A 60-person human-services nonprofit headquartered on Pittsburgh's North Side came to us six weeks before its annual audit. Staff were splitting time between a Strip District office and client sites in Allegheny, Beaver, and Westmoreland counties. The executive director had inherited a patchwork of personal Gmail accounts, a file server humming in a closet, and a part-time contractor who answered tickets when he could. A board member — a retired CIO — had flagged donor data exposure as a material risk in the last meeting minutes. That is the exact moment most leaders start searching for IT support for nonprofits in Pittsburgh, and it is the scenario this case study walks through.
Names and identifying details are anonymized, but the technical situation, the budget constraints, and the sequence of work are representative of engagements PGH Networks runs across the region.
The challenge
The organization was trying to deliver case management to vulnerable populations while running on infrastructure that would have looked dated in 2015. Specifically:
- A Windows file server well past warranty, with backups that had not been test-restored in over a year.
- Eleven different email domains and aliases, several still on a consumer mail provider, with no MFA enforcement.
- Case notes containing PHI stored in shared folders with "everyone" permissions, creating clear HIPAA exposure under the BAA the org had signed with a county health partner.
- A donor CRM that no one fully owned, integrated with a payment processor whose PCI attestation had lapsed.
- Roughly $14,000 budgeted for "IT" in the current fiscal year — a number that had not been revisited in four years.
The real problem was not old hardware; it was that no one in the building could answer the question "who has access to what, and how would we know if that changed?"
The board wanted a defensible answer before the audit. The ED wanted staff to stop losing two hours a week to login problems. Both were right.
How it was solved
We ran a two-week assessment first, not a sales pitch. That produced a written risk register the board could actually read, mapped to the HIPAA Security Rule and to the funder requirements baked into two of the org's largest grants.
From there, the work unfolded in three phases over about ninety days:
Phase 1 — Identity and email. We consolidated everything into a single Microsoft 365 Business Premium tenant, sourced through TechSoup at the nonprofit grant rate (roughly a 75% reduction versus list pricing). MFA was enforced for all staff. Conditional access policies blocked logins from outside the US. Legacy mailboxes were migrated and the consumer accounts were retired.
Phase 2 — Data and endpoints. The closet server was decommissioned. Case files moved to SharePoint with permission groups tied to job role, not to individual names. Every laptop was enrolled in Intune, encrypted with BitLocker, and brought under Defender for Business. We documented a backup and restore procedure and actually tested it.
Phase 3 — Operations. A documented helpdesk process replaced the part-time contractor. Staff in Beaver Falls, Greensburg, and Washington got the same response time as staff at headquarters. We built an AI-assisted intake workflow in Microsoft 365 Copilot that drafts grant report narratives from case-management exports — cutting a task that had eaten an entire Friday each month.
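As an added example (not PGH Networks' own tooling), here is one way to make "who has access to what, and how would we know if that changed?" checkable after the Phase 2 move to role-based groups. It compares two permission snapshots and flags grants that bypass role groups. The CSV columns, principals, and paths are constructed for illustration and do not represent a real export format.

```python
import csv
import io

# Constructed sample snapshots. Column names and values are assumptions
# made for this example, not the output of any real export tool.
BEFORE = """type,principal,resource,right
group,Caseworkers,/CaseFiles,edit
group,Development,/DonorCRM,edit
group,Everyone,/CaseFiles,read
user,jdoe@example.org,/CaseFiles,edit
"""
AFTER = """type,principal,resource,right
group,Caseworkers,/CaseFiles,edit
group,Development,/DonorCRM,edit
user,temp1@example.org,/DonorCRM,edit
"""

# Principals treated as "open to all" (assumed list; adjust to the platform).
BROAD = {"everyone", "everyone except external users", "authenticated users"}

def load(text):
    """Parse a snapshot into a set of (type, principal, resource, right)."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["type"].strip().lower(), r["principal"].strip(),
             r["resource"].strip(), r["right"].strip().lower()) for r in rows}

def findings(grants):
    """Flag grants that break the role-based model."""
    out = []
    for kind, principal, resource, right in sorted(grants):
        if principal.lower() in BROAD:
            out.append(("broad-principal", principal, resource, right))
        elif kind == "user":  # granted to a named person, not a role group
            out.append(("direct-user-grant", principal, resource, right))
    return out

def drift(before, after):
    """Return (added, removed) grants between two snapshots."""
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    old, new = load(BEFORE), load(AFTER)
    for f in findings(new):
        print("FINDING", *f)
    added, removed = drift(old, new)
    for g in added:
        print("ADDED  ", *g)
    for g in removed:
        print("REMOVED", *g)
```

Run on a schedule against each new export, the added and removed lists become the reviewable change record a board or auditor can read.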
TL;DR: Nonprofit IT is not about buying more tools; it is about consolidating onto a small number of well-configured ones the staff can actually use, paid for at grant pricing, and documented well enough to survive a board transition.
Outcomes
By the audit date:
- Donor and client data lived in one platform, with role-based access logged and reviewable.
- The HIPAA risk register had thirteen of fifteen findings closed, with a written remediation plan for the remaining two.
- Total annual IT spend rose from roughly $14,000 to about $31,000 — but that figure now included licensing, security tooling, backup, and unlimited helpdesk, where the prior number covered effectively none of those.
- Staff onboarding for new caseworkers dropped from "a week of waiting on accounts" to same-day.
- The Copilot grant-reporting workflow was adopted by the development team and credited internally with freeing about half a day per month per staffer.
The auditor's management letter the following spring contained no IT findings.
Who this applies to: IT support for nonprofits in Pittsburgh
This pattern repeats across the organizations we serve in Allegheny, Washington, Westmoreland, Butler, and Beaver counties. If you run a human-services agency, a foundation, an arts organization, a community health center, or a faith-based nonprofit between roughly 15 and 200 staff, the constraints look familiar: lean budget, mixed-tenure staff, donor and client data that absolutely cannot leak, and a board that needs answers in plain language.
Federally qualified health centers and behavioral health nonprofits add HIPAA. Organizations taking DoD-adjacent workforce development funding are starting to see CMMC language in subcontracts. Both are workable; neither is something to figure out the week before an audit.
Why nonprofits in the region work with PGH Networks
We are based in Pittsburgh, not a national franchise running a regional zip code. Our engineers know which carriers actually deliver fiber to Lawrenceville versus which ones promise it. We work in TechSoup and Microsoft nonprofit grant pricing every week, so licensing conversations start from the discounted number. And our AI-enablement practice is built specifically for organizations that do not have a data team — meaning Copilot and workflow automation get configured against your real grant reports and case templates, not a demo dataset.
We are also comfortable saying no. If you do not need a tool, we will tell you, and we will not resell it to you.
Takeaway and next step
The lesson from this engagement is not that nonprofits need enterprise IT. It is that the gap between "what a small nonprofit can actually afford" and "what a funder or auditor now expects" has narrowed significantly, mostly because of grant-rate cloud licensing. A competent partner can close that gap in a quarter, not a year.
If the scenario at the top of this page sounded uncomfortably familiar, the right next step is a no-cost assessment conversation. We will look at your current stack, your grant and compliance obligations, and your fiscal-year budget, and tell you in writing what we would actually do. Reach out through the contact form on pghnetworks.com or call our Pittsburgh office to schedule a thirty-minute intro.
