The Night We Almost Lost Our Data (And What We Did After)

The Call I'll Never Forget

It was 11 PM on a Thursday when my phone buzzed. Our IT volunteer—a retired systems administrator who helped us on weekends—sounded panicked. "Someone's been in the server. I don't know how much they got."

We were lucky. It was a scare, not an actual breach. But the three days we spent checking every system, changing every password, and wondering what we'd tell our clients if their data was compromised—those were the longest days of my career.

What We Were Doing Wrong

Where to start? Passwords on sticky notes. A shared admin account that six people used. No two-factor authentication. Backups that hadn't been tested in over a year.

We weren't careless. We just didn't know. Nonprofit work doesn't exactly come with a security curriculum.

The Changes We Made

After the scare, we got serious. Some of it was expensive. Most of it was free.

• Moved to a password manager—everyone has their own accounts now
• Two-factor authentication on everything that offers it
• Monthly backup tests, not yearly
• A simple incident response plan so nobody panics alone next time

What I'd Tell Other Organizations

You don't need a big IT budget. You need basic discipline. Write down what systems you use, who has access, and what would happen if each one failed. Then fix the scariest gaps first.

Also: find a volunteer like ours. Retired IT people often want to give back. They've seen things. They'll tell you what you're missing.