The root cause of these disasters? Not some powerful computer virus or trojan, not some fire, flood or strange “act of God” ….but the loss of their domain name.

For the “total non-techies” of you, your domain name is the bit after the www in your website address and after the @ in your email address. It, and the records stored with it, are what enables the whole world to find your website or send emails right to your computer. Basically, in the modern age, without it your communications are pretty well sunk!

The exact causes of the domain name losses were varied, but most related in some way to the charity not having direct control of the domain – either because someone (no longer active within the charity) had registered the domain on their behalf or because the charity had not ensured that their own up to date contact details were recorded in the official domain registration details.

It’s important to add here that (other than in one case of spectacularly bad management by a major UK ISP) the domains weren’t actually “stolen”, they were just not renewed (or renewed correctly) – so they were released back for sale and someone else bought them.

Whatever the reason, the charities were suddenly without email and their website no longer worked. As well as the obvious effects this had on their productivity, outreach and income, new websites often appeared under the (former) charity website address – often advertising things the charity had no wish to be associated with, let alone inadvertently send their supporters to. So their reputations suffered badly as well.

Fortunately we managed to eventually get the domains back for each charity concerned. But it wasn’t generally a quick or easy process – and some retrievals took a lot of detective work far outside our normal IT remit and took weeks of investigations – during which time the charities concerned were without their normal email and website.

We were glad we could help, but sad that we had to do so.

If the domain ownership and contact details had been managed as we had advised, then the problem wouldn’t have occurred in the first place.

So a question to every charity CEO, manager, employee or supporter out there:

Are you sure who owns your domain and who is listed as its official contacts?

If you aren’t, then check ….TODAY.     And make any necessary changes before something goes wrong and YOUR charity’s entire digital world is lost overnight!

There is no doubt that many users (including me!) were put off upgrading from XP by the version that followed it – the “dreaded” Vista, which was fairly well hated by techies and “normal people” alike.  But there is no doubt that Microsoft did a huge amount to redeem their previous messes with the introduction of Windows 7 which contained many of the best features introduced by Vista but combined then into a far more practical operating system which coped far better with older machines and applications, was more user-friendly and basically just worked far better – in other words the best of XP combined with the best of Vista.

Though any major change such as the introduction of a new desktop operating system tends to be approached with caution, particularly by organisations like charities who often do not have the in-house technical resources to best support such changes, there is no doubt that it can’t be delayed forever.  Microsoft have already said that XP will not be supported after April 2014 (so no service packs or security patches) so it really is time to start at least planning when you will upgrade.

Though there is no getting away from the fact that there will be almost certainly  be some costs involved with the migration (technical time/costs and possibly new PCs and/or upgraded versions of some of the applications you use) there is at least now an upgrade path that is attractive in Windows 7.  You may find that the hardware and applications you already have will work just fine with Windows 7 without a problem (Microsoft has special free tools that allow you to check – see below for details) And if your charity qualifies for Microsoft donations via a scheme such as the Charity Technology Exchange it is now possible to get the Windows 7 desktop software at an incredibly reduced rate.

Some links you may find useful:

• Charity Technology Exchange www.ctxchange.org
• Windows 7 Upgrade Advisor http://windows.microsoft.com/en-us/windows/downloads/upgrade-advisor

So if you are still running Windows XP, now is the time to start planning your migration to Windows 7 – it really can’t be delayed too much longer.  Once you get going, you will probably find that it isn’t anywhere near as scary as you might have been expecting, but if you are a UK-based charity and you need help, either with getting the upgrade done or just working out what you need to do, then please do feel free to contact us (0118 932 8338 or sales@charitysolutions.co.uk ) – if we can help we will be more than happy to do so.

Without naming names or going into “techie details” that would probably bore most of you silly, the change required would have taken one of our techies less than 2 minutes to do.  Unfortunately the charity concerned had (many years ago, way before we started working with them) entrusted the domain management and renewal to another company.  Not only does this company charge them waaaaaayyyyy over standard market rates to process the yearly domain renewal, it charges them a stonking great extra fee every time a change is required to the domain records.  And to add insult to injury 50+ hours later the charity is still waiting for the change to be done (so still has no email) and the company is now blaming the delay on their partner company. (A  much larger and well-known one that is probably not best known either for its speed or technical competence but which they chose to partner with for reasons that I would hesitate to guess, though the best interests of their customers would perhaps not seem to be first on the list.)

