What You’ll Learn
- Why Nonprofit IT Problems Are Different
- Problem 1: Slow or Unreliable Internet and Network
- Problem 2: Aging and Unpatched Devices
- Problem 3: Backups That Have Never Been Tested
- Problem 4: Poor Remote Access Setup
- Problem 5: No Endpoint Protection
- Problem 6: Disconnected Software Systems
- Problem 7: Single Points of Failure
- Problem 8: Outdated Email Security
- Fix vs. Modernize: How to Decide
- Frequently Asked Questions
- Your Next Steps
Why Nonprofit IT Problems Are Different
Nonprofit IT infrastructure problems share the same technical root causes as those in any organization, but they accumulate differently. Nonprofits routinely defer technology spending, run on devices and systems well past their useful life, and staff IT functions with people who carry technology as a secondary responsibility alongside a primary program or operations role.
The result is a pattern Scottship Solutions sees consistently: five or six problems that individually feel manageable but together create an environment where staff productivity is chronically degraded, security exposure is real, and a single failure (a ransomware attack, a hard drive going out, a key staff departure) can cascade into a significant operational crisis.
The good news: most nonprofit IT infrastructure problems have clear, documented fixes. This guide walks through the eight most common, what causes each, and what it takes to resolve it.
Problem 1: Slow or Unreliable Internet and Network
Symptoms: Video calls drop or freeze regularly, file uploads and downloads are slow, staff complain about lag when accessing cloud applications, the office Wi-Fi loses devices or requires frequent reconnection.
Root causes: Inadequate bandwidth for the number of users and applications running simultaneously, consumer-grade Wi-Fi hardware deployed in an office environment, outdated routers or switches, or a poorly configured network where all traffic competes on a single segment.
How to fix it:
- Audit current bandwidth usage and compare against the number of concurrent users. A 20-person office running video calls, cloud CRM, and VoIP simultaneously needs significantly more bandwidth than a simple calculation of seats would suggest.
- Replace consumer-grade Wi-Fi hardware (Netgear, Linksys home routers) with business-grade access points (Ubiquiti, Cisco Meraki, or equivalent). Business access points handle device density and interference management in ways home hardware cannot.
- Segment network traffic so that guest devices, staff devices, and video conferencing traffic do not compete on the same channel.
- If the ISP connection speed is adequate but performance is still poor, the problem is typically the internal network hardware, not the internet service.
Fix or modernize: If the hardware is more than five years old, replace rather than reconfigure. Reconfiguring aging hardware solves the immediate symptom without addressing the underlying capacity and reliability problem.
Problem 2: Aging and Unpatched Devices
Symptoms: Computers take several minutes to start up, applications crash frequently, staff have learned workarounds for devices that cannot run current software, and operating system updates fail or are perpetually postponed.
Root causes: Devices are beyond their useful life (typically 4 to 5 years for laptops, 5 to 6 years for desktops), operating systems are no longer receiving security updates, or no one owns the patching process so updates accumulate and are never applied.
How to fix it:
- Inventory every device in the organization with its age, operating system version, and current patch status. This is the starting point for every device-related remediation plan.
- Identify devices running Windows 10 (end of support October 2025) or macOS versions more than two major releases behind. These are active security risks, not just performance problems.
- Implement automated patch management. Microsoft Intune (included in Microsoft 365 Business Premium) and similar tools push updates automatically without relying on staff to approve and install them manually.
- Establish a device replacement cycle. A three to four year refresh cycle for laptops, funded as a line item in the annual budget, prevents the crisis purchases that come when aging devices fail simultaneously.
Fix or modernize: Patching extends the useful life of devices that are otherwise functional. For devices over five years old or running unsupported operating systems, replacement is the correct answer regardless of whether a patch is available.
Problem 3: Backups That Have Never Been Tested
Symptoms: The organization has a backup solution in place but no one has verified a restore in the past year, or staff are not certain what is actually being backed up or where the backups are stored.
Root causes: Backup was set up once and never revisited, backup notifications go to an email address that no one monitors, or the backup covers files but not application data (CRM records, financial system data) because those require separate backup configurations.
