors blocking ChatGPT integrations due to risk, prompting staff to email data to themselves for off-system use. It’s not just about locking systems down—it’s about enabling safer, smarter workflows that employees will actually use.

The episode wraps up with a powerful call for scenario planning. Just like fire drills, “tabletop exercises” around cybersecurity incidents can build organizational muscle memory, reduce financial loss, and preserve your nonprofit’s reputation when—not if—a breach occurs.

If you think this topic is too technical to matter to your mission, think again. This conversation makes clear: cybersecurity is mission-critical because your donors expect trust, your clients deserve privacy, and your organization can’t afford the fallout of avoidable mistakes.