When asked how they would characterize the state of their own organization's computer security practices, nearly a third of the respondents (32%) acknowledged that their computer security practices needed to be improved. The chart below shows how respondents described their own organization's computer security.
Chart B: Which of the following statements best describes your organization's computer security?
We also wanted to know whether the respondents had identified specific computer security issues that needed to be addressed within their own organizations. When we asked what specific computer security issues their organization needed to address, nearly two-thirds of the survey respondents listed user work habits and disaster planning, and about half listed data backups and encryption. Responses to the survey questions that specifically addressed these security practices underscore the need for improvement. The table below indicates the security issues that respondents identified as needing to be addressed by their organization:
Table IV: In your opinion, what are the computer security issues that your organization
needs to address?
(Check all that apply.)
In a majority of the organizations, computer users logon with a personal user name (54%) and/or a personal password (68%). While only 3% allow a user to logon without a user name, 10% allow a user to logon without a password, 9% allow all users to logon with the same password, and 4% allow all users to logon with the same user name.
The most basic - and low-tech - security practice is to lock or shut down a computer when it's not in use. Yet only about a third of the respondents (30%) indicated that computer users do lock or shut down their computers most of the time when they are away from their desk. Nearly one fourth (24%) indicated that computer users do not. The table below indicates responses to our question about security practices in the area of user work habits:
|Table V: Do computer users lock or shut down their computers when they are away from their desks during working hours, and when they leave work? (Select the statement that best describes your office.)|
|Most do all the time||30%||36|
|Most do some of the time||15%||18|
|Some do, some don't||29%||35|
Responses to some of our other questions underscore the importance of this simple security measure. For example, 89% of the survey respondents indicated that there are shared files on office computers or office network servers that can be read and/or modified by more than one person, and in 80% of the organizations there are volunteers, interns, outside consultants and/or temporary employees who have access to the computers. Requiring users to logon with a user name and/or a password is not an effective security measure if the user does not logoff before leaving his or her desk.
Our survey included two questions about data backups. First, we asked about the frequency of backups. Only about half of the respondents (56%) indicated that their organization backed up data every day. The following table includes responses to our question about the frequency of data backups:
|Table VI: How often is the data on your office computers backed up?|
|One time or more per week||14%||17|
|One time or more per month||15%||18|
|Don't know how often||9%||11|
|Don't know if backed up||3%||4|
|Data not backed up||2%||2|
The location where backups are stored is also an important security consideration. For example, if the building in which a nonprofit organization is located is destroyed in a fire, a backup stored on site is likely to be destroyed along with the computers. Our survey found that 39% of nonprofits stored backups both on and off site, and 15% stored them only off site. The table below shows responses to our question about the location of backed up data:
|Table VII: Where is your organization's backed up data stored?|
|In the office||32%||37|
|In a separate location||15%||18|
|In office & off site||39%||46|
|Data not backed up||3%||4|
Our survey found that nearly two-thirds of nonprofits (63%) update their anti-virus software one or more times per month, only 1% never update the software, and only 3% don't have anti-virus software installed. The frequency with which nonprofits update their anti-virus software is detailed in the following table:
|Table VIII: How often is the anti-virus software on your office computers updated for new virus definitions?|
|One or more times per month||63%||75|
|Less than once per month||8%||10|
|Whenever someone remembers||14%||17|
|Don't know how often||10%||12|
|Don't know if software installed||1%||1|
|Don't have software installed||3%||3|
We also wanted to know what happened to nonprofits that had experienced virus attacks. Of the nonprofits that had, 22% had minimal data loss, 47% had no data loss, and 19% had random non-sensitive files emailed to addresses in a user's Outlook address book. Only 5% of the nonprofits that responded had catastrophic or significant data loss from a virus, and only 3% had random sensitive or confidential files emailed to addresses in a user's Outlook address book. Another 12% indicated that they had never experienced a virus attack.
The type of email software that an organization uses can also make a difference. Since the vast majority of viruses and worms are created to exploit features in Microsoft's Outlook and Outlook Express email software, Outlook users are more at risk than users of alternative software programs (such as Eudora or Netscape Communicator). Unfortunately, nearly two thirds of the survey respondents indicated that their organization used Outlook and/or Outlook Express to send and receive email. The following table indicates the email software that respondents used in their organization:
|Table IX: What software program(s) are you using to send and receive email? (Check all that apply.)|
|Outlook or Outlook Express||64%||76|
Since computers running the Windows operating system are more vulnerable to a variety of cyber attacks, and Microsoft provides patches when security flaws are identified, we also wanted to know if nonprofit organizations update their operating system when patches are available. Our survey found that 29% of nonprofits did update their Windows operating system with patches. However, another 16% did not and 21% didn't know whether or not patches were being run.
Encrypting sensitive and/or confidential files is another important security practice. It prevents unauthorized users from gaining access to confidential documents and ensures that any modifications to the data are revealed. Yet 70% of the nonprofits surveyed do not use encryption. The following chart indicates how respondents answered questions about the use of encryption:
Chart C: If your organization uses encryption software to protect sensitive and/or confidential files on your office computers, what software do you use?
We also wanted to know more specifically whether nonprofits encrypted sensitive and/or confidential files stored on network computers. Nearly two-thirds of the nonprofits (64%) store sensitive files on computers connected to a local network, and 46% store such files on computers connected to the Internet. But only 4% of the nonprofits encrypt all such sensitive files, and 29% indicated that none of those files are encrypted. The following table shows how nonprofits responded when asked about sensitive files on networked computers:
|Table X: If there are files on any of your office computers that contain personnel records, financial documents, or other types of confidential or sensitive information, which of the following statements apply? (Check all that apply.)|
|We have sensitive files on computers connected to a local network||64%||75|
|We have sensitive files on computers connected to the Internet||46%||54|
|We have no sensitive files on computers connected to a local network||9%||11|
|We have no sensitive files on computers connected to the Internet||9%||11|
|All sensitive files are encrypted||4%||5|
|Some sensitive files are encrypted||8%||10|
|No sensitive files are encrypted||29%||34|
When we asked about firewalls, nearly two-thirds of respondents (64%) indicated that there was a firewall between their office computers and the Internet. But 23% do not have a firewall, and 14% didn't know.
We also asked organizations that had experienced a security breach to briefly describe the experience, and received 42 responses. Some of their comments are included below:
Nonprofits use computers for virtually all of their critical operations, so preparing for a disaster is no less important for nonprofit organizations than for businesses and government agencies. Yet nearly half of the nonprofits in our survey (49%) do not have a data recovery plan in place to implement in the event of catastrophic data loss, as indicated in the chart below:
Chart D: Does your organization have a data recovery plan to implement in the event of catastrophic data loss?
Next: About the Survey