Third-Party Software Risks Nonprofits Overlook: Shadow IT, AI, and Donor Data episode artwork

EPISODE · Sep 10, 2025 · 31 MIN

Third-Party Software Risks Nonprofits Overlook: Shadow IT, AI, and Donor Data

from The Nonprofit Show · host Parker Brissette | Richey May

Send us Fan MailNonprofits lean on outside platforms to save time and stretch budgets—but those relationships can quietly expose sensitive donor, client, and payment data. In this episode, Senior Cybersecurity Advisor Parker Brissette of Richey May explains how to recognize and manage third-party software risk before it becomes tomorrow’s headline. He starts with a simple lens: follow the data. Where is it stored? Who can touch it—directly or indirectly? Many teams only think about contracted vendors, but Parker widens the aperture to “shadow IT” and consumer tools staff use without formal approval. As he puts it, “Third parties is really anybody that can touch the data at any point in your business, whether you have an agreement with them or maybe not.”From privacy regulations (GDPR, CCPA) to sector-specific rules (HIPAA, PCI), nonprofits carry legal and reputational exposure the moment personal information enters their systems. Parker offers practical steps: inventory paid tools via your accounting system; ask, “If this vendor vanished tomorrow, what would break?”; and press vendors for proof—SOC 2 reports, ISO 27001, or completed security questionnaires. For organizations without a CIO, he recommends clear contracts and one non-negotiable safeguard: “The biggest thing that I recommend in any third-party engagement is setting an expectation of having cyber insurance, because that’s a big protection for you financially.”AI enters the picture with both promise and peril. Consumer AI tools can learn from and retain your uploads, potentially exposing proprietary or personal information. Enterprise agreements (e.g., Microsoft Copilot) can offer stronger data protections, but only if configured and used correctly. Parker’s guidance is pragmatic: don’t ban AI; set guardrails, choose vetted tools, and train teams.Finally, he urges preparation and transparency. Incidents can happen—even with good controls. Donors and corporate funders expect frank communication about what protections exist and what happens if data is exposed. Build trust now by documenting safeguards, validating vendors, and rehearsing your response.You don’t have to be a security expert to make smart choices—but you do need a map: know your systems, test your assumptions, ask vendors for evidence, and write risk into your contracts and budgets. That approach turns anxiety into action—and preserves the trust your mission depends on.Find us Live daily on YouTube!Find us  Live daily on LinkedIn!Find us Live daily on X: @Nonprofit_ShowOur national co-hosts and amazing guests discuss management, money and missions of nonprofits!  12:30pm ET   11:30am CT  10:30am MT  9:30am PTSend us your ideas for Show Guests or Topics: [email protected] us on the web:The Nonprofit Show

Send us Fan Mail Nonprofits lean on outside platforms to save time and stretch budgets—but those relationships can quietly expose sensitive donor, client, and payment data. In this episode, Senior Cybersecurity Advisor Parker Brissette of Richey May explains how to recognize and manage third-party software risk before it becomes tomorrow’s headline. He starts with a simple lens: follow the data. Where is it stored? Who can touch it—directly or indirectly? Many teams only think about contracte...

NOW PLAYING

Third-Party Software Risks Nonprofits Overlook: Shadow IT, AI, and Donor Data

0:00 31:56

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of The Nonprofit Show?

This episode is 31 minutes long.

When was this The Nonprofit Show episode published?

This episode was published on September 10, 2025.

What is this episode about?

Send us Fan MailNonprofits lean on outside platforms to save time and stretch budgets—but those relationships can quietly expose sensitive donor, client, and payment data. In this episode, Senior Cybersecurity Advisor Parker Brissette of Richey May...

Can I download this The Nonprofit Show episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!