Maybe we at Charity Solutions are be doing things wrong with our (apparently) naive “let’s do our utmost to provide a really good service and not rip charities off” way of doing things.  Maybe we should just follow that other company’s apparent business plan:

1. Boast about providing 24/7 support – but don’t worry about having anyone actually available to do any support out of hours if anyone needs it.  Though we have clearly misunderstood in the past,  24/7 support apparently means that customers can send emails and leave answer-phone messages at any time of the day or night, it doesn’t mean that we need to do anything to help them until after we’ve had at least a couple of coffees on a Monday morning.
2. Offer a domain management service whereby we keep control of customers domains and make them pay through the teeth (at a minimum of 10 times market pricing) every time they renew them
3. Make customers pay extra every time we need to actually do any work up and above renewing the domain, however minor the work is.  Clearly we at CS are under-charging – £50 for a 2 minute job is apparently the going rate!
4. Partner with totally c*** companies (names removed to keep the lawyers happy) and adopt an “apologise half-heartedly but not really give a flying f***” attitude when our customers suffer serious issues due to unnecessary delays in getting our “chosen” partners to actually do anything.

Given that the companies concerned have remained in business for a number of years (which means people are still apparently willing to use pay for such “service” levels) maybe we should set up a new company with a “mission plan” based on the above  –  it would give us far more money …………..not to mention all that extra free time if stop doing any of the boring “technical stuff” and just passed the actual work to someone else (who cares if they don’t do it as long as we get great commissions).

So if you would like the services of such a company, please contact us at www.we-left-our-ethics-outside-the-office-door-along-with-our-ferraris.rip.off and, between champagne lunches and expensive vacations, we will be more delighted to help!

We have added this service after a number of our charity customers ran into problems with their current PAT Testing providers (from incomplete and incorrect testing to causing major IT issues by just hoiking plugs out of walls to test equipment without shutting it down first) and asked us if we could do it instead.

So some of our key technical staff are now also trained and qualified to do PAT Testing – whether on its own or along with other services like network healthchecks or general IT “fixing stuff” work.  To be honest, they are quiet enjoying their new work so far – electricity is a bit more predictable than Microsoft!

If you think this is something we might be able to help you with, just email us or give us a ring – 0118 932 8338.

To celebrate, we are offering a discount to the first three Cornwall-based charities that book a day or more of IT support or consultancy with us.  If you would like to take advantage of this offer, please email us or call the main office on 0118 932 8338 to find out more or book your slot before someone else does!

If you (or anyone you work with or for) is still having trouble getting their heads round all the PCI Compliance rules, regulations, red-tape and general annoyance, or if you have recently taken on new staff who missed all the training first time round, you might be interested in the PCI Foundation Course being run in May by IT Governance.  (With similar course scheduled later in the year if you are reading this later than May!)

The course is designed for anyone with any responsibility for, or involvement in, your organisation’s PCI DSS compliance activities, and anyone involved in information security management generally.  It has been created and designed by a former QSA (Qualified Security Assessor) who knows all the ins and outs of PCI compliance and aims to give you a comprehensive and practical coverage of all aspects of implementing the PCI DSS in the “real world” – rather than just on paper where everything is always so much easier!

It is designed to help you develop an efficient, cost-effective plan for meeting the PCI compliance standards. You can find out more about it here: PCI Foundation Training Course

Just to be clear, the link above is an affiliate link which means you get the same price (and discounts) as anyone else visiting the IT Governance website directly, but if you do choose to book, IT Governance pay us a small comission for letting you know about them.  But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI Compliance is for a lot of charities and we think this course can help.

Though there are huge advantages in having a server, there are significant time and cost implications, so it isn’t a decision to be taken lightly or rushed into – in some cases a server isn’t even really what is needed.  So we thought is was high time we updated our (sadly recently neglected!) blog with a few posts to help you make the decision and, if you decide it is right for your charity, implement it.

Firstly, let’s start with the basics.        What is a server?

A server is basically just another computer, designed to provide a number of centralised control and storage features – more details below.

You could use a “normal” workstation PC or laptop as a server, but it is better if at all possible to buy a machine designed for the task.  Unlike “standard” PCs and laptops, server hardware is especially designed to be left on 24/7 and often includes extra options to help keep things running if a fault develops – spare power supplies, fans, network cards etc.  The more expensive servers also often have better hard disks (faster and/or with a better warranty), though sadly this is no longer always the case … more on that in a later post.

