6 Questions Every Nonprofit Should Ask Their IT Provider Every Quarter
If you're reading
this, there's a good chance technology decisions have become part of your
job—even though they were never supposed to be.
You're responsible
for protecting client information, maintaining donor trust, supporting staff,
answering board questions, and ensuring services continue without interruption.
And somewhere in the
middle of all that, you're expected to make smart technology decisions.
That's a heavy
burden.
Most nonprofit
leaders aren't worried about servers or software.
They're worried
about letting people down.
That's why quarterly
IT reviews matter.
Not because
technology changes every quarter.
Because risk does.
The right
conversation today can prevent the crisis that steals your attention six months
from now.
Here are six
questions every nonprofit should ask their IT provider every quarter—and
exactly how to tell whether the answers should make you feel confident or
concerned.
The Real Cost of Not Asking
Most nonprofit
technology failures don't start with a cybercriminal.
They start with
assumptions.
Someone assumes
backups are working.
Someone assumes
former employees no longer have access.
Someone assumes
donor information is protected.
Someone assumes
"the IT company handles that."
Then an incident
happens.
What looked fine
from the outside suddenly becomes a leadership problem.
The nonprofits that
avoid these situations usually aren't doing anything extraordinary.
They're asking
better questions consistently.
Question 1: What Security Risks Need Our Attention Right Now?
Every nonprofit has
security risks.
Every single one.
The question is
whether anyone is actively looking for them.
Ask:
- What are our
top three security risks today?
- Have there been
suspicious login attempts?
- Are any users
missing multifactor authentication?
- Are any devices
missing security updates?
- Are old
accounts still active?
What Good Answers Sound Like
Weak Answer:
"Everything
looks good."
Strong Answer:
"Five laptops
are missing critical updates. Two staff members still need multifactor
authentication enabled. Three inactive accounts have access to shared files and
are scheduled for removal this week."
One answer creates
confidence.
The other creates
assumptions.
What We Commonly Find
When nonprofit
environments are reviewed, some issues appear repeatedly:
- Inactive user
accounts still have access
- Multifactor
authentication isn't enabled everywhere
- Shared
permissions have never been reviewed
- Critical
software updates are delayed
- Leadership has
no visibility into technology risk
None of these issues
seem urgent until they're exploited.
Question 2: Have We Tested Our Backups Recently?
This may be the most
important question in the entire article.
Because when
something goes wrong, differences in security maturity become obvious very
quickly.
Ask:
- When was our
last recovery test?
- What systems
were included?
- How long did
restoration take?
- Are Microsoft
365 files included?
- Are donor
systems included?
- Are recovery
procedures documented?
What Good Answers Sound Like
Weak Answer:
"Backups run
every night."
Strong Answer:
"We completed a
recovery test last quarter. Shared files, Microsoft 365 data, and donor
information were restored successfully. Recovery took 43 minutes, and the
process is documented."
One answer describes
a backup.
The other describes
readiness.
How One Nonprofit Discovered Backup Gaps Before It Was Too Late
A nonprofit
leadership team believed their backup strategy was in excellent shape.
Their IT provider
had repeatedly confirmed backups were running successfully.
During a quarterly
review, leadership asked a simple question:
"When was the
last recovery test?"
No one knew.
A test was
performed.
What they discovered
surprised everyone.
Microsoft 365 data
wasn't fully protected.
Recovery procedures
weren't documented.
Key personnel didn't
know their roles during an outage.
Fortunately, they
found the problem during a review instead of an emergency.
Within weeks they:
- Expanded backup
coverage
- Documented
recovery procedures
- Assigned
response responsibilities
- Added quarterly
recovery testing
Nothing dramatic
happened afterward.
And that's the
point.
Prepared
organizations often have uneventful stories.
Question 3: Where Is Technology Slowing Down Our Staff?
Technology problems
rarely appear as emergencies.
They appear as
friction.
An employee wastes
time searching for files.
A donation export
requires manual cleanup every week.
Staff maintain
backup spreadsheets because systems don't communicate with each other.
No individual
problem seems worth reporting.
Collectively, they
drain productivity.
Ask:
- What generates
the most support requests?
- What repetitive
tasks are staff doing manually?
- Where are
employees creating workarounds?
- What systems
cause the most frustration?
- What should we
automate or integrate?
Where It Usually Breaks
This often starts
with spreadsheets.
A system lacks
reporting functionality.
Someone exports
data.
Then another person
creates their own version.
Soon multiple
versions exist.
Nobody knows which
one is correct.
The problem isn't
the spreadsheet.
The problem is that
technology stopped supporting the process.
Question 4: Are We Still Compliant and Properly Documented?