How to fix it:
- Run a test restore immediately. Pick a non-critical file or folder from a backup that is at least 30 days old and restore it to a test location. If the restore succeeds, your backup is functional. If it fails or takes far longer than expected, you have a problem to fix before you need it in a real recovery scenario.
- Document what is backed up, where backups are stored, how often they run, and how long they are retained. This documentation should be accessible to at least two people in the organization.
- Confirm that cloud application data (Microsoft 365 email and SharePoint, Google Workspace, Salesforce, your CRM) is backed up separately. Cloud platforms are not backup solutions. Microsoft and Google both state explicitly that their platforms are not designed to replace a backup strategy.
- Schedule quarterly restore tests and put them on the calendar. A backup that has not been tested recently is not a reliable backup.
Fix or modernize: If backups are running but untested, run the test first before changing anything. If the backup solution itself is outdated or incomplete in coverage, modernize to a solution that covers all critical data stores with automated testing and alerting. For more on this, see our guide on business continuity planning for nonprofits.
Problem 4: Poor Remote Access Setup
Symptoms: Remote staff use personal devices to access organizational systems, access is granted through informal arrangements (sharing credentials, using personal cloud storage for work files), or the VPN solution is slow and frequently disconnects.
Root causes: Remote work infrastructure was set up quickly and never formalized, or the organization relies on a consumer VPN or legacy remote desktop solution that was not designed for sustained remote team use.
How to fix it:
- Move file storage and collaboration to a managed cloud platform (Microsoft SharePoint and OneDrive, or Google Drive with organization controls) so staff access organizational data through authenticated accounts rather than personal storage or VPN tunnels to an on-premise server.
- Require that organizational work happens on organization-managed devices or through a formal BYOD policy with minimum security requirements (device encryption, screen lock, enrolled in mobile device management).
- If a VPN is still required for legacy on-premise systems, replace consumer-grade VPN solutions with a business-grade option and confirm that MFA is enforced on all VPN access.
- Review who has remote access to which systems and remove access for staff who no longer need it or who have left the organization.
Fix or modernize: If the organization is still primarily on-premise with a VPN-dependent remote access model, this is a modernization project, not a patch. Moving to a cloud-first model resolves the remote access problem at its root rather than adding layers on top of an architecture that was not designed for distributed teams.
Problem 5: No Endpoint Protection
Symptoms: Devices run free consumer antivirus or the default Windows Defender without centralized monitoring, there is no visibility into whether all devices are protected, and the organization has no process for responding if a device is compromised.
Root causes: Endpoint security was set up per-device rather than centrally managed, or the organization purchased an endpoint solution that no one is actively monitoring.
How to fix it:
- Deploy Microsoft Defender for Business or a comparable endpoint detection and response (EDR) solution across all organization-owned devices. Defender for Business is included in Microsoft 365 Business Premium, which nonprofits can access at significantly reduced cost through Microsoft’s nonprofit licensing program.
- Confirm that all devices are enrolled in the management console and that alerts are going to someone who will act on them. An EDR solution that generates alerts no one reads provides limited protection.
- Enable automatic remediation for common threat types so that low-level threats are handled without requiring manual intervention.
- Verify coverage: every organization-owned device, including any used by remote staff, should appear in the management console as protected and up to date.
Fix or modernize: If the current solution is a per-device consumer antivirus product, replace it with a centrally managed EDR. Consumer antivirus does not provide the threat detection, behavioral analysis, or incident response capabilities that current threats require.
Problem 6: Disconnected Software Systems
Symptoms: Staff manually copy data between the CRM and the financial system, reports require pulling data from three different places and combining it in a spreadsheet, or the same contact information is maintained in multiple places that frequently go out of sync.
Root causes: Software was adopted tool by tool over time without a plan for how the tools would work together, or integration was considered a future phase that was never prioritized.
How to fix it:
- Map the manual data flows in your organization: every time a staff member copies data from one system to another, that is a candidate for automation. A one-hour process mapping session with your operations and development teams will identify most of them.
