IT for charities - Guide to PC & network security
This Guide
This guide is intended to give you a fundamental appreciation of security
issues surrounding PCs and networks. The guide covers the following topics:
- Why worry about computer security?
- The three main problem areas of computer security
- Back-ups
- Passwords
- Viruses
- E-mail and the Internet
- Laptops
- A quick word on Encryption
- Security products
- An Introduction to Risk Assessment
Why worry about computer security?
If you are sceptical as to the importance of security in your organisation,
take a moment or two to consider a few points:
- While you are away from your office/home, do you know who is using your
  PC?
- What is on your PC that you would not want others to see?
- How much inconvenience/damage could it cause if the data on your PC was
  corrupted?
- If you carry a laptop on your travels, what might it mean to you if your
  laptop did not reach your destination with you? Is there data on it that
  could be used by others? (e.g. personal contacts? donor information?)
Take a few moments to think about these points and then answer the following
simple questions:
- Do you know when you last backed up your data?
- Is there a password protecting any of your sensitive data?
- Is there anything preventing your PC from simply being picked up and carried
  off?
- Are you aware that when you delete a file the PC does not necessarily remove
  the file from your hard disk? (This is explained in detail below).
- Do you know what a computer virus is and how viruses spread?
If you have answered 'Yes' to all of these questions then you are either already
a very security-minded person or tending towards data paranoia! If most of your
answers were 'No', then read on.
The three main problem areas of computer security
There are three main areas of computer security, which we will consider
in this guide:
- Confidentiality
- Deletion
- Theft
1. Confidentiality
Data confidentiality is about ensuring that only authorised users can access your
data. Primarily, this means who should be allowed to see the data, but also who can
update it and who can delete it. This can all be addressed using passwords or other forms
of identification and authentication. Passwords are covered in more detail in
their own section below but broadly speaking they are the simplest method of trying
to ensure data confidentiality. There are also more secure forms of security such
as smart/swipe cards, fingerprint or eye scanners and so on. These are known as
'authentication' as they rely not only on something you have to remember (as per a password)
but also on something you must have or be. You will probably find that there are
different levels of password on your computers: e.g. when you turn a PC/laptop
on, when you enter Windows, when you access your network and when you use an application
such as a database or e-mail.
2. Deletion
Deletion covers three areas: malicious deletion, accidental deletion, and
'data which is not really deleted'. Malicious deletion (either by a virus
or a hacker or even a disgruntled employee) can be the most dangerous.
This is where someone erases your data on purpose. You can take some steps
to try to prevent this by using PC software to stop simple deletion. But
the main problem is where someone is given access to delete a file because
they have to have this access as part of their job. If this is the case
then your main line of defence has to be ensuring you have back-ups (see
below). Some network operating systems and databases also have audit trails
so you can track back and see who deleted a particular file.
Accidental deletion, for example where you accidentally delete a document or
spreadsheet, can usually be recovered from. In Windows 95/98 all deleted files
are by default put in the Recycle bin from where you can recover a file. You
can also buy software tools (such as Norton) to recover deleted files. And of
course you should have back-ups in case of real emergency (see below). But did
you also know that when you delete a file from your PC, the data is not necessarily
erased from your hard disk? At its simplest level, now we have the Recycle bin
in Windows 95/98, deleting a file simply puts it in the bin and it can easily
be recovered. But you should also be aware of what a PC actually does when you
do ask for a file to be deleted. All the files on your PC are 'indexed' on the
PC (like a table of contents). When you delete a file using Windows Explorer
or File Manager, or when you use the DOS Delete command, all the PC actually
does is delete the file reference from its index - the data in that file is
still on your PC! The PC does this for speed's sake and when it next has to save
data to your hard disk it may do so on a blank part of your hard disk or it
may write over the data in an old file, which you have erased. But until the
PC does write over that data, that data is still there on your hard disk; it
is simply hidden. But, and this is the important bit, using comparatively
straightforward (and very cheap) PC tools, someone who knows what they are doing can
recover or 'un-erase' that data and see it. The answer to this problem is addressed
in a later section.
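The index-versus-data behaviour described above, as a toy model. This is an added example, not part of the original guide: the ToyDisk class, the 16-byte block size and the sample file contents are all constructed for illustration and do not reproduce any real file system.

```python
"""Toy model of a disk: an index (table of contents) plus raw data blocks."""

BLOCK = 16  # bytes per block; a constructed value for this toy model


class ToyDisk:
    def __init__(self, blocks=8):
        self.data = bytearray(blocks * BLOCK)  # the raw disk surface
        self.index = {}                        # file name -> block numbers
        self.free = list(range(blocks))        # blocks available for reuse

    def _span(self, block):
        return slice(block * BLOCK, (block + 1) * BLOCK)

    def write(self, name, content):
        needed = -(-len(content) // BLOCK)     # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, block in enumerate(used):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[self._span(block)] = chunk.ljust(BLOCK, b"\0")
        self.index[name] = used

    def delete(self, name):
        """Ordinary delete: forget the index entry, leave the data in place."""
        self.free = sorted(self.free + self.index.pop(name))

    def erase(self, name):
        """'True erasure': overwrite every block, then drop the index entry."""
        for block in self.index[name]:
            self.data[self._span(block)] = bytes(BLOCK)
        self.delete(name)

    def leftovers(self):
        """Old data still readable in blocks the index no longer lists."""
        found = []
        for block in self.free:
            raw = bytes(self.data[self._span(block)])
            if any(raw):
                found.append(raw.rstrip(b"\0"))
        return found


def demo():
    disk = ToyDisk()
    disk.write("donors.txt", b"A. Donor, 10 Elm Road")   # constructed sample
    disk.delete("donors.txt")
    after_delete = disk.leftovers()      # whole file is still on the disk

    disk.write("memo.txt", b"Lunch at noon")             # reuses first block
    after_reuse = disk.leftovers()       # only the un-overwritten tail remains

    disk.write("staff.txt", b"Payroll notes")
    disk.erase("staff.txt")
    after_erase = disk.leftovers()       # free blocks hold no old data
    return after_delete, after_reuse, after_erase


if __name__ == "__main__":
    for label, result in zip(("delete", "reuse", "erase"), demo()):
        print(label, result)
```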
3. Theft
Theft can refer to either physical theft or data theft. Physical theft is easy to
understand: the stealing of your PC/laptop or back-up disks (don't forget that
last one). You can buy equipment to help prevent that. But data theft is harder
to comprehend and stop. But if you pause to consider what could happen if someone
stole your donor base or personnel records then you can see the implications.
And data theft is no longer confined to copying the data onto a floppy disk; it
can also be copied over networks or even remotely (via a modem or the internet).
This is also more difficult to stop and some ideas are addressed in the section
below on Security Products.
Back-ups
Why backup?
If there is one 'first rule of computing' then it is Backup, Backup, Backup.
You cannot over-estimate its importance. If files are deleted accidentally
or maliciously, if files are 'saved over', if you get a virus attack, if
a PC or hard disk crashes or is corrupted, if a PC or laptop is stolen,
or if you simply need to see an older version of a file, then the answer
is found in your backups. The main reason people don't back-up is because
it is seen as 'too much bother.' It takes too long, it is too awkward,
they haven't got time and anyway, "it will never happen to me." Below,
it is shown how simple it can be to introduce automatic backups.
What is involved in a backup?
Physically speaking, there are two parts of a backup process: the software,
which controls the backup and the 'media' where the data is backed up to
(e.g. floppy disk, Zip drive, tape).
Backup software
The software controls what data/files are backed up. The options are generally:
simple PC commands, simple PC software, specialist backup software. Simple PC
commands are 'copy' and 'xcopy' and combining those with DOS 'batch' files. Or
you can click & drag files from your Windows explorer/file manager to floppy
disks. Simple PC software refers to either Windows' own Backup program (which
comes with the standard Windows software) or 'zip compression' software. You can
store different sets of files to be backed up in Windows' backup program so you
can continually backup easily. 'Zip compression' software (such as WinZip) also
lets you define pre-set groups of files and then 'compresses' those files so that
they take up less space than they would have done using a straight 'copy' process.
Specialist backup software can do all the above and more. You can often set rules
so that it will backup different files, folders, and hard disks and so on dependent
on the conditions you give it. For example, only do a backup if the file has changed
since the last backup. You can also pre-set the software so it will do the backup
at a pre-defined time, for example the middle of the night when it will not interfere
with anyone's work. Such software can be as simple or as sophisticated as you
want.
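The rule "only do a backup if the file has changed since the last backup", sketched as an added example (it is not taken from the original guide or from any backup product). It assumes a manifest file named manifest.json kept in the backup folder and compares SHA-256 digests; the folder and file names in demo() are constructed.

```python
"""Back up only the files that are new or changed since the previous run."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name; records the digest of each file


def file_digest(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_changed(source, dest):
    """Copy new or changed files from source to dest; return what was copied.

    Files deleted from source are left in dest, so an accidental deletion
    can still be recovered from the backup.
    """
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest_path = dest / MANIFEST
    previous = {}
    if manifest_path.exists():
        previous = json.loads(manifest_path.read_text())

    current, copied = {}, []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        current[rel] = file_digest(path)
        if previous.get(rel) != current[rel]:       # new or changed
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)              # keeps timestamps
            copied.append(rel)
    manifest_path.write_text(json.dumps(current, indent=2))
    return copied


def demo():
    """Three runs over a constructed folder: full, nothing to do, one change."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "work"), Path(tmp, "backup")
        src.mkdir()
        (src / "donors.csv").write_text("name,amount\n")
        (src / "letter.txt").write_text("Dear supporter\n")
        first = backup_changed(src, dst)
        second = backup_changed(src, dst)
        (src / "donors.csv").write_text("name,amount\nA. Donor,10\n")
        third = backup_changed(src, dst)
        return first, second, third


if __name__ == "__main__":
    print(demo())
```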
Backup media
The 'media' is where the data is backed up to. The options are generally: floppy
disks, tape drives, Zip drives, CDs and DAT. Individual users on their own PCs
who just want to backup a few important files can use floppy disks. They can obviously
only take a few files before they may become full, but this is simple and quick. To
backup whole networks, it is more likely you will need a tape drive. These are
similar to cassette tapes but larger and more robust and can backup huge amounts
of data. Zip drives are like large floppy disks but store a lot more: the smallest
one can store 100MB (the equivalent of about 70+ floppy disks), larger ones ten
times that. They are simple to use, lightweight, comparatively cheap, robust and
the drives themselves are easily transportable. CDs and DAT drives are alternatives,
but more expensive and newer technology. They could be considered if you have
very large networks.
How often should I do a backup?
The six million dollar question! And one without a straightforward answer.
Because the answer is: it depends. On what? Well, on what it would mean
to you if you had to re-key or otherwise recover a lost file without a
backup. For example, if you spend ten minutes setting up a simple spreadsheet
then it probably isn't the end of the world if you do not have a backup.
But if you spend six hours updating a donorbase and then find all that
data entry is lost, then you will be far more upset. There are a few generic
guidelines and ways of backing up as follows: The 'Grandfather-Father-Son'
method. This uses, say, three disks (or three tapes and so on). On day one
you use disk one which is called the 'son'. On day two, you use disk two
which becomes the 'son' and yesterday's disk becomes the 'father'. On day
three, you use the third disk, which in turn becomes the 'son', the previous
day's disk becomes the 'father' and the first disk you used becomes the
'grandfather'. Then on day four, you start the cycle again with disk one
which becomes the 'son' again. This means you always have three generations
of backups. This is done because often people do not realise they have
lost a file or that a file is corrupted, until one or two days after a
backup was made. And where we say 'day one and two' above, you can easily
call it 'week one and two' and so on. It is also worth complementing (or
substituting) this with 'regular backups', which are kept for longer periods.
Very often, organisations do a weekly backup at the end of each week, and
a monthly backup each month. You could keep four separate disks for each
week of the month and then start again next month, and so on.
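The three-disk rotation above, worked through as an added example (not part of the original guide). It assumes one backup at the end of each day and that a problem is noticed the morning after a backup; the function names are illustrative. The last function shows why the guide suggests keeping longer-lived weekly and monthly backups as well.

```python
"""Grandfather-Father-Son rotation with three disks, days numbered from 1."""

GENERATIONS = ("son", "father", "grandfather")
DISKS = len(GENERATIONS)


def disk_for_day(day):
    """Disk number (1-3) to use for the backup made on `day`."""
    return (day - 1) % DISKS + 1


def roles_after(day):
    """Which generation each disk holds once the backup on `day` is done."""
    roles = {}
    for age in range(min(day, DISKS)):          # 0 = tonight, 1 = last night
        roles[disk_for_day(day - age)] = GENERATIONS[age]
    return roles


def newest_clean_backup(corrupted_on, noticed_on):
    """Find the most recent backup that still holds a good copy of a file.

    The file is damaged during day `corrupted_on` (so that evening's backup
    already contains the damaged version) and the damage is noticed on the
    morning of `noticed_on`. Returns (disk, generation, day of backup), or
    None if all three generations were made after the damage occurred.
    """
    last_backup_day = noticed_on - 1
    for age in range(min(last_backup_day, DISKS)):
        day = last_backup_day - age
        if day < corrupted_on:
            return disk_for_day(day), GENERATIONS[age], day
    return None


if __name__ == "__main__":
    for day in range(1, 5):
        print("day", day, "-> disk", disk_for_day(day), roles_after(day))
    # Damaged on day 5, noticed on day 7: only the grandfather is clean.
    print(newest_clean_backup(5, 7))
    # Damaged on day 3, noticed on day 7: the daily cycle no longer helps.
    print(newest_clean_backup(3, 7))
```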
Passwords
Passwords are one of the most fundamental items of computer security. Their
advantages are that they are cheap (free!), easy to use, acceptable to
users and better than no security at all. Their downsides are that they
can be forgotten and guessed. When you use passwords be aware that there
are many over-used words, which can be guessed and which you should avoid.
For example, do not use anything obvious such as: the same word as your
user-ID, your own name or initials, your partner's, child's or pet's name,
date of birth, place of birth, favourite football team, colour or car,
your car registration, your postcode or anything else people would obviously
associate with you - or any of the above with the number '1' after it.
The following words are also often used and should be avoided: 'password',
'love', 'sex', 'admin', 'supervisor', 'master', 'qwerty', 'computer'. And
there are more. If you want to use a secure password, how about using a
'pass-phrase'? For example, 'ilikecakes', 'isupportchelsea', 'mydogisbrown'.
Easy to remember and almost unguessable.
In Microsoft Windows, passwords can be used when you first turn on your computer
and on Windows' screen savers (good security for when you leave your computer
alone over lunch or during a meeting). In applications, passwords can be used
to protect databases, word processing documents and spreadsheets. On a database,
you should not let everyone use the 'master' password - set up the passwords
so that people only have access to what they actually need. On networks such
as Windows NT and Novell you can set up very sophisticated password protection
and other security access control so that not only do people have passwords
but if they should not have access to a particular application or part of the
system, then the network will not even let them near that area so they can't
even try to guess the password. Also, on networks, there is a type of account
known as a 'Guest' account, which is meant to be used by an occasional user
on a temporary basis. If you have to allow such an account then don't leave
it without a password. For high-level security, you could always follow the
banks' 'four eye' principle, where one person knows only half of a password
and a second person the other half. And, please, please don't tell anyone your
password 'so they can use your account while you are on holiday.'
Viruses
What is a virus?
There can be few PC users who have not heard of viruses although there may be
those who are unsure as to exactly what they are or how they might unfortunately
'catch' one. A virus is actually a computer program, a self-replicating piece
of code that, once it attaches itself to an executable file (a program or application)
or boot sector of a disk, spreads itself rapidly throughout the rest of the system.
It will then perform some pre-programmed activity at a specified time. A benign
virus may just display a harmless message (e.g. "Your PC is stoned") or appear
to corrupt the display without actually doing any real harm (e.g. All the letters
on the screen will "fall" to the foot of the VDU). The more dangerous viruses,
however, may corrupt or destroy your data or even damage whole hard disks. However,
a virus must be activated by the actual running of an infected file, or by booting
from an infected disk - it does not just 'happen' because it is present on a disk.
How do viruses spread?
In essence, computer viruses spread just like a human virus. Once an infected
disk is placed in a floppy drive and the infected file is executed and/or
copied to the hard disk, then the virus will activate itself, load itself
into the PC's memory and then proceed to attach itself to every program
that is run thereafter on that PC (including the PC's 'start up file',
Command.Com). Any infected files, which are copied onto another floppy
disk and passed on to other users, lead to further 'epidemics'. Hence,
a virus spreads from file to file, disk to disk and PC to PC. Just like
a human virus spreads when a contagious person comes into contact with
someone else. And, just like a human virus, you may not know that you have
a virus in your system until it strikes! So how might you catch a virus?
You will not get one from shrink wrapped software and software houses
(although admittedly there have been one or two rare cases of this) and
generally a virus will spread in one of the following ways:
- Copied or pirated software (especially games)
- Downloaded files from the Internet or bulletin boards
- Attachments on E-mails
- 'Old disks' (i.e. those you have had lying around for some time where you
  don't know what's on it)
- Shareware.
Bear in mind that even if an attachment on e-mail contains a virus, it will not
activate until you open that attachment. You can open and read the e-mail safely.
So if you use an anti-virus package to check for viruses before you open the attachment,
you will significantly reduce the risk of catching one that way. With shareware,
you will have a far lower risk of any problems if you purchase the shareware from
a mail order company, reputable internet site or known source rather than getting
it from friends. To be sure of not attracting a virus, always ensure that you
only use software from an accredited source; do not use a floppy disk when you
do not know its origin.
If you do get a virus
Then you can use anti-virus software to remove it. Such products are described
in the Products section below. But be warned, if you find you have got a virus
then it could already be on many other disks or PCs and clearing it up can be
a nightmare. However, the safest way of removing a virus is to delete any infected
files and re-install them from your master disks. Most anti-virus packages will
also have a 'memory resident' program, which sits in your PC's memory (RAM) and
detects a virus entering your system before it has a chance to do any damage.
The problem with viruses is that new viruses are forever appearing on the market.
Virus writers are getting increasingly advanced and new viruses are appearing
every day. Many anti-virus suppliers provide regular 'updates' to ensure that
their software can detect any new viruses that have recently been released.
E-mail and the Internet
E-mail is now used more than ever before and will only increase even more rapidly in
the coming years. It is also used for more and more reasons and it is no longer
taboo to include very sensitive information in e-mails. But for some reason, many
PCs and laptops are set up so that when someone opens their e-mail program on
their computer, they do not have to enter a password. Especially when they work
off-line. It is an incongruous situation. Most e-mail programs should give an
option to enforce a password - use it. E-mail attachments are also susceptible
to viruses as detailed in the above section. From an Internet viewpoint, there
are two aspects of security worth mentioning here: access to your network and
'site-blockers'. To prevent unauthorised access to your network from people outside
your office you can use a firewall: a sophisticated piece of software and/or hardware.
But firewalls also need to be considered carefully with the rest of your network
set-up and you should consult an expert on this. Site-blockers are software packages,
which prevent users in your organisation from accessing 'unwanted' sites, most
commonly pornographic sites, but also sites such as those broadcasting radio,
or video, which could slow down your network performance. They can even be programmed
to look for users typing in 'unwanted' words. Clever stuff.
Laptops
Laptops deserve their own, short section because of the increased risk with them,
and their increased usage. Obviously, it is far easier to steal a laptop than
a PC and so you should be more careful what you store on your laptop. Use passwords
on any sensitive data (as this will encrypt those files). You can also buy devices
to bolt down laptops (see the Product section below). And many new laptops come
with an optional 'boot-up' password, or series of such passwords. This means
that whenever anyone turns on the computer they must enter a password almost immediately
and way before Windows starts to load. (If you do use such a password, make sure
you know what to do if you forget it!) You might even want to consider buying
a laptop with a removable hard disk; many are sold like that today. That means
you can easily take out the hard disk when you are not using it and keep it, say,
in your briefcase. But if you do this, consult the laptop's seller/manufacturer
as to the best way of storing the hard disk when it is not in the laptop as it
may be that you need to protect 'exposed' parts of the hard disk.
A quick word on encryption
Data encryption can be used on files, floppy disks or whole hard disks,
so that if anyone tries to get around your passwords by using special software
tools, then they will only see random characters. It can also be used on networks
and it is also used on the Internet, for example when you transmit your credit
card details over the net. This is to stop anyone who might try to intercept such
messages from seeing your credit card details. It is an extremely powerful method
of data security but needs careful implementation into any security policy.
Security products
So what software and hardware products are available to help you with PC
and network security?
The following are covered here:
- Anti-virus software
- Access control software
- Hardware locks, cables and alarms
Actual products are listed on the "IT For Charities" web site.
Anti-virus software
This will do two things: load into your PC's memory and watch out for viruses
every time you run a program or copy to/from a floppy disk; and 'scan' floppy
and hard disks for viruses on your command. They can then also remove some viruses
('clean' the files) if any infected files are found.
Access control software
This can do a whole multitude of things, depending on each package. Examples are:
extra (and often 'transparent') password protection on any file, device control
(on your printer, common ports, and on your floppy drive), boot protection (to
stop the booting of a PC from a floppy drive), keyboard locks, true erasure of
any file so that the data cannot be recovered if the file is undeleted, data encryption,
and more.
Hardware locks, cables and alarms
You can buy different locks and cables
to bolt down PCs to desks, fix laptops to tables and chairs and so on, physically
block off floppy drives, and cause an alarm to go off if a laptop is picked up
or moved.
An introduction to Risk Assessment
If you own a car then it is likely that you lock it when you leave it.
If you are more concerned about its security then you might put on a steering
wheel or hand-brake lock, or an alarm. And if you are highly concerned
then you might put a big Doberman dog on the back seat! This is called
risk assessment. All the above precautions on your car would be unlikely
to prevent a truly determined thief with the right tools and enough time.
But we know that the different levels will discourage most people and that
is what is important. It is the same with computer security, except that
you can expect to achieve far higher security on your data, than you would
with the above car example. But risk assessment is what you must do, depending
upon the sensitivity of your data, the open-ness of your equipment, physical
access to your offices, whether you have outside links to other computers
from your network and so on. You need to work out the risks and
how much it is worth to you to pay for equipment to achieve an acceptable
level of risk.

Copyright of Alba Fundraising Ltd or the individuals or companies who contribute to this website. This material may be copied and distributed freely on the understanding that no profit is made from doing so.