Compliance isn't
something you achieve.
It's something you
maintain.
Policies become
outdated.
Staff roles change.
New software gets
introduced.
Documentation stops
matching reality.
Ask:
- Have compliance
requirements changed?
- Are our
policies current?
- Have
permissions been reviewed?
- Is training
documented?
- Are donation
platforms being reviewed?
- Can we produce
evidence if we're audited?
The External Evaluator Test
Imagine your
organization is being evaluated tomorrow by:
- Your board
- A cyber
insurance carrier
- A grant funder
- An auditor
- A major donor
Would they see
documented processes?
Or good intentions?
That's an important
distinction.
Organizations are
judged by evidence.
Not effort.
For HIPAA-Oriented Nonprofits
If you serve clients
through counseling, healthcare, recovery services, or related programs, ask:
- Has our risk
assessment been reviewed recently?
- Are policies
current?
- Is workforce
training documented?
- Are access
controls functioning correctly?
For Donation Processing
Ask:
- Who has
administrative access to donation systems?
- Are permissions
reviewed regularly?
- Are payment
systems monitored appropriately?
- Is donor
information protected according to documented policies?
The goal isn't
perfect compliance.
The goal is
defensible compliance.
Question 5: What Should We Budget For Next Quarter?
The best technology
investments are planned.
The worst technology
investments are urgent.
Ask your provider to
review:
- Aging hardware
- Licensing
changes
- Software
renewals
- Warranty
expirations
- Security
improvements
- Backup
investments
- Website risks
- Infrastructure
upgrades
A quality quarterly
review should reduce surprises.
Not introduce them.
Question 6: Where Are We Falling Behind?
This question
separates strategic providers from reactive providers.
Ask:
- What are
organizations like ours doing differently?
- What risks are
increasing?
- Which
improvements create the greatest impact?
- Where are we
over-relying on manual processes?
- What should we
address first?
Strong providers
prioritize.
Weak providers
overwhelm.
One Question Most Nonprofits Forget to
Ask
Ask this every
quarter:
"If we
experienced a cybersecurity incident tomorrow, who would do what during the
first 24 hours?"
Most organizations
discover they don't actually know.
Who contacts
leadership?
Who communicates
with staff?
Who works with
vendors?
Who coordinates
recovery?
Who speaks with
donors if necessary?
The first day of an
incident is rarely the time to figure this out.
Nonprofit Technology Maturity Scale
Level 1: Reactive
- Problems are
fixed after they occur
- Limited
documentation
- Minimal
planning
Level 2: Documented
- Basic policies
exist
- Backups are
configured
- Security
controls are established
Level 3: Managed
- Reviews happen
quarterly
- Risks are
tracked
- Recovery
testing occurs regularly
- Leadership
receives reporting
Level 4: Strategic
- Technology
supports board objectives
- Budget planning
is proactive
- Security
decisions align with organizational goals
- Leadership has
visibility into risk trends
Most nonprofits
don't need perfection.
Most nonprofits
simply need to move from Reactive to Managed.
Nonprofit Technology Risk Scorecard
|
Area |
Green |
Yellow |
Red |
|
MFA |
Enabled for all users |
Partial deployment |
Limited deployment |
|
Backups |
Tested quarterly |
Tested annually |
Never tested |
|
Staff Training |
Annual program |
Occasional training |
None |
|
Device Lifecycle |
Under 5 years |
Mixed ages |
End-of-life devices |
|
Donation Security |
Reviewed regularly |
Inconsistent review |
No review process |
|
Board Reporting |
Quarterly reviews |
Annual updates |
No reporting |
If you're yellow or
red in multiple categories, that's where to focus first.
Quarterly IT Review Worksheet
Bring this worksheet
to your next meeting.
Top Three Risks
Budget Planning
Upcoming
investments:
Upcoming renewals:
Compliance Review
Policy updates
needed:
Training
requirements:
Next Quarter Priorities
Board Reporting Template
Require a one-page
summary containing:
- Top Three Risks
- Mitigations
Completed
- Budget Requests
- Open Compliance
Concerns
- Major
Technology Projects
- Next Quarter
Priorities
This turns IT from a
support conversation into a governance conversation.
Your Next-Week Action
Put a 30-minute
quarterly IT review on the calendar next week.
Send these six
questions in advance.
Require written
answers, documented evidence, and a prioritized action plan.
You will learn more
from that single meeting than from six months of assumptions.
Schedule Your 10 Minute Discovery Call
Schedule your 10
minute discovery call and use it as a sanity check on your current risk
posture. In 10 minutes, 911 IT can help identify whether your biggest
technology risks are already being managed—or simply being assumed away.