- Use the integration capabilities built into your existing platforms before purchasing additional tools. Microsoft 365 Power Automate, Salesforce Flow, and most modern CRMs have built-in automation that handles common integrations without third-party tools.
- For integrations that require connecting separate platforms, Zapier and Make (formerly Integromat) handle most common nonprofit integration patterns at a cost that is reasonable for small organizations.
- Prioritize integrations that reduce manual data entry in high-frequency processes: donation acknowledgment, grant reporting data pulls, and new contact creation.
Fix or modernize: If the disconnection is between platforms that have no integration pathway (for example, a legacy accounting system with no API), the fix is a patch at best. Modernizing to platforms that support integration natively resolves the problem permanently. Scottship Solutions advises on these decisions as part of our managed IT services.
Problem 7: Single Points of Failure
Symptoms: Only one person knows the administrator password for a critical system, a key staff member’s departure would leave the organization without access to vendor accounts or documented processes, or a single device or server going down would halt operations for hours or days.
Root causes: IT knowledge and access accumulated in one person over time without a deliberate effort to document and distribute it, or the organization never formalized its access management practices.
How to fix it:
- Conduct an access audit: list every critical system and identify who holds the administrator credentials. Any system where only one person has access is a single point of failure.
- Store credentials in a shared organizational password manager (1Password Teams, Bitwarden for Business) accessible to at least two authorized staff members. Individual staff should not be the sole custodians of organizational account credentials.
- Document the five to ten most critical IT processes: how to add a new user, how to provision a new device, how to run a backup restore, how to contact each major vendor. Store this documentation somewhere accessible to more than one person.
- For physical infrastructure (servers, network hardware), ensure that at least one other person besides the primary IT contact knows where the equipment is, how to restart it, and who to call if it fails.
Fix or modernize: Single points of failure in people are a documentation and access management problem, fixable without new technology. Single points of failure in aging physical infrastructure (an on-premise server that has no redundancy) are an architecture problem, best addressed by moving to cloud infrastructure that includes built-in redundancy.
Problem 8: Outdated Email Security
Symptoms: Staff regularly receive phishing emails that pass through to their inbox, the organization has experienced at least one successful phishing or business email compromise attempt in the past year, or email accounts are not protected by multi-factor authentication.
Root causes: Default spam filtering is enabled but advanced anti-phishing, anti-spoofing, and impersonation protection are not configured, MFA is not required on email accounts, or the organization is on a legacy email platform that lacks modern security features.
How to fix it:
- Enable MFA on every email account immediately. This is the single highest-impact change available and costs nothing on Microsoft 365 or Google Workspace nonprofit plans.
- In Microsoft 365: configure Defender for Office 365 anti-phishing policies, enable Safe Links and Safe Attachments, and set up anti-spoofing protection. These settings are not enabled by default and require deliberate configuration in the Microsoft 365 security portal.
- In Google Workspace: enable advanced phishing and malware protection in the Admin Console, configure SPF, DKIM, and DMARC records for your domain, and turn on enhanced pre-delivery message scanning.
- Publish SPF, DKIM, and DMARC DNS records for your organization’s email domain. These records prevent attackers from spoofing your domain name in emails sent to donors and partners.
Fix or modernize: If the organization is on Microsoft 365 or Google Workspace, the fix is configuration, not replacement. Both platforms have enterprise-grade email security available; it simply needs to be turned on and configured. If the organization is on a legacy email platform that does not support these protections, migration to Microsoft 365 or Google Workspace (both available at nonprofit pricing) is the modernization path.
Fix vs. Modernize: How to Decide
For every infrastructure problem, the decision between fixing and modernizing comes down to three questions:
- Is the root cause addressable with a configuration change or a patch? If yes, fix first. Modernization is expensive and disruptive. Do not replace something that can be fixed reliably.
- Will the fix hold for at least two to three years? If a device is four years old and experiencing performance problems, a RAM upgrade buys another year but not three. If the fix has a short shelf life, the modernization investment is often better timed now.
