They called it the “Spanish influenza,” and in the waning days of WWI it marched in step with the returning troops across Europe, Africa, the Middle East, Asia and the Americas. In a mere 120 days the flu swept the globe, claimed 22-million lives and became one of the worst epidemics in history. Years later, in March 1999, a different kind of virus, called “Melissa,” would use America On Line to sprint across the Internet. Within days an estimated 100-thousand computers were infected, forcing at least 300 major corporations–including Microsoft, IBM and the U.S. Marines–to shut their e-mail systems down.
Sometimes offering a bit humor, perhaps a promise of intimacy and, as often as not, accompanied by bogus references from a friend or colleague, they arrive unbidden to annoy, disrupt or destroy. Computer viruses exploit our curiosity, desires and vulnerabilities. And, since an attacker’s aim is disrupting business-as-usual, merely crying, “wolf” can be devastating. 

To understand your risk as a nonprofit, simply examine your exposure. According to a study completed last year by Gifts In Kind, nine in ten nonprofits have Internet access and external e-mail capability; almost three-quarters are networked; and most are either maintaining or constructing a Website (77%). Moreover, while more nonprofits (49%) are adopting formal technology policies, barely a third have a long-term technology plan (32%), an onsite tech-support person (28%), or budget for ongoing technology training (35%). As a sector, our technological reach may be exceeding our organizational grasp–a precarious position.

What can you do? For the no-nonsense nonprofit executive, the most critical risk-management concerns are prevention, recovery and reliable advice.

Like its biological namesake, a computer virus is a tiny bit of code that enters its host carried by some other program or document. Once “opened,” the virus self-replicates by editing (infecting) the code of other programs or documents. And just as the flu virus disturbs body temperature, heart rate and respiration, computer viruses will often trigger some physical phenomenon–from printing a silly on-screen message to altering the basic functions of an application to erasing chunks of your hard drive. Biological viruses are opportunistic, attacking weaknesses in the body’s immune system; computer viruses are engineered to exploit flaws in the security jacket of selected programs and, once inside, reproduce, proliferate and wreak havoc.

Computer viruses first appeared in the early 1980s, coincident with the spread of personal computers and the popularity of computer bulletin boards. These early viruses were categorized as “executable,” “Trojan Horses” or “boot-sector,” referring to the methods of transmission–by either downloading or through a contaminated floppy disk. Today, e-mail viruses, the most notorious being “Melissa” and “ILOVEYOU,” represent a new generation of malicious code. 

“Melissa” masqueraded as a confidential e-mail attachment from a friend or colleague which, when opened, immediately forwarded itself to the first 50 entries in the victim’s own address book. A friendly note in the victim’s name snares the next hapless recipient–and so on. This virus inflicted an estimated $80-million in damage and lost productivity during its brief rampage.

As if viruses weren’t bad enough, there’s also something called a “worm.” Worms attack entire computer networks, infesting e-mail systems station-by-station, overwriting legitimate system files, and using up computer time and bandwidth as they replicate. Worms often carry a “payload” intended to trigger some kind of disastrous malfunction. “ILOVEYOU” was a worm embedded in a harmless looking e-mail message originating in the Philippines in May 2000. The love bug became a global epidemic in less than six months–fifteen times faster than Melissa. “Code Red,” a particularly nasty bug appearing in July 2001, replicated itself over 250-thousand times in roughly nine hours. And “Klez,” a wily and resilient e-mail worm, is designed to disable virus detection programs once executed.

A recent spate of “celebrity viruses” successfully duped the unwary with promises of free screensavers (the Budweiser frogs) or pinups of Britney Spears, Jennifer Lopez and other pop idols. After forwarding itself to everyone in the victim’s address book, the “Shakira worm” displayed an on-screen message brazenly announcing itself.

You’re checking your morning e-mail when a dialogue box pops into view: “Scan type: Realtime Protection; Event: virus found; Virus name: W32.Klez@mm; Action taken: Clean failed: Leave alone succeeded: Access denied…” In other words, you’ve just gotten e-mail with an infected attachment, but your recently updated anti-virus software has flagged and quarantined this particular bug, rendering it harmless.

In this case, the tainted e-mail poses as a friendly, if somewhat overheated, warning on the destructive potential of the “Klez” worm. It also offers a free “immunity tool” and advises that you ignore any “false” virus warnings when opening the attachment. Uh-huh. 

Executing any unsolicited “tool” is like wagering your computer in a game of Three Card Monte–you can’t possibly win. Industry experts caution that 8-12 new virus strains surface on the Internet every day–and just when you thought it was safe to trek the Information Superhighway again.    

“The first line of defense is still your own commonsense,” confirms Wayne, a nonprofit technology manager introduced on these pages in our last issue (Summer 2002). Simple measures, like not opening unsolicited mail with attachments, or verifying the authenticity of an unexpected document with the alleged sender are obvious precautions. Beyond that, he strongly suggests investing in updated virus software, periodic training for staff, and someone paid to enforce organization-wide anti-virus protocols.

