One of our newest partners is a  large nonprofit organization based in Omaha that provides mental health and substance use services across multiple counties. Their programs span outpatient treatment, rehabilitation, family support and education, homeless services, employment support, and residential care for adults and young people.

For an organization like this, trust is everything. Clients share some of the most sensitive information of their lives, and the organization must protect that data while keeping systems available for a busy, mission-driven staff.

The Challenge: A Cybersecurity Wake-Up Call

Before partnering with us, the organization worked with a national, remote IT vendor. Support was handled almost entirely through email. On paper, they believed they had a “comprehensive” security package—but a cybersecurity incident revealed serious gaps.

Despite having some protections in place, the attack made it clear their defenses weren’t keeping up with the speed and sophistication of modern threats. Sensitive mental health and substance use information was at risk, and so was the confidence of clients, staff, and the wider community.

As their leadership put it:

“We thought we had a comprehensive package, but bad actors are getting better every day—and we weren’t keeping up.”

The internal IT team was capable and committed, but their existing external IT solution kept them reactive and overwhelmed. They needed an IT partner who could help them think ahead, not just clean up after the fact.

Why They Looked for a New Kind of Partner

After the incident, the organization knew they needed to strengthen cybersecurity, but they didn’t want to simply swap one vendor for another. They were looking for:

  • Local, face-to-face support instead of distant ticket queues and email responses

  • Strategic guidance, not just technical fixes

  • Transparent conversations about risk, investment, and options

  • A co-managed model that would respect and support their internal IT team

They also wanted to work with people they trusted personally—people who understood nonprofit constraints and wouldn’t push unnecessary tools or projects.

In their words:

“We don’t feel alone in decision-making anymore. With American PCS, we now have a partner who can help us figure out the hard things. They’re not trying to sell us something—they give us what’s best for our organization based on where we’re at.”

Our Approach: Strategic, Local, and Co-Managed

When the organization came to us, our first step was to listen: to understand what had happened, what protections were already in place, and where they felt vulnerable. From there, we developed a roadmap focused on three things:

  1. Immediate risk reduction – tightening security controls, improving monitoring, and addressing obvious gaps revealed by the incident.

  2. Proactive, layered cybersecurity – implementing tools and processes designed to keep pace with increasingly sophisticated attacks, including those leveraging AI.

  3. A true co-managed partnership – dividing responsibilities clearly between our team and theirs, so internal IT retained ownership while gaining additional expertise and capacity.

Because we’re local, we were able to meet with leadership and the IT team in person, walk through their environment, and build relationships that don’t happen over email alone.

Our role wasn’t to take over—it was to come alongside. We worked closely with their IT staff to design a security stack and workflow that fit their size, structure, and regulatory obligations.

Adjusting to Co-Managed IT

Moving from full in-house control to a co-managed model can feel like a big change. Their IT team had been used to “owning everything,” and it took time to get comfortable sharing responsibilities and reaching out to us for certain tasks.

We focused on:

  • Clear communication about who does what

  • Regular check-ins between our engineers and their IT staff

  • Transparency about risks, trade-offs, and recommendations

Over time, responsiveness and reliability built trust. When questions or incidents came up, our team responded quickly, documented what we saw, and explained what we were doing.

The organization noticed the difference in day-to-day operations:

  • Suspicious emails or texts are now investigated within minutes.

  • Patterns of risky activity are monitored and addressed before they escalate.

  • Leadership is kept informed about emerging threats and what they mean for the organization.

As one leader shared:

“It’s saved our team worry. We have confidence now that we didn’t even know we were missing before.”

Seeing Cybersecurity as a Core Part of the Mission

For this nonprofit, investing more in security meant having some hard conversations about budget. The cost was higher than their previous IT arrangement—but so was the level of protection and partnership.

Their CEO described the mindset shift this way:

“We couldn’t afford NOT to do this. Protecting health information is our business.”

Together, we reframed cybersecurity as a necessary part of delivering care—not a “nice-to-have” add-on. That meant dedicating resources, executive attention, and staff time to doing it well.

As part of our assessment, we conducted a full review of what they actually needed compared to what they were paying for. By eliminating redundant tools, consolidating services, and aligning their environment with industry best practices, we were able to save them more than $200,000—all while dramatically improving their cybersecurity posture.

We also tailored our recommendations to their context as a nonprofit: prioritizing high-impact investments, avoiding unnecessary tools, and being transparent about what could wait versus what required immediate action.

The Impact: From Reactive to Confident

Today, the organization operates with a fundamentally different posture toward cybersecurity.

Confidence & Peace of Mind
 Leadership and staff feel supported rather than alone when something suspicious happens. 

They know who to call and what will happen next.

“When someone asks, ‘Is my information secure?’ we can confidently say yes.”

Real-Time Awareness
 Our monitoring and response capabilities help the internal IT team see what’s happening in their environment and act quickly when needed.

Shared Strategy
 We work together to anticipate future threats and plan next steps. Instead of only talking when something breaks, we’re in regular conversation about what’s coming and how to prepare.

Trust & Partnership
 Perhaps most importantly, they describe us not as a vendor, but as a partner:

“They don’t just fix things—they help us think ahead and protect what’s coming.”

Looking Ahead

For organizations that handle sensitive health information, cybersecurity is no longer optional or purely technical—it’s central to the mission. This nonprofit learned that even with protections in place, “good enough” wasn’t enough anymore.

We’re grateful to walk alongside them as they provide much needed care for our community, helping them protect the data and systems that make their work possible—today and in the future.