- Is the current system blocking other improvements? An on-premise server that prevents cloud adoption, a legacy email platform that cannot support MFA, or a CRM without an API that prevents integration are blockers. Fixing them extends the blocker rather than removing it.
Scottship Solutions uses a structured IT infrastructure assessment to answer these questions for each system in an organization’s environment. The output is a prioritized remediation plan that distinguishes between quick fixes, short-term patches, and justified modernization investments. Learn more at our managed IT services page.
Frequently Asked Questions
The most common nonprofit IT infrastructure problems are: slow or unreliable networks from consumer-grade hardware, aging devices running unsupported operating systems, backup systems that have never been tested, informal remote access arrangements, missing or unmonitored endpoint protection, manual data transfer between disconnected systems, single points of failure in staff knowledge and system access, and email accounts without MFA or advanced phishing protection. Most organizations have at least three or four of these present simultaneously.
Some fixes are within reach for a technically capable operations or finance staff member: enabling MFA on email accounts, running a backup restore test, or installing a password manager. Problems involving network hardware configuration, endpoint management, patch automation, or cloud migration require someone with hands-on IT experience. Attempting complex infrastructure changes without that experience often creates new problems alongside the ones being addressed. A managed IT provider can handle the technical work while keeping internal staff informed and in control.
Replace rather than fix when: the hardware is more than five years old and experiencing recurring failures, the operating system or application is no longer receiving security updates, the fix addresses the symptom rather than the root cause, or the current system is blocking other improvements the organization needs to make. The cost of emergency replacement after a failure is almost always higher than the cost of planned replacement on a predictable cycle.
A nonprofit IT infrastructure assessment documents every device, system, and application in the organization’s environment, evaluates each against current security and performance standards, identifies single points of failure and compliance gaps, and produces a prioritized remediation plan. A well-run assessment takes one to two weeks and delivers a clear picture of what needs to be fixed immediately, what can be deferred, and what warrants modernization rather than repair. Scottship Solutions conducts IT infrastructure assessments for nonprofits in the 10 to 75 employee range.
A managed IT provider handles the technical diagnosis and remediation work while keeping organizational leadership informed through plain-language reporting rather than technical detail. For infrastructure problems specifically, they bring the tools and processes (patch management, endpoint monitoring, backup verification, access auditing) that catch problems before they become failures. Scottship Solutions provides managed IT services for nonprofits that include proactive monitoring, regular infrastructure reviews, and hands-on remediation so staff can focus on mission rather than managing technology. Schedule a free consultation.
Your Next Steps
- Run a quick self-audit. Go through the eight problems in this post and mark each as present, absent, or unknown. Any “unknown” is itself a problem: you cannot manage what you have not documented.
- Start with the highest-risk items. Untested backups, devices without endpoint protection, and email accounts without MFA represent active risk today. Address these before tackling performance or integration problems.
- Document what you have. A current device inventory, a list of every software system and who administers it, and a record of credential custodians for each critical account takes a day to build and eliminates several categories of single-point-of-failure risk.
- Get your backup restore tested this week. Pick any file from a backup at least 30 days old. Restore it to a test location. If the process fails or you cannot find how to do it, that is the most important infrastructure problem your organization has right now.
- Schedule a free consultation with Scottship Solutions — we will walk through your current infrastructure, identify the highest-priority problems, and give you a clear picture of what needs immediate attention and what can wait.
Sources
- Microsoft — Microsoft 365 Business Premium: Defender for Business and Intune inclusion
- Microsoft — Microsoft for Nonprofits: licensing and eligibility
- Verizon — Data Breach Investigations Report 2024
- NIST — Cybersecurity Framework 2.0
- NTEN — State of Nonprofit Technology
Written by
Will Facques
Senior IT Consultant at Scottship Solutions
Will works directly with nonprofit and small business clients on infrastructure, managed services, and technology implementations. He translates complex technical requirements into practical solutions that actually get done.
Certifications
PMP (Project Management Professional) • Lean Six Sigma Yellow Belt • CompTIA Network+
Industries Served
Human Services, Healthcare & Community Health, Education & Youth Development, Faith-Based, Child Advocacy, Arts & Culture