Published by NetAction | Issue No. 80 | January 29, 2002
Probably not, according to the results of NetAction's recent survey of computer security practices in nonprofit organizations.
Despite the growing importance of computers to nearly every aspect of nonprofit operations, our survey found substantial room for improvement, especially in maintaining the security of confidential and/or sensitive files, user work habits, and disaster planning.
Nonprofit organizations are just as vulnerable to cyber attacks as businesses and government agencies, and our survey should be a wake-up call to the nonprofit sector: security needs to be improved.
NetAction's report on the survey results, "Computer Security Practices in Nonprofit Organizations," is available at: http://netaction.org/security/.
Many of the respondents acknowledged the need to improve their security practices. When asked to identify specific security issues their organization needs to address, about two-thirds of the survey respondents listed user work habits and disaster planning, about half listed data backups and encryption, and about one third listed virus protection and firewalls.
The need to improve the security of confidential and/or sensitive files (such as personnel records or financial documents) was especially evident. Only 4% of nonprofit organizations encrypt all sensitive files. Yet nearly two thirds of the organizations surveyed store sensitive files on computers connected to a local network, and nearly half store them on computers connected to the Internet.
Moreover, computer users in nearly one fourth of the organizations we surveyed do not routinely lock or shut down their computers when they are away from their desks, and 80% of the nonprofits indicated that volunteers, interns, outside consultants and/or temporary staff have access to office computers.
Some risks aren't as obvious as others. Most organizations are aware that they could lose important data if they don't do regular backups. But they may not realize that when users forget to log off, a disgruntled employee could steal confidential information, or a nosy volunteer could access an organization's personnel records.
Our survey also found that only slightly more than half of the nonprofit organizations back up their data every day, and only about one third have a data recovery plan in the event of catastrophic data loss.
The organizations did a somewhat better job of protecting their computers from viruses. About two-thirds of the organizations updated their anti-virus software one or more times per month. However, we also found that about two-thirds of the nonprofits use Microsoft's Outlook or Outlook Express to send and receive email, even though these clients carry a higher risk of attack by viruses or worms than other email clients.
Although we cannot generalize the results to the larger nonprofit community since random sampling techniques were not used, nonprofit organizations should find the report useful in assessing their own computer security practices and identifying practices that need improvement.
Security experts were concerned about the vulnerability of computer systems to cyber attacks long before the horrendous events of September 11, 2001; the level of concern has only increased since the terrorist attacks on New York City and the Pentagon. While the focus of computer security concerns has primarily been on the potential threat to corporate and government computer systems, computers are no less critical to the operations of nonprofit organizations.
With experts warning that the vulnerabilities in computer systems are increasing faster than the nation can respond, it is important that nonprofit organizations take steps to improve the security of their computer systems. We will be discussing specific security practices in future issues of NetAction Notes.
In comments filed Monday with the U.S. Department of Justice, NetAction and Computer Professionals for Social Responsibility (CPSR) warn that consumers will have to make substantial investments in new hardware and software in order to benefit from the terms of the proposed settlement of the Microsoft antitrust case. NetAction and CPSR argue that the proposal is not in the public interest and urge Judge Colleen Kollar-Kotelly to either reject the proposed settlement or order additional proceedings to eliminate its many ambiguities.
The comments are available on NetAction's web site at: http://www.netaction.org/msoft/doj-comments.html
In the comments, NetAction and CPSR argue that the Proposed Final Judgement (PFJ) provides only limited relief to consumers for middleware software applications, and no relief at all for consumers using Windows 95, Windows 98, Windows NT, or Windows 2000. Moreover, many consumers will have to buy new software and hardware, including new computers, to obtain any of the benefits that Microsoft and the DOJ claim are contained in the PFJ.
NetAction and CPSR also express concerns about the ambiguities in the PFJ and note that they are similar to the ambiguities in the first Microsoft antitrust settlement that prompted the DOJ's return to court. To assure itself that the parties to the settlement have actually come to an understanding, NetAction and CPSR propose that the Court allow parties that have commented under the Tunney Act process to submit written questions about what is permissible under the provisions of the settlement.
The parties to the settlement should be required to submit separate answers and agree to be bound by their answers in any additional proceedings. If the separate answers are in agreement, the Court could approve the settlement knowing that the parties are truly in agreement. But if the answers to the questions are different, the Court should reject the PFJ and order further proceedings so that there will be no disagreements regarding the terms of the settlement.
Pro bono assistance in submitting the comments was provided by Jeffrey Blumenfeld, Michael D. McNeely and Patrick O'Connor of the Blumenfeld & Cohen Technology Law Group.
We are thrilled to report that NetAction's popular Virtual Activist online training curriculum is available in print in "People.Dot.Community," a recently published guide to community activism. The guide was written by Annie Nash, a longtime community activist in Australia, and was published by the nonprofit Villamanta Legal Service in Australia. Subtitled, "A resource guide for effective community activism," the book is just that. The focus is on community activism in Australia, of course, but the advice is applicable to community activism in many other parts of the world. More information is available at: http://www.villamanta.org.au/publish/VP_Publications.asp, or by email to: . NetAction's entire Virtual Activist training curriculum is included as an appendix.
NetAction Notes is a free electronic newsletter, published by NetAction. NetAction is a California-based non-profit organization dedicated to promoting use of the Internet for grassroots citizen action, and to educating the public, policy makers, and the media about technology policy issues.
For more information contact NetAction by phone at 415-215-9392, by E-mail at
NetAction * P.O. Box 6739 * Santa Barbara, CA 93160
Copyright 1996-2003 by NetAction. All rights reserved. Material may be reposted or reproduced for non-commercial use provided NetAction is cited as the source.