With Nonprofits Under Pressure, Boards Must Step Up on Tech Now
Alethea Hannemann / Aug 4, 2025

Alethea Hannemann is the co-founder and CEO of Board.Dev.

Pink Office by Jamillah Knowles & Digit — Better Images of AI / CC by 4.0
We don’t need another piece reminding nonprofit leaders that tech matters. Nonprofit CEOs know that digital systems shape service delivery, fundraising, and security; boards recognize the need to invest in them.
What many haven’t accepted, however, is that tech is now a legitimacy issue. How you govern your data, your tools, and your AI choices increasingly signals whether your organization is trustworthy, resilient, and mission-aligned. Risks that once seemed distant are becoming urgent in practice, showing up in the minutiae of vendor contracts, tales of botched AI rollouts, and a growing number of cyber incidents.
Across the world, civil society organizations are confronting digital threats that go well beyond outdated software or staff fatigue. Governments are censoring platforms. Donor data is being seized. Cyberattacks target service providers and advocacy groups alike. These aren’t outliers; they’re common and cautionary tales. And they’re coming closer to home.
Boards don’t need to learn the tactical ins and outs of AI, cybersecurity, or CRM migrations. But they do need to own the big picture and focus on policies, because tech leadership matters more than tech tools. No platform will make an organization resilient without governance aligned to values, risks, and responsibilities. Boards that sidestep these questions leave organizations vulnerable, both operationally and reputationally. Those that take them seriously reinforce trust and signal readiness to everyone who matters: clients, communities, staff, funders, and the public.
Why boards?
The systems nonprofits use, the data they manage, and the platforms they rely on shape how they’re perceived and how they function, especially when civil society is under mounting political pressure. Boards are responsible for guiding strategy, managing risk, and ensuring mission alignment, yet as digital tools increasingly affect client access, organizational trust, and day-to-day operations, they often still see tech as a back-office issue, or leave it entirely to staff and vendors. But while boards don’t need to understand every system, they do need to clarify values, set priorities, and help shape a culture that is both tech-aware and people-centered. As organizations like Mozilla and NTEN have emphasized, boards must help nonprofits navigate not what tech to use, but why, how, and to what end. Key questions include:
- Are we protecting our data and the people it represents?
- Are we prepared if a platform cuts off access or a system fails?
- Do our tech decisions align with our values?
- Do we know when to lead and when to follow?
Digital risks are no longer abstract
Many nonprofits still assume they won’t be targeted. That’s increasingly dangerous. According to the CyberPeace Institute, nonprofits are now the second most-targeted sector for cyberattacks. The 2024 “Cyber Threats to NGOs” report details NGO breaches involving donor data, activist surveillance, and financial theft.
Many nonprofits don't even know how vulnerable they are. In a 2024 Tides survey on cybersecurity, 70% of nonprofits reported having no incident response plan. And smaller organizations—many of those most likely to serve high-risk communities—are often the least resourced to respond.
Boards are responsible for ensuring fiduciary oversight and strategic alignment. That includes understanding these risks and helping their organizations prepare.
Blackbaud: a case study
In 2020, dozens of nonprofits were blindsided when Blackbaud—one of the largest CRM providers in the sector—suffered a ransomware attack. The breach affected more than 10 million individuals across thousands of organizations, exposing donor contact records. For many nonprofits, the news came not from Blackbaud directly, but from media reports weeks after the attack occurred.
The incident highlighted a broader weakness across the sector: vendor risk, cybersecurity, and data governance are rarely discussed at the board level. Few boards have policies in place to guide breach response or ask how third-party vendors protect critical systems and donor data. Without such oversight, many organizations faced delayed disclosure, donor confusion, and regulatory fallout, leading some to reevaluate their vendor relationships.
This isn’t negligence; it’s a structural gap based on outdated board norms. Tech risk simply hasn’t been treated as a governance issue.
A growing number of organizations have now added board-level oversight of cybersecurity and incident planning. Boards that ask these questions early—about vendor risk, data practices, and continuity—can avoid both operational fallout and reputational harm.
Lessons from civil society under pressure
Nonprofits operating in repressive environments learned long ago to navigate high-risk digital and civic landscapes. US-based nonprofits—especially those working on controversial issues—can learn from their experience.
