Date: January 30, 2002
Contact: Audrie Krause, Executive Director
Phone: 415-215-9392

NetAction Survey Finds Security Lax at Nonprofits

Despite the growing importance of computers to nearly every aspect of nonprofit operations, an online survey of security practices in nonprofit organizations found substantial room for improvement, especially in maintaining the security of confidential and/or sensitive files, user work habits, and disaster planning.

"Nonprofit organizations are just as vulnerable to cyber attacks as businesses and government agencies," said NetAction executive director Audrie Krause. "This should be a wake up call to the nonprofit sector: security needs to be improved."

NetAction's report on the survey results, "Computer Practices in Nonprofit Organizations," is available at:

Many of the respondents acknowledged the need to improve their security practices. When asked to identify specific security issues their organization needs to address, about two-thirds of the survey respondents listed user work habits and disaster planning, about half listed data backups and encryption, and about one third listed virus protection and firewalls.

The need to improve the security of confidential and/or sensitive files (such as personnel records or financial documents) was especially evident. Only 4% of nonprofit organizations encrypt all sensitive files. Yet nearly two thirds of the organizations surveyed store sensitive files on computers connected to a local network, and nearly half store them on computers connected to the Internet.

Moreover, computer users in nearly one fourth of the organizations that NetAction surveyed do not routinely lock or shut down their computers when they are away from their desks, and 80% of the nonprofits indicated that volunteers, interns, outside consultants and/or temporary staff have access to office computers.

"Some risks aren't as obvious as others," said Krause. "Most organizations are aware that they could lose important data if they don't do regular backups. But they may not realize that when users forget to logoff, a disgruntled employee could steal confidential information, or a nosy volunteer could access an organization's personnel records."

NetAction's survey also found that only slightly more than half of the nonprofit organizations back up their data every day, and only about one third have a data recovery plan in the event of catastrophic data loss.

The organizations did a somewhat better job of protecting their computers from viruses. About two-thirds of the organizations updated their anti-virus software one or more times per month. However, the survey also found that about two-thirds of the nonprofits use Microsoft's Outlook or Outlook Express to send and receive email despite the higher risk of an attack by viruses or worms than with other email clients.

The online survey was conducted between December 19, 2001 and January 20, 2001. Although the results cannot be generalized to the larger nonprofit community because random sampling techniques were not used, Krause said nonprofit organizations should find the report useful in assessing their own computer security practices and identifying practices that need improvement.

"With experts warning that the vulnerabilities in computer systems are increasing faster than the nation can respond, it is important that nonprofit organizations take steps to improve the security of their computer systems," said Krause.

She added, "Security experts were concerned about the vulnerability of computer systems to cyber attacks long before the horrendous events of September 11, 2001; the level of concern has only increased since the terrorist attacks on New York City and the Pentagon. While the focus of computer security concerns has primarily been on the potential threat to corporate and government computer systems, computers are no less critical to the operations of nonprofit organizations."

P.O. Box 6739 * Santa Barbara, CA 93160
Phone: (415) 215-9392 * Fax: (805) 681-0941 * E-mail: