Computer Security Practices in Nonprofit Organizations

A NetAction Report


Section II: Computer Security Practices

When asked how they would characterize the state of their own organization's computer security practices, nearly a third of the respondents (32%) acknowledged that their computer security practices needed to be improved. The chart below shows how respondents described their own organization's computer security.

Chart B: Which of the following statements best describes your organization's computer security?

We also wanted to know whether the respondents had identified specific computer security issues that needed to be addressed within their own organizations. When we asked what specific computer security issues their organization needed to address, nearly two-thirds of the survey respondents listed user work habits and disaster planning, and about half listed data backups and encryption. Responses to the survey questions that specifically addressed these security practices underscore the need for improvement. The table below indicates the security issues that respondents identified as needing to be addressed by their organization:

Table IV: In your opinion, what are the computer security issues that your organization needs to address?
(Check all that apply.)

User Work Habits

In a majority of the organizations, computer users log on with a personal user name (54%) and/or a personal password (68%). While only 3% allow a user to log on without a user name, 10% allow a user to log on without a password, 9% allow all users to log on with the same password, and 4% allow all users to log on with the same user name.

The most basic - and low-tech - security practice is to lock or shut down a computer when it's not in use. Yet only about a third of the respondents (30%) indicated that computer users do lock or shut down their computers most of the time when they are away from their desk. Nearly one fourth (24%) indicated that computer users do not. The table below indicates responses to our question about security practices in the area of user work habits:

Table V: Do computer users lock or shut down their computers when they are away from their desks during working hours, and when they leave work? (Select the statement that best describes your office.)
| Response | Percent | # Replies |
|---|---|---|
| Most do all the time | 30% | 36 |
| Most do some of the time | 15% | 18 |
| Some do, some don't | 29% | 35 |
| No | 24% | 29 |
| Don't know | 2% | 2 |
| Total | 100% | 120 |

Responses to some of our other questions underscore the importance of this simple security measure. For example, 89% of the survey respondents indicated that there are shared files on office computers or office network servers that can be read and/or modified by more than one person, and in 80% of the organizations there are volunteers, interns, outside consultants and/or temporary employees who have access to the computers. Requiring users to log on with a user name and/or a password is not an effective security measure if the user does not log off before leaving his or her desk.

Data Backups

Our survey included two questions about data backups. First, we asked about the frequency of backups. Only about half of the respondents (56%) indicated that their organization backed up data every day. The following table includes responses to our question about the frequency of data backups:

Table VI: How often is the data on your office computers backed up?
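| Response | Percent | # Replies |
|---|---|---|
| Every day | 56% | 67 |
| One time or more per week | 14% | 17 |
| One time or more per month | 15% | 18 |
| Never | 1% | 1 |
| Don't know how often | 9% | 11 |
| Don't know if backed up | 3% | 4 |
| Data not backed up | 2% | 2 |
| Total | 100% | 120 |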

The location where backups are stored is also an important security consideration. For example, if the building in which a nonprofit organization is located is destroyed in a fire, a backup stored on site is likely to be destroyed along with the computers. Our survey found that 39% of nonprofits stored backups both on and off site, and 15% stored them only off site. The table below shows responses to our question about the location of backed up data:

Table VII: Where is your organization's backed up data stored?
| Response | Percent | # Replies |
|---|---|---|
| In the office | 32% | 37 |
| In a separate location | 15% | 18 |
| In office & off site | 39% | 46 |
| Don't know | 10% | 12 |
| Data not backed up | 3% | 4 |
| Total | 100% | 117 |

Virus Protection

Our survey found that nearly two-thirds of nonprofits (63%) update their anti-virus software one or more times per month, only 1% never update the software, and only 3% don't have anti-virus software installed. The frequency with which nonprofits update their anti-virus software is detailed in the following table:

Table VIII: How often is the anti-virus software on your office computers updated for new virus definitions?
| Response | Percent | # Replies |
|---|---|---|
| One or more times per month | 63% | 75 |
| Less than once per month | 8% | 10 |
| Whenever someone remembers | 14% | 17 |
| Never | 1% | 1 |
| Don't know how often | 10% | 12 |
| Don't know if software installed | 1% | 1 |
| Don't have software installed | 3% | 3 |
| Total | 100% | 119 |

We also wanted to know what happened to nonprofits that had experienced virus attacks. Of the nonprofits that had, 22% had minimal data loss, 47% had no data loss, and 19% had random non-sensitive files emailed to addresses in a user's Outlook address book. Only 5% of the nonprofits that responded had catastrophic or significant data loss from a virus, and only 3% had random sensitive or confidential files emailed to addresses in a user's Outlook address book. Another 12% indicated that they had never experienced a virus attack.

The type of email software that an organization uses can also make a difference. Since the vast majority of viruses and worms are created to exploit features in Microsoft's Outlook and Outlook Express email software, Outlook users are more at risk than users of alternative software programs (such as Eudora or Netscape Communicator). Unfortunately, nearly two thirds of the survey respondents indicated that their organization used Outlook and/or Outlook Express to send and receive email. The following table indicates the email software that respondents used in their organization:

Table IX: What software program(s) are you using to send and receive email? (Check all that apply.)
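| Response | Percent | # Replies |
|---|---|---|
| Outlook or Outlook Express | 64% | 76 |
| Entourage | 5% | 6 |
| Eudora | 22% | 26 |
| Netscape Communicator | 18% | 21 |
| America Online | 16% | 19 |
| Pine/Elm/Mail/Mutt | 6% | 7 |
| Pegasus Mail | 3% | 3 |
| Other [6] | 22% | 26 |
| Total | 100% | 119 |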

Since computers running the Windows operating system are more vulnerable to a variety of cyber attacks, and Microsoft provides patches when security flaws are identified, we also wanted to know if nonprofit organizations update their operating system when patches are available. Our survey found that 29% of nonprofits did update their Windows operating system with patches. However, another 16% did not and 21% didn't know whether or not patches were being run.

Encryption

Encrypting sensitive and/or confidential files is another important security practice. It prevents unauthorized users from gaining access to confidential documents and ensures that any modifications to the data are revealed. Yet 70% of the nonprofits surveyed do not use encryption. The following chart indicates how respondents answered questions about the use of encryption:

Chart C: If your organization uses encryption software to protect sensitive and/or confidential files on your office computers, what software do you use?

We also wanted to know more specifically whether nonprofits encrypted sensitive and/or confidential files stored on network computers. Nearly two-thirds of the nonprofits (64%) store sensitive files on computers connected to a local network, and 46% store such files on computers connected to the Internet. But only 4% of the nonprofits encrypt all such sensitive files, and 29% indicated that none of those files are encrypted.[7] The following table shows how nonprofits responded when asked about sensitive files on networked computers:

Table X: If there are files on any of your office computers that contain personnel records, financial documents, or other types of confidential or sensitive information, which of the following statements apply? (Check all that apply.)
| Response | Percent | # Replies |
|---|---|---|
| We have sensitive files on computers connected to a local network | 64% | 75 |
| We have sensitive files on computers connected to the Internet | 46% | 54 |
| We have no sensitive files on computers connected to a local network | 9% | 11 |
| We have no sensitive files on computers connected to the Internet | 9% | 11 |
| All sensitive files are encrypted | 4% | 5 |
| Some sensitive files are encrypted | 8% | 10 |
| No sensitive files are encrypted | 29% | 34 |
| Don't know | 6% | 7 |
| Other [8] | 13% | 15 |

Firewalls

When we asked about firewalls, nearly two-thirds of respondents (64%) indicated that there was a firewall between their office computers and the Internet. But 23% do not have a firewall, and 14% didn't know.

We also asked organizations that had experienced a security breach to briefly describe the experience, and received 42 responses. Some of their comments are included below:

Disaster Planning

Nonprofits use computers for virtually all of their critical operations, so preparing for a disaster is no less important for nonprofit organizations than for businesses and government agencies. Yet nearly half of the nonprofits in our survey (49%) do not have a data recovery plan in place to implement in the event of catastrophic data loss, as indicated in the chart below:

Chart D: Does your organization have a data recovery plan to implement in the event of catastrophic data loss?
