These aren't trick questions. They're not meant to embarrass anyone.
They're simply three things we look at in IT reviews we conduct with NonProfits across Southern New England and most Executive Directors can't answer all three with confidence.
Can you?
1. When were your backups last tested. Not just running, but actually tested?
There's a big difference between a backup that's running and a backup that works.
A lot of organizations have automated backups in place and assume they're covered. But a backup that's never been tested is essentially an assumption, and assumptions don't restore your data when something goes wrong.
Ransomware, accidental deletion, hardware failure, any of these can bring your operations to a halt. The question isn't whether you have a backup. It's whether you've confirmed it actually works when you need it most.
What you should know: When your backup was last tested, what was restored, and how long a full recovery would take.
2. How many former staff still have active access to your systems?
Every time someone leaves (a program coordinator, a volunteer manager, a finance director) and their access isn't fully removed, you've left a door open.
This isn't about assuming bad intent. It's about basic security hygiene. Former employees with active credentials represent one of the most common and most preventable vulnerabilities we see across organizations of every size.
What you should know: Whether your offboarding process includes a formal IT checklist, and when your user access list was last audited.
3. If your email went down tomorrow, do you have a plan?
Email is the nervous system of most NonProfit operations, it stores donor communications, grant correspondence, board updates, vendor relationships. If it went down tomorrow, how long before things started breaking down?
A lot of organizations don't have a clear answer to this. No documented backup communication plan, no defined response steps, no clarity on who calls who or what happens next.
What you should know: Your organization's continuity plan for communication outages and whether your team has actually seen it.
The Gap Is Where Risk Lives
Most NonProfit leaders aren't negligent. They're stretched thin, wearing multiple hats, and managing missions that matter deeply to their communities.
But there's a real difference between assuming things are fine and knowing things are fine.
That gap (between assumption and certainty) is exactly where cybersecurity risk lives. And for NonProfits in CT and RI, the stakes are real. A breach, a ransomware attack, or a compliance failure doesn't just disrupt operations. It erodes donor trust, jeopardizes funding, and can set your mission back for months.
This month, I-M Technology is offering free Cybersecurity Assessments to NonProfits in Connecticut and Rhode Island.
No sales pitch. No obligation. Just a clear, honest picture of where your organization stands and what, if anything, needs your attention.
If you couldn't answer one or more of the questions above with full confidence, that's your sign to book one.
