Tech mistakes Chicagoland nonprofits can’t afford to ignore

Nonprofit leaders do not wake up hoping to talk about Wi-Fi, passwords, or backups. You are focused on programs, people, funding, reporting, and partnerships. Technology is supposed to support all of that quietly in the background.

Instead, many organizations get stuck in a loop of small problems that never feel urgent enough to fix properly. Email becomes the file system. Devices miss updates. Staff create workarounds to keep serving clients. Over time, those shortcuts create real risk, plus a steady tax on productivity.

The nonprofit tech friction tax

A “minor” tech issue often has an outsized impact because teams are lean and timelines are real. When systems slow down, people do not stop working. They improvise. They save files locally. They forward attachments. They reuse passwords. They use personal devices because it is faster.

Those choices are understandable. They are also predictable.

The friction tax shows up as:

  • Staff time lost hunting for the right document or the latest version
  • Delays in approvals, reporting, or donor follow-up
  • Increased risk of exposing sensitive client or donor information
  • Burnout for the one person who “knows the tech stuff”

The goal is not perfection. It is reducing friction so the safest way is also the easiest way.

Map your core systems before you change anything

Many tech headaches come from not knowing what systems are truly “core.” You do not need to diagram servers. You do need a simple inventory you can explain to your leadership team and your board of directors.

Start with five buckets:

  1. Identity and access: how people log in, MFA, password policies
  2. Email and collaboration: email platform, shared calendars, chat, file sharing
  3. Data systems: donor CRM, case management, grant tools, finance system
  4. Devices and networks: laptops, phones, Wi-Fi, internet provider, firewall
  5. Protection and recovery: backups, endpoint security, monitoring, incident plan

Then add two clarity questions:

  • Who owns each system from a business standpoint?
  • Who is responsible for patching, backups, and support day to day?

If you cannot name an owner, you have found a risk that will eventually become a problem.

Cybersecurity basics that stop most common attacks

Nonprofits in the Chicago area are targeted more often than many leaders expect, largely because attackers know you rely on trust and speed. The good news is that most successful attacks still start with the same basics: stolen credentials, unpatched devices, and phishing.

Focus on fundamentals that block common paths:

  • Multi-factor authentication (MFA) for every key account, not just leadership
  • Strong password practices and no shared logins for “convenience”
  • Device updates and patching that happen consistently, not occasionally
  • Endpoint protection that is monitored, not just installed and forgotten
  • Web filtering and firewall controls to reduce exposure to known bad sites

These measures are not exciting. They work because they reduce the number of easy openings attackers look for.

Make data protection a daily habit

Data protection is rarely one big decision. It is small choices repeated every day: where files live, who can access them, and how long you keep them.

Two habits make a big difference quickly:

1) Role-based access control
Not everyone needs access to everything. Give staff the minimum permissions they need for their role, and revisit access when roles change. This reduces the impact of accidental sharing and limits damage if an account is compromised.

2) Practical retention rules
Many nonprofits keep old exports, drafts, and client records “just in case.” Over time, that creates a growing pool of sensitive information that can be exposed. Define retention by category, and set a routine for archiving or deletion.

Data protection becomes manageable when it is treated like operations, not like a once-a-year policy exercise.

Use email and file sharing with fewer surprises

Teams do a lot through email because it is universal and fast. The risk is treating email as the default for sharing sensitive documents, approvals, and confidential updates.

Common failure points are simple and human:

  • Autocomplete picks the wrong recipient
  • An attachment gets forwarded beyond the intended audience
  • A thread contains information the recipient should not see
  • Someone sends the wrong version because copies exist everywhere

A safer default is to store documents in approved systems with permissions, then share links instead of attachments. Pair that with clear version control. One “home” for a file reduces confusion and reduces accidental exposure.

Also be cautious with consumer chat and texting for organizational work. If you cannot retain conversations, manage access centrally, and remove access cleanly when someone leaves, you are accepting risk you do not need.

Decide where systems should live: on-site, cloud, or hybrid

For many nonprofits, this question comes down to tradeoffs: cost, staffing, reliability, and how people work.

On-site systems can feel controlled because the hardware is “yours.” They can be fast and reliable, but only if you plan for maintenance, replacements, patching, monitoring, and backups. Without active care, problems often appear suddenly.