Another significant difference between servers and PCs/laptops is that servers don’t normally by default come with any operating system software – so when budgeting you need to make sure you include this extra cost.  (And when you do, make sure you get the software with the biggest charity discount possible!)

Servers can be used for a variety of tasks including (depending on their capabilities) any number of the following:

• Central control of users – login names and passwords, access rights etc
• Central storage of files
• Email
• Databases
• Remote access capabilities and control
• Website hosting
• Printer management
• Central management of antivirus and antispam programs
• … and lots more

But it’s unlikely (and not advised) that you get one server to do all of the above.  You would need pretty a pretty “high-spec” server to do it all effectively – and by putting all your “computing eggs in one basket” you would be risking major issues for your charity if the server ever went down.

In our next post we will look at whether a server is the right option for you or whether there could be a better/easier/cheaper solution for your specific needs.  And in later posts we will cover more about how to choose the right server for your particular needs and budget.

But if you can’t wait that long just contact us (details on the About Us page) and we will be more than happy to go through the options with you and help you find the best solution for your particular organisation.

The volume and size of the hoops you need to jump through depends on the number of credit card transactions you do.  So at least if you are a small charity taking relatively few credit card payments, you won’t have to meet the same high-cost audit requirements of the huge retail organisations.  Here is a very brief summary of the criteria you need to meet:

Level 1 – If you take over 6 million transactions a year, or your data has previously been compromised

• Annual Onsite Security Audit  – either reviewed by a specially qualified adviser or (by prior agreement with your merchant provider) an Internal Audit signed by an officer of the company
• Quarterly network security scan by an Approved Scanning Vendor (ASV)

Level 2 – If you take 1,000,000 to 6 million transactions a year

• Annual Self Assessment Questionnaire
• Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3 – If you take 20,000 to 1,000,000 transactions a year

• Quarterly Scan by an Approved Scanning Vendor (ASV)
• Annual Self Assessment Questionnaire

Level 4 – If you take less than 20,000 transactions

• Annual Self Assessment Questionnaire
• Possible Quarterly Scan by an Approved Scanning Vendor (depends on your merchant providers specific requirements)

As you can see from the list above, even though PCI DSS is (supposedly at least) an agreed standard, it’s interpretation depends on your specific merchant provider – and so you need to double-check with them as to the exact requirements your charity needs to meet.

If you are not an IT compliance expert, the whole Self Assessment Questionnaire and Quarterly Scan thing can appear incredibly scary and time consuming. 

There are a number of qualified experts our there (QAS) who can help,  and if you take enough credit card transactions to need to meet the higher level criteria you are probably going to want to ask for their help, but (due to the training, certification and insurance requirements they themselves need to maintain) their services are not particularly cheap.  So for smaller organisations, a DIY approach, probably with help from your internal or external IT experts, is going to be the most likely route to take.

As well as consulting your IT experts, there are a number of organisations who provide “fill in the gaps” type toolkits to help you complete your PCI DSS requirements with the minimum of pain, and a number of organisations who can provide those quarterly scans for a relatively low charge.  Here are a couple we have looked at, an internet search will no doubt yield a lot more:

• IT Governance PCI Toolkit –  A specially designed toolkit to help payment card-accepting organisations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2), containing a full set of documentation templates for the all mandatory PCI DSS policies.
     
• IT Governance ASV Scanning Service – Provides a fixed yearly contract service for scans by an Approved Scanning Vendor based on number of external IP addresses to be scanned – prices (at time of writing) from £165 for a one year contract for 10 scans per quarter across up to 5 IP addresses

Just to be clear, some of the links above are affiliate links –  which means you get the same price (and discounts) as anyone else visiting the destination websites directly, but if you do choose to buy, the website owners pay us a small comission for letting you know about them.  But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI Compliance is for a lot of charities and we think these products can really help.

If you store, process or transmit any cardholder data electronically or manually, then your organisation needs to comply with the Payment Card Industry Data Security Standard (PCI DSS) – and prove it – by 1st September this year.  And if your organisation doesn’t comply, you run the risk of a massive fine.

PCI DSS is a set of comprehensive requirements for enhancing payment account data security.  It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, in order to ensure the broad adoption of consistent data security measures on a global basis.

It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures – all designed to help proactively protect customer account data. 

