It can be hard enough to trust your own staff with computer equipment, let alone the general public. Yet for some nonprofits and libraries, any computer is a shared computer, with staff using equipment by day to work and constituents using it in the evenings for training, educational, or even recreational purposes.
While wanting to share your resources with community members is admirable, there are certain risks associated with opening up your staff computers to the public that you should be aware of.
Below, we'll identify some of the hazards associated with sharing computers, and offer tips for avoiding or mitigating these threats.
What Can Go Wrong
Inexperienced computer users often mean well, but may not understand what they're doing. While working on your equipment, users could delete, save over, or move important files and folders without even realizing it, costing your nonprofit days — or weeks — of recovery time, not to mention lost productivity and repair fees. And if users have access to the Internet and spend time downloading music or checking email, these activities could put your organization at risk for a variety of threats, including:
- Viruses. Users may inadvertently download a virus, which could delete or duplicate files, take up hard-drive space and even crash your server. Or, the virus could replicate itself by sending an infected email message to your contacts.
- Adware. Users may download a program that creates pop-up ads, slowing productivity and causing frustration for staff and public users alike.
- Spyware. Users may accidentally install a program that tracks keystrokes, potentially divulging sensitive data such as passwords and credit-card information.
In general, it's advisable to keep your work computers separate from your public computers if you can. After all, a computer missing key files or afflicted with a virus is of no use to anyone, staff or patron. Below are a few safer alternatives to sharing computers with the public.
- Designate one non-staff computer. If your organization has the space and the funds, you may consider setting up at least one computer for non-staff. This computer should have limited or no access to your server, or, if you have a peer-to-peer network, to other staff computers. Preferably, there will be a firewall between this computer and the rest of your network; this way, in the event of a security breach, your network and staff computers will not be at risk.
- Accept donated equipment. While designating one computer for non-staff is ideal, in many cases the reason that nonprofits are sharing computers with the public in the first place is that they can't afford additional computers. While your resources may be limited, however, your options are not. You may, for example, consider accepting donated computers (carefully!), or purchasing a refurbished computer, which is usually much less expensive than a brand-new machine. (When choosing refurbished, always go with an authorized distributor. Learn more about computer refurbishing on TechSoup's Recycled Computer Initiative (RCI) Program page. Find quality refurbishers in your area on TechSoup's Community Microsoft Authorized Refurbishers listings.)
- Send your users elsewhere. If you can't provide separate computers for your users, you may be able to direct them to publicly available computers in the area. By providing a list of local computer labs, perhaps at nearby libraries, churches, community centers, or schools, you'll help users access technology resources without jeopardizing your own infrastructure.
Proceeding with Caution
If there isn't room in your budget for a new or refurbished computer, donations are hard to come by, and you are determined to share your nonprofit's computers with non-staff despite the risks, there are a few steps you can take to educate your users and protect your equipment.
1. Provide users with an acceptable-use policy. An acceptable-use policy is essentially a code of conduct for users, detailing the features and tools available to them and how this equipment should be used. Acceptable-use policies may include the following guidelines:
- Online decorum, including appropriate language.
- Illegal activities to avoid.
- How to ensure that one user's activities do not disrupt any others on the system. (For example, downloading music files or video may slow down the network, making it difficult for others to work online.)
- How to avoid revealing personal information that could cause identity theft.
Many acceptable-use policies will also outline consequences of violating the policy, such as withdrawing access privileges; notifying appropriate authorities in the case of illegal activity; or reimbursing the organization for damaged or vandalized equipment.
Keep in mind that you don't need to write an original policy from scratch. The SANS Institute has posted its acceptable-use policy online (PDF), which you are free to use and modify.
2. Create separate user profiles. Each staff member should have his or her own user profile, which defines which folders on a shared machine or server he or she can access, and what activities are allowed per those guidelines.
A similar system should be in place for non-staff, limiting these users to one or more specific folders where they may save files (depending on the project) or restricting their access to the server. You may also want to configure this profile to limit users' ability to make changes to the computer's settings and programs. Microsoft SteadyState is a free program for Windows XP that can help you manage user privileges; Web Junction's article Introduction to Windows SteadyState offers some good information to help you get started.
3. Use a content filter. There are many programs on the market that allow you to control which Web sites a computer browser can access. These content filters allow you to block access to sites with inappropriate content or to sites that could expose your computers to spyware and adware, such as gambling, pornography, or gaming sites.
You may also consider blocking access to file-sharing programs such as the popular LimeWire, as downloading music will affect the speed of your network and raises liability issues for your organization if the music is being downloaded illegally. For a comparison of content-filtering tools, see this filtering technology comparison chart from Libraryfiltering.org.
4. Ensure that your antivirus program is updated. If all else fails, your antivirus program may be your only line of defense. Make sure that any computer connected to the Internet has an antivirus program installed and that it is always updated. New viruses are constantly being created; antivirus updates ensure you are protected and up-to-date. See TechSoup's Virus-Prevention Toolkit for resources for protecting your nonprofit's computers. Symantec Norton 360 and AntiVirus 2007 are available to qualifying nonprofits for an administrative fee on TechSoup Stock. For free basic protection, you can also try AVG from Grisoft.
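For step 2 above (separate user profiles), one way to set up a restricted non-staff login on a current Windows machine. This is an added example, not part of the original article; it assumes Windows 10/11 with the built-in LocalAccounts module and an elevated PowerShell session, and the account name and folder paths are hypothetical.

```powershell
# Added example. Assumes Windows 10/11, the built-in LocalAccounts module,
# and an elevated PowerShell session. All names and paths are hypothetical.
$PublicUser = 'PublicGuest'      # shared login for non-staff
$PublicDir  = 'C:\PublicWork'    # the one folder non-staff may save into
$StaffDir   = 'C:\StaffData'     # staff-only data on this machine

# Well-known SIDs avoid problems with localized group names.
$AdminsSid = 'S-1-5-32-544'      # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'      # BUILTIN\Users

# 1. Create the account as a standard user if it does not exist yet.
if (-not (Get-LocalUser -Name $PublicUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $PublicUser"
    New-LocalUser -Name $PublicUser -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Shared non-staff login' | Out-Null
    Add-LocalGroupMember -SID $UsersSid -Member $PublicUser
}

# 2. Give the account one writable folder and block the staff folder.
New-Item -ItemType Directory -Path $PublicDir -Force | Out-Null
icacls $PublicDir /grant "${PublicUser}:(OI)(CI)M" | Out-Null
if (Test-Path $StaffDir) {
    # Deny entries are evaluated before allow entries, so this overrides the
    # access the account would otherwise get through BUILTIN\Users.
    icacls $StaffDir /deny "${PublicUser}:(OI)(CI)F" | Out-Null
}

# 3. Verify: the shared account must not be an administrator.
$userSid   = (Get-LocalUser -Name $PublicUser).SID.Value
$adminSids = (Get-LocalGroupMember -SID $AdminsSid).SID.Value
if ($adminSids -contains $userSid) {
    Write-Warning "$PublicUser is in Administrators; removing it."
    Remove-LocalGroupMember -SID $AdminsSid -Member $PublicUser
} else {
    Write-Output "$PublicUser is a standard user."
}
```

Re-running the script is safe: the account is only created once, and the final check can be used on its own as a periodic audit.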
Additional Information and Support
Managing computers that are open to the public requires different support than maintaining staff computers. For more information about managing public computers, see TechSoup's Nonprofits with Public Computers Toolkit.