Cloud systems shift most of that infrastructure responsibility into a subscription model. They can be easier to scale as staffing and programs change, and they often support hybrid work more naturally.

Hybrid setups are common, especially when one legacy application remains on-site while everything else is cloud-based.

Security is not automatically better in one model than the other. Both can be safe or risky depending on configuration, access controls, and ongoing maintenance. The key is accountability: someone must own backups, updates, and monitoring in writing, not by assumption.

Backups and continuity: plan for the bad days

In Chicago, outages are not hypothetical. Weather, building issues, vendor problems, and simple human error can interrupt access when you least expect it. Backups are the starting point, but they are not the whole plan.

A practical framework is 3-2-1:

  • Three copies of important data
  • Two different storage types
  • One copy stored off-site

Then do the part many organizations skip: test recovery. A backup job that runs does not guarantee you can restore what you need on a deadline.

Continuity planning is the next layer. Ask:

  • If systems went down today, what work must continue within 4 hours?
  • What can wait 24 hours? 72 hours?
  • Who decides when to shut down access, notify stakeholders, or engage outside help?

Even a one-page incident and recovery playbook reduces panic and shortens downtime.

Use technology to save time, not add admin

Nonprofits have repeatable workflows, even if the mission work varies. Intake, donor acknowledgments, volunteer onboarding, grant reporting, board packets, approvals, and vendor paperwork all follow patterns.

When these processes are manual, you get duplication, missed steps, and avoidable delays. Better productivity usually comes from tightening the basics:

  • Templates for recurring forms, letters, and board materials
  • Workflow automation for routine handoffs and reminders
  • E-signature tools to remove printing and scanning delays
  • Search and indexing so staff can find information quickly
  • Carefully governed AI tools for summarization and first drafts, used inside secure environments with clear rules

The goal is to remove low-value admin so staff can focus on outcomes, relationships, and service delivery.

Control devices and access as your team changes

Across Greater Chicago, nonprofits often have a mix of employees, contractors, interns, and volunteers. That mix increases the need for clear device and access control, because people join quickly and rotate often.

Two areas matter most:

Device management
Mobile Device Management (MDM) helps you enforce encryption, confirm updates, and remotely lock or wipe a lost device. It is especially important when personal devices are used for work, because organizational data can otherwise blend into personal apps with no clean way to remove it later.

Access hygiene
Access tends to grow “just in case.” Review accounts and permissions on a schedule. Offboarding should be disciplined: disable accounts promptly, collect or wipe company devices, and change shared passwords. If an account has no clear owner or purpose, remove it rather than letting it linger.

This is basic governance, and it is easier to maintain than it is to clean up after an incident.

How to pick an IT partner your board can trust

A good support partner does more than fix what breaks. They prevent repeat issues and help leadership make decisions with confidence.

You can evaluate support without being technical. Ask:

  • Do they explain options in plain language and document what was done?
  • Do they understand nonprofit realities like audits, grants, and lean staffing?
  • Do they bring you a plan, or do you only hear from them when something is on fire?
  • Can they show evidence of patching, monitoring, access reviews, and backup testing?

Strong partners also schedule regular reviews and help you prioritize. Those meetings should cover risks, upcoming needs, and what is being improved. If everything is always “fine” but you are still dealing with constant disruptions, that is a signal worth taking seriously.

A 30-day practical checklist

If you want momentum without boiling the ocean, start here for the next 30 days:

  1. Turn on MFA for all critical accounts and confirm it is enforced
  2. Confirm encryption is enabled on all laptops and mobile devices
  3. Identify where sensitive data lives and stop sharing it by attachment
  4. Define one approved file-sharing location and permission model
  5. Run a basic recovery test for your most important data
  6. Review user access, remove unused accounts, and clean up shared logins
  7. Write a one-page incident response plan with owners and first steps
  8. Schedule a quarterly IT review with notes and action items

Small, consistent improvements beat big projects that never finish.


If your organization wants fewer workarounds, stronger fundamentals, and clearer accountability, Reintivity can help you assess priorities, reduce risk, and build an IT plan that matches your budget and your board expectations.
