Computer Security Practices in Nonprofit Organizations

A NetAction Report

Summary of Findings

Our survey found substantial room for improvement in the security practices of nonprofit organizations. Despite the importance of computers to nearly every aspect of nonprofit operations, only slightly more than half of the nonprofit organizations we surveyed back up their data every day, and only about one-third have a data recovery plan in the event of catastrophic data loss.

The need to improve the security of confidential and/or sensitive files (such as personnel records or financial documents) was even greater. Only 4% of nonprofit organizations encrypt all sensitive files. Yet nearly two-thirds of the organizations surveyed store sensitive files on computers connected to a local network, and nearly half store them on computers connected to the Internet. Moreover, computer users in nearly one-fourth of the organizations we surveyed do not routinely lock or shut down their computers when they are away from their desks, and 80% of the nonprofits indicated that volunteers, interns, outside consultants and/or temporary staff have access to office computers.

The organizations did a somewhat better job of protecting their computers from viruses. About two-thirds of the organizations updated their anti-virus software one or more times per month. However, we also found that about two-thirds of the nonprofits use Microsoft's Outlook or Outlook Express to send and receive email, even though these clients carry a higher risk of attack by viruses or worms than other email clients.

Many of the respondents acknowledged the need to improve computer security practices. When asked to identify computer security issues their organization needs to address, about two-thirds of the survey respondents listed user work habits and disaster planning, about half listed data backups and encryption, and about one-third listed virus protection and firewalls.