It includes a whole range of requirements, including rules about what data you can and cannot store and what levels of security your organisation and systems network must meet.

It is important  realise that it covers your entire trading environment, including all third-party partners that store, process or transmit data for you as part of your credit card payment process.  Third parties include:

You can’t just assume that your website host or any third-party organisation you use will deal with this – the buck stops with you and you will need to make sure that all your providers, facilities and software comply before you can achieve compliance. 

More to follow soon ….

This time round we take a look at the most common methods available to send out “bulk” emails,  i.e.  emails to many recipients (like newsletters and appeals) as opposed to just a few recipients. 

There are three major ways of sending out bulk emails:

• Via your own email client (like Outlook) – either by placing all recipients in the BCC field or by using an email distribution list
   
• Via  a program specifically designed for sending bulk emails that is installed on a PC or server at your offices
   
• Via a specialist bulk email sending company like AWeber, Constant Contact or Sign-Up.to

All have pros and cons.  Here are some of the key ones and our personal advice on where you can benefit – or slip up – using each of them.

Your own email client

Pros:

• It’s immediately available – probably already running on your desktop, so nothing more to pay.
   
• You already know how to use it.

Cons:

• It is incredibly easy to make a mistake and put recipient addressed in the To or CC field of the email – meaning that every recipients email address is sent to every person and your organisation has instantly breached both UK Data Protection laws and spam laws in every continent!
   
• You need to remember to put in the legal “stuff” (like registered addresses and unsubscription links) in to each email.
   
• You need to manage subscribe and unsubscribe requests yourself.
   
• Emails to more than a few recipients are likely to get blocked by the spam filters on your local PC or your email server.
   
• The sudden volume of outbound emails may be a lot for your email server to handle all at one time, resulting in other day-to-day emails being delayed while you server works to handle your mailing.
   
• If you mess anything up and your email domain gets onto any spam blacklists, you may well stop all email from your organisation from getting through and bring email communication to a total halt until you can get your organisations email server de-listed.
  Even if you do it perfectly, someone can still report you for spam and it will be up to you to prove your innocence.   In the world of spam blacklisting you are sadly often deemed guilty until proven innocent!
   
• You will need to understand what all the non-delivery reports you get back mean in order to manage re-sends and mail list removals.
  If you don’t know the difference between a “hard bounce” and a “soft bounce” – and their error codes – and what you need to do if you get one or more of each type to an email address within a certain time period to keep on the right-side of spam laws, then this probably isn’t the right solution for you!

Our view:

We wouldn’t recommend this unless you only have a few (under 50) subscribers and really understand what you are doing when it comes to email legalities and email delivery and error report codes.
 

Dedicated bulk email program on your PC

Pros:

• They are relatively cheap to buy and you don’t have many (if any) further costs.
   
• They are relatively easy to use and many provide additional features – to help you design good looking emails for example or to automatically add the “legal” bits for example.

Cons:

• Most of the disadvantages listed above for personal email clients (other than the first one).
   
• By default, most use their own email server software to send and track emails, so you need to make sure that any anti-spam settings on your outward server (or even possibly your ISP) are configured to expect bulk emails from it.
   
• Not all of them are particularly accurate at tracking whether emails have reached their destination or not. As well as messing up your statistics, this can lead to you re-sending emails that were incorrectly reported as not having gone through but really had done – leading to subscribers receiving multiple copies which at best will annoy them and at worst may see you being incorrectly reported as a spammer.
   
• If your email recipients are split over several lists, not all of them are able to flag up duplicate sends where the same email address it in multiple lists – which means that subscribers receive multiple copies, with the same results as above.
   

Our view:

This can be a cheap and effective solution.  But you really understand what you are doing when it comes to email legalities and email delivery and error report codes.  If a paid member of staff is handling this, don’t forget to take into consideration the cost of their time learning and administering the program into account – these “hidden” ongoing costs can mean that this isn’t always the cheap and easy solution it appears to be.

Specialist bulk email sending company

Pros:

• They handle all the “legal bits” for you – all you need to worry about is the content!
   
• They have their own email deliver servers, which are specially designed to handle large volumes of emails quickly and efficiently.
   
• Most provide easy to use software for designing your emails as part of the package.
   
• Some include special checking software that you can run to ensure that your email isn’t likely to fall foul of spam filters or other reasons for non-delivery.
   
• Their software automatically handles subscribