This post recaps a webinar presentation by Enzo Logozzo and Eric Neufeld from 365 iT Solutions, an IT consulting firm that works closely with nonprofits. 365 iT Solutions offers discounted rates and some donated services for TechSoup Canada members. Watch the full webinar here.
Technology projects are a big undertaking for nonprofits, especially when budgeting is tight. However, any organization can perform a tech self-assessment with the guidance in this post, and better understand the shortcomings of their networks and their future technology needs.
Do-It-Yourself: A Nonprofit Network Assessment
A network assessment provides a ‘snapshot’ of your nonprofit’s entire network and helps you create IT strategies by identifying your pain points (areas where your tech is hindering productivity). Enzo and Eric guide us through a network assessment in 8 steps.
Step 1: Assess your Entire Organization
Your nonprofit’s organizational structure is the foundation of your network assessment, and can be broken down into five key areas. It’s important your entire management team (or your entire team, if you’re a small nonprofit) is consulted to get this part right.
How many users (workers with a computer workstation) does your nonprofit have? Do you have a computer for each worker, or do you rotate computer time (which can save money)? Get a clear picture of how many workstations you need to maximize access.
Does your nonprofit have multiple offices? Are they connected through a VPN, or an internal server?
365 iT Solutions recommends 5-year plans, as they allow for scalability. For example, if your nonprofit plans to double its workforce within the next five years, your server needs to be able to support your growth.
Is your nonprofit using the cloud? If not, how can you leverage it? An easy place to start is to find out whether current applications you use have a cloud option. For example, decide whether you need the desktop version of Quickbooks (which takes up server resources) or whether it makes sense to use the cloud version.
A pain point is an area where your tech is causing inefficiency and frustration, and is something your nonprofit needs to improve on. The best way to identify them is to connect with management, who hear from front line staff (or your entire team, if you’re a small nonprofit), in order to gain organizational expertise. You can even launch a staff survey to better understand their IT experiences. Programs like Survey Monkey and Google Forms have free plans with basic features that may suit your needs.
“You would be surprised with a quick survey to your employees, how many issues they actually face on a daily basis, and how many work-arounds they’ve figured out on their own, including things they shouldn’t be doing,” Enzo said.
“It’s your employees [and volunteers] that keep the lights on and move your organization forward, and they are what the assessment is really based on. You have to open up and hear what’s going on.”
Step 2: Assess your Network Assets
Nonprofits must find vulnerabilities in their network, including security threats like viruses, malware and hacking attempts. The consequences can be severe: security breaches, downtime in your servers, and public exposure in the news if personal data is lost.
Firewalls and Routers
Your organization must ensure firewalls and routers are under warranty and that you have a plan to regularly update firmware (updates strengthen security).
You should also consider web content filtering to improve employee productivity, protect against lawsuits (by restricting employee access to sensitive data) and help enforce your Acceptable Use Policy, which will be addressed later on.
Your firewall and routers should also run a gateway anti-virus feature, which provides a second layer of defense by stopping threats at the edge of your network, rather than inside. Similarly, an intrusion detection feature prevents hacking attempts.
When servers are ‘spun-up’, they create open ports in your firewall that remain there even when they’re decommissioned. This may create a backdoor to your network that hackers can exploit. You should always have a business justification for keeping these ports open.
Nonprofits should upgrade to a gigabit switch; this significantly increases speed. Make sure you’re getting updates, and have warranties for all switches.
Perform a wireless site survey to identify WiFi hotspots and deadspots and determine whether your coverage is adequate. You should use WPA2 encryption, which gives the best speed and security.
Also consider how visitors are using your wireless. Do they have access internally? Having a Guest network is ideal, as it prevents access to internal networks and allows for a separate Acceptable Use Policy for that network.
Step 3: Assess your Server
Your server stores all of your data and it should therefore be accessible at all times - 24 hours a day, 365 days a year. It’s the heart of your organization and it’s always working.
Have a valid warranty with the manufacturer. This is especially important with your server, because if individual components die, you’ll have to fetch replacement parts in the aftermarket. Have at least a 4-hour warranty, or ideally a full business-day warranty. This will also facilitate a quick replacement and minimize your server’s downtime if an emergency occurs.
Operating Systems (OS)
Windows Server 2003 reached its end of life in Jan 2015, meaning it doesn’t receive new security updates. Server 2008 will reach its end of life in 2020, but has already stopped receiving performance enhancements. If you're using Windows Server 2008, you should ideally migrate to 2012 or even 2016.
Your nonprofit should be aware of what network services are running. For example, you may have Microsoft Exchange for email or SQL Server to manage your databases. Whatever it may be, identify what you are running, so you can decide if any server functions can be consolidated or retired.
How are security updates (aka patches) being installed? If you’re doing it manually, consider using WSUS, which is a service that gives central control to push out updates to your computer workstations.
Check your RAM and CPU cycles, and your disk space. If you notice something is approaching capacity, deal with it - running computers at high rates decreases the life of equipment and slows down your network.
You should always have at least 20% of your disk space free.
It’s important to back your data up in the cloud, in addition to local backups like a hard drive. It’s another layer of protection for your data in the case of an IT disaster. Decide at what increment your nonprofit will back up its data.
If you use a third party to store data off-site to ensure the data is on Canadian soil, or for other reasons, make sure the company is reputable, fully insured, and ISO-certified. As well, make sure it’s clear and in writing who owns the data and where your data is going! This will protect your nonprofit legally.
Microsoft is building data centres in Canada, and has already opened two.
Step 4: Assess your Workstations
Computer workstations are the frontline of your nonprofit - they keep us productive, but are also a source of security risk and downtime.
Windows XP reached end of life in April 2014, and Vista will do so too in April 2017. You should have Windows 7* at the very least.
*If you’re a TechSoup Canada member and have a Windows 7 or 8 license, get a free upgrade to certain editions of Windows 10 directly from Microsoft until July 29, 2016.
Endpoint security is any antivirus or firewall that runs on workstations. These should be centrally managed so that you can ensure they’re updated and virus-free from one location.
Also password-protect the settings of antivirus clients - users shouldn't have that control.
Local admin access
Users shouldn’t have local admin access - only a select few trusted or senior employees should.
Enzo and Eric found some organizations have added domain users to their local administrators group, so users can jump around to different machines and use them as if they were their own. This is a huge security risk, and creates conditions for a virus to rapidly spread through your network.
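One way to check a workstation for the situation described above, as an added example that is not from the webinar: it flags broad groups (such as Domain Users) found in the local Administrators group. The function names Test-BroadPrincipal and Get-BroadLocalAdmin are hypothetical, and the sample SIDs are constructed.

```powershell
# Added example: flag broad groups that are members of local Administrators.
# Well-known SIDs: S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users,
# S-1-5-32-545 = BUILTIN\Users. A domain SID ending in -513 is Domain Users.
function Test-BroadPrincipal {
    param([Parameter(Mandatory)][string]$Sid)
    $wellKnown = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    return ($wellKnown -contains $Sid) -or
           ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$')
}

function Get-BroadLocalAdmin {
    # S-1-5-32-544 is the built-in Administrators group; using the SID
    # instead of the name also works on non-English Windows installs.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { Test-BroadPrincipal -Sid $_.SID.Value } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass,
                      @{ n = 'SID'; e = { $_.SID.Value } }
}

# Constructed sample SIDs (not from a real domain) to show the classification.
$sample = @(
    'S-1-5-21-1111111111-2222222222-3333333333-513',  # Domain Users   -> broad
    'S-1-5-21-1111111111-2222222222-3333333333-512',  # Domain Admins  -> not broad
    'S-1-5-21-1111111111-2222222222-3333333333-1104'  # single account -> not broad
)
foreach ($sid in $sample) {
    '{0}  broad={1}' -f $sid, (Test-BroadPrincipal -Sid $sid)
}

# On a Windows workstation, list any broad principals actually present.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    Get-BroadLocalAdmin
}
```

An empty result from Get-BroadLocalAdmin means none of these broad groups has local admin rights on that machine; individual accounts in the group still need a manual review.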
Step 5: Assess your Line-of-Business Software (LOB)
Most nonprofits use LOB software to run business operations or manage donors. A support contract is needed, because LOB software is usually niche and you need experience from the company to help you troubleshoot and to get updates. Often, this service isn’t available without support contracts!
You need to consider your LOB software’s compatibility. Often, these smaller companies can’t keep up with Microsoft updates. So before you upgrade, make sure it’s compatible with updates from other aspects of your computer - including your server and OS.
Reliability and Accessibility
LOB software is a perfect avenue to move your business to the cloud, which can improve reliability and accessibility. If you do use cloud-based LOB software, make sure you retain control of your information - this is especially important if the company goes out of business!
For example, Iron Mountain has their Technology Escrow Service, where they hold your data, and have an insurance policy to save your data and code in case they do go out of business. This way, you don’t lose the investment you made into your LOB software.
Step 6: Assess your Policies and Procedures
Acceptable Use Policy (AUP)
AUPs outline exactly what is and is not an acceptable use of your network, and what the consequences are for breaching the policy. Put it in your employee and volunteer handbooks; it will give you ground to stand on if conflict does arise.
Speak to an IT consultant or HR professional to develop an AUP.
Computer & email monitoring policy
This policy states that management may monitor emails and/or computer use, and that computers and emails are owned by your organization. This protects your nonprofit in case of conflict. Most organizations don’t even use this unless there’s a specific reason!
Bring Your Own Device (BYOD)
BYOD policies protect your nonprofit’s data when it’s being accessed from a device you don’t own and/or control. Smartphones can move lots of data around, and BYOD policies provide the ground to remove your data from those devices.
If you face resistance from employees or volunteers, there are ways to remotely wipe data off phones or computers, or to isolate your nonprofit’s data and then change access passwords for that data.
Step 7: Choose the right IT Consultant
It can’t be stressed enough: do not under any circumstances rush tech projects. When shopping for IT companies, you’ll find they’re only two of these three things: Good, Fast and Cheap.
Have clear objectives, budget lines, and timelines on delivery. Often IT consultants are working on other projects, so you need them to understand your expectations.
Write an RFP (request for proposal) that lays out the terms of engagement, objectives, timelines, and budget. Include anyone at your nonprofit who has experience in this. Having an RFP will eliminate a lot of IT companies who may not be willing to be tied down to such details (some people think differently).
Find IT consultants with industry experience who understand Canadian privacy laws. Nonprofits hold a lot of personal information, and if it leaks it can be a PR nightmare, so it’s risky dealing with IT consultants who don’t have these qualities.
Evaluate the IT consultant's response to your RFP; are your goals addressed? Everything should be planned, documented and totally black and white - in fact, if they are engaged, they will point out the grey areas to you! Make sure they guarantee the proposal; reputable companies have guarantees they won’t overcharge.
Step 8: Do your Due Diligence
When dealing with IT consultants, take your time, check references, and ask questions. Do not make decisions to try and hit a deadline, as this will almost always backfire.
Be sure to involve your Board of Directors as well - they are experienced professionals and have a wealth of knowledge and skills to contribute to tech plans.
Good luck on your next tech project!