Dear Bob …

I’m the first line of defense when it comes to information technology here, here being a 30-person non-profit. I know you normally advise companies a hundred times our size or bigger, but I’m still hoping you can help me out.

What I’m looking for are … I know, not best practices, I’ve been paying attention … but some tested, reliable practices I can put into place here to keep the joint running, to coin a phrase.

Any suggestions?

– Stretched thin

Stretch …

Not a comprehensive list by any means. These should get you started:

• Anti-virus/anti-malware: Choose one. Not a free one either. Install on every machine. Uninstalling to improve performance is a firing offense, because really, no business needs employees that stupid.
• License management: In my admittedly limited experience, employees in small offices tend to be more cavalier about license legitimacy than those in large enterprises, those who work in non-profits even more so.

Impress on everyone that being smaller, or an organization that does good works won’t help a bit if there’s an audit. And besides, for many software categories non-profits qualify for very large discounts, so if someone needs a piece of software there’s rarely even a financial case for using an illegitimate copy of something.

• Password reset: Set passwords to expire after no more than 60 days. Passwords should cover the basics — at least 8 characters long with at least two alphas and two numeric.

Yes, everyone will complain. Empathize, but hold your ground.

And while you’re talking to everyone about passwords, you might as well suggest they have a few different ones for different types of on-line life. The experts say they’re supposed to have a different password for every website they log into, but since that isn’t going to happen, having (for example) one for financial sites, a second for social media and a third for news will provide at least a layer of additional protection.

• Phishing attacks: Educate everyone to recognize these, and in particular to avoid clicking on links within emails if they aren’t certain of the source.

Phishing attacks are the single most common way passwords are stolen, so this is critical.

And don’t be shy. Most people like to learn a few things so they feel more sophisticated about a topic, so long as you don’t overdo it.

So show them how to find out what’s in a link, and how to spot a URL that looks legitimate but isn’t (example: www.yourbankname.phonyphisher.com/lotsanonsensetohidethings).

They’ll feel good about knowing a bit more, and you’ll be a bit safer.

• Installing free software: In a small office like yours I’m guessing you don’t lock down everyone’s system, and that’s okay. The best advice I have here is to caution everyone to be careful about what sites and software they download. Remind them to Google the name of any software they’re thinking of downloading — to do some research first to see if there are reports that a particular program isn’t safe.

In particular (and I’m carrying a grudge here), if a site offering free software tries to install a downloader first “to make installing software more convenient,” never (sorry, NEVER) trust that site. It’s easy to get fooled, by the way. I ended up with Mezaa a couple of months ago by missing that this was happening. It’s a nasty piece of malware I ended up with just by trying to upgrade a program I’d been using for some time.

Mezaa is what you might call flashmob software: When it comes in it immediately invites all of its friends to join it.

Don’t get me wrong. I’ve downloaded and used plenty of free software over the years that I’ve found immensely valuable and helpful. What you’re trying to do is to help everyone tell the difference between safe and unsafe free.

• Protecting sensitive information: If it’s sensitive and someone is copying it to a jump drive, they should encrypt/protect it first.

MS Office has this as a built-in option; everyone should learn how to use it. Or, most jump drives now come with on-board encryption — all you have to do is enable it.

One complicating factor is that some countries have made it illegal to bring encrypted files through customs. Travelers should check the rules.

• Last one: If a user becomes frustrated with their computer, it is not okay to throw it out the window. There might be an innocent pedestrian below — always check before hurling something heavy.

That’s what occurs to me. KJR subscribers … what did I miss?