We've just released the results of NetAction's survey of security practices
in nonprofit organizations. I thought it might be of interest to RISKS readers.
Despite the growing importance of computers to nearly every aspect of
nonprofit operations, an online survey of security practices in nonprofit
organizations found substantial room for improvement, especially in
maintaining the security of confidential and/or sensitive files, user work
habits, and disaster planning.
"Nonprofit organizations are just as vulnerable to cyber attacks as
businesses and government agencies," said NetAction executive director
Audrie Krause. "This should be a wake-up call to the nonprofit sector:
security needs to be improved."
NetAction's report on the survey results, "Computer Practices in Nonprofit
Organizations," is available at: http://netaction.org/security/.
Many of the respondents acknowledged the need to improve their security
practices. When asked to identify specific security issues their
organization needs to address, about two-thirds of the survey respondents
listed user work habits and disaster planning, about half listed data
backups and encryption, and about one third listed virus protection and
firewalls.
The need to improve the security of confidential and/or sensitive files
(such as personnel records or financial documents) was especially
evident. Only 4% of nonprofit organizations encrypt all sensitive files. Yet
nearly two thirds of the organizations surveyed store sensitive files on
computers connected to a local network, and nearly half store them on
computers connected to the Internet.
Moreover, computer users in nearly one fourth of the organizations that
NetAction surveyed do not routinely lock or shut down their computers when
they are away from their desks, and 80% of the nonprofits indicated that
volunteers, interns, outside consultants and/or temporary staff have access
to office computers.
"Some risks aren't as obvious as others," said Krause. "Most organizations
are aware that they could lose important data if they don't do regular
backups. But they may not realize that when users forget to log off, a
disgruntled employee could steal confidential information, or a nosy
volunteer could access an organization's personnel records."
NetAction's survey also found that only slightly more than half of the
nonprofit organizations back up their data every day, and only about one
third have a data recovery plan in the event of catastrophic data loss.
The organizations did a somewhat better job of protecting their computers
from viruses. About two-thirds of the organizations updated their anti-virus
software one or more times per month. However, the survey also found that
about two-thirds of the nonprofits use Microsoft's Outlook or Outlook
Express to send and receive e-mail despite the higher risk of an attack by
viruses or worms than with other e-mail clients.
The online survey was conducted between December 19, 2001 and January 20,
2001. Although the results cannot be generalized to the larger nonprofit
community because random sampling techniques were not used, Krause said
nonprofit organizations should find the report useful in assessing their own
computer security practices and identifying practices that need improvement.
[...]
She added, "Security experts were concerned about the vulnerability of
computer systems to cyber attacks long before the horrendous events of
September 11, 2001; the level of concern has only increased since the
terrorist attacks on New York City and the Pentagon. [...]
NetAction, Audrie Krause, Exec.Dir., 601 Van Ness Ave., No. 631, San Francisco
CA 94102 1-415-775-8674 http://www.netaction.org audrie@netaction.org [Audrie Krause via risks-digest Volume 21, Issue 91]