Wayne has noticed an increase in e-mail viruses probing for gaps in his network’s security. In addition to the sheer volume Internet traffic generated by 32-networked computer stations, this mid-sized nonprofit maintains a Website and publishes a monthly e-newsletter (circulation upwards of 12000)–a fair amount of exposure. His records suggested that virus incidents were spiking within days of sending each e-newsletter; Internet presence and patterns of use (e.g., subscribing to listservs, newsgroups, etc.) are factors in estimating your organization’s vulnerability.

If your organization has more than ten computers, odds are they’re networked to share files, printers and other peripherals. Insisting that the most sophisticated virus protection software is only as effective as its last update, Wayne installed network protection software at the server, rather than relying on the memories of individual network users.

Finally, the impulse to backup critical data as soon as a problem is detected is understandable but may be self-defeating if it results in saving the virus as well. TechSoup, an on-line tech-support journal, cautions users to avoid temptation–perform an initial virus scan immediately, update your virus definition files and run a second scan before saving important files.    

Given the extensive media exposure, the challenge for creators of today’s computer bugs is how to snare the wary; the challenge for intended victims remains how to minimize losses.

“Viruses are one of the many reasons you should have a comprehensive data backup plan,” asserts TechSoup. Indeed, with data on programs, funders and payroll at stake, red flags pop up with the mere suspicion of a virus threat to our database. Yet, a recent study of “Computer Security Practices in Nonprofit Organizations” conducted by NetAction, a San Francisco-based nonprofit promoting Internet advocacy, found that roughly half (56%) of all respondents backed up data on a daily basis, but only 36 percent had a plan for recovering data lost as a result of some catastrophe.

Wayne’s organization performs a daily, incremental backup of changed files; a weekly backup of all shared files; and a monthly backup of the entire system, archived off-site.

In the event you do contract a particularly damaging virus, and suffer a meltdown, there are services specializing in data-recovery. These services can perform miracles, but will bill anywhere from several hundred to several thousand dollars–so check out their reputation and billing policies, opting for one with a “no data, no charge” provision. You should also factor in the costs of your downtime and the possibility of having to recreate damaged files from scratch. Clearly the dreary routine of backing up critical files on a regular basis is preferable.

At Hoaxbusters, a Website maintained by the U.S. Department of Energy, the flood of hoaxes, chain letters and “Spam” (unsolicited advertising) saturating the Internet is taken very seriously. In fact, the agency admits that it now spends more time debunking hoaxes than handling real viruses. Although easy to dismiss as a minor annoyance, hoaxes and chain letters exact a price measure in accumulated minutes of production lost to opening, reading and deleting one. And since the idea of these messages is convincing you to forward them to everyone you know…   

Hoaxes usually warn of some new virus strain sweeping the globe, devouring hard drives and breaking hearts. Using language bordering on melodramatic, a hoax may add a sprinkle of technical-sounding jargon, or make other claims to convince you of its validity and sincerity. Its primary objective is to enlist your unwitting aid in its dissemination. Hoaxes can also be malicious attempts to cause user-inflicted damage–like removing necessary operating files to no good purpose. Hoaxbusters recommends that you never forward an unconfirmed warning to others, and that you either delete or have its claims validated.

Likewise, people claiming knowledge in areas for which they have limited or no experience will waste your time and may cause real damage when their advice is taken seriously. Vmyths, an on-line newsletter dedicated to exposing computer virus misinformation and hoaxes, adopts a similar stance toward “claims of false authority.” Naming names, they caution against accepting virus advise from your computer store’s sales manager, the technology instructor at your local community college, or anyone else whose technical training and experience doesn’t explicitly qualify them as an authority. 
Like the Old Folks say, “It ain’t what you don’t know that hurts you, it’s what you do know that ain’t so.”

In 1918, the Spanish flu arrived in Philadelphia by troopship in September, claimed 12,191 lives, caused major disruption to essential public services, and left a business sector crippled by lost revenue in the millions–all within the brief span of four weeks. The “Spanish Lady” had caught most public health officials unawares, seriously straining the medical knowledge and practices of the period.

Traveling at the speed of light, modern computer viruses may be getting more sophisticated, but translating simple precautions into formal policies governing virus protection and data management will go a long way toward inoculating your organization against the risk of catastrophic loss.

Marshall Brain, (1998-2002). “How Computer Viruses Work,” www.howstuffworks.com/virus.htm
For technology advise, references to other resources and discounts on software, see www.techsoup.org/.DiscounTech/
For anti-virus software, software updates and information on hoaxes see: www.symantec.com, www.sophos.com and www.mcafee.com
For information on computer security, see Computer Emergency Response (CERT) Team, Carnegie-Melon University, at www.cert.org
Vmyths.com, an on-line newsletter dedicated to exposing computer virus misinformation and hoaxes at www.vmyths.com
Hoaxbusters, on-line service of the Computer Incident Advisory Capability, U.S. Department of Energy, at www.ciac.org/ciac/
Audrie Krause (2002). “Computer Security Practices in Nonprofit Organizations,” NetAction, www.netaction.org/security/