For example, organizations like Access Now, Tactical Tech, and Frontline Defenders have created toolkits and frameworks to help nonprofits stay safe, operational, and aligned with their mission in volatile conditions. Their lessons are increasingly relevant in the US, where nonprofits face new levels of political scrutiny, platform volatility, and misinformation.
Key best practices include:
- Assume surveillance is possible. Don’t expect confidentiality by default; design systems that minimize exposure.
- Minimize data collection. Only collect what you truly need, and limit where it’s stored or shared.
- Distribute risk. Avoid over-relying on a single vendor, platform, or tool.
- Prioritize physical and digital asset security. Treat hard drives, backups, and accounts as critical infrastructure.
- Center trust in people, not platforms. Build direct, human relationships that don’t depend on one app, list, or tool.
- Stay nimble but truthful. Use strategic vagueness when communicating publicly about sensitive operations—without compromising truth or trust.
- Plan for disruption. Prepare for shutdowns, takedowns, and other interference, before they happen.
- Conduct regular threat modeling. Ask what could go wrong, who might be harmed, and how to mitigate the risk.
- Build solidarity. Connect with aligned groups locally and globally to build collective resilience.
These practices are part of effective governance now. US nonprofit boards may not face the same daily risks as international organizations–yet–but they can learn from their peers abroad to prepare for uncertainty, build digital resilience, and ensure they’re protecting not just their mission, but the people they serve.
The opportunity in governance
Mitigating risk is just the beginning. Board engagement can unlock more investments, greater trust, faster adaptation, and better staff wellbeing. According to Mozilla and ServiceNow, ethical tech adoption is most effective when paired with strong governance; 92% of nonprofit leaders see digital transformation as valuable, and 59% believe AI can enhance productivity and impact when paired with clear governance.
Others see it too. As the Financial Times recently reported, donors increasingly expect nonprofits to demonstrate impact through data and digital transparency. Governance also strengthens trust with donors, clients, and communities; clear, ethical data practices give people confidence that their information is handled with care and aligned to the mission. And funders, partners, and future staff increasingly look for signs of digital readiness and resiliency as part of organizational strength. Boards play a critical role here. A tech-fluent board signals that your organization is prepared, strategic, and forward-thinking.
Just as important, boards across the sector can help their organizations move toward shared resilience. That might mean encouraging data collaboratives, adopting network-level cybersecurity protocols, or joining coalitions that protect civil society infrastructure. The more nonprofits act like players in a digital ecosystem, the stronger they become.
What boards can do now
Even if board members aren’t tech experts, they can take clear steps to govern technology with intention and care.
- Put tech on the agenda for every board meeting. What’s in use, what risks are emerging (AI misuse, surveillance, data-sharing), what decisions lie ahead. Treat tech like finance or compliance—a standing topic, not an optional one.
- Ask good questions. Are we protecting our data? Do we have a backup plan if a platform fails, or we need to leave one? Are we outsourcing tech decisions we don’t understand? The Tech 28 from Board.Dev is a set of starter questions across strategy, resourcing, oversight, and operations.
- Assign and take responsibility. Name a board member or a small task force to track digital governance. Ask them to raise concerns and recommend actions. Include tech oversight in recruitment and onboarding.
- Use the right frameworks and guides to build resilience into planning. What happens if a vendor fails, a system breaks, or the organization is targeted? Start with Mozilla’s Trustworthy AI Toolkit; Tactical Tech’s Data and Activism Resources; and Roundtable Technology’s Cybersecurity Toolkit.
- Connect tech to mission and values. Technology isn’t neutral—it either reinforces your values or contradicts them. Are your tools increasing access and impact? Are they putting anyone at risk? For example, the NTEN Equity Guide helps nonprofits make technology decisions in racially equitable ways to meet their missions and community needs.
A sector-wide call to action
Digital resilience is a sector issue, which means funders have a powerful role to play. What gets funded becomes the norm. Yet tech funding is still hard to come by: only 20% of grants include any provision for technology or tools, and 66% of the world’s largest global development organizations report that their cybersecurity programs are underfunded.
To build a stronger, more resilient social sector, funders must invest not just in tools, but in the infrastructure, capacity, and above all, leadership that nonprofits need today.
When they do, boards will start treating technology as a major strategic asset and a source of risk, not just an operational line item to minimize when talking to supporters. Keeping up with tech is no longer about execution alone; it’s about trust and mission integrity. Not every board member–or funder–needs to be a tech expert. But together they can shape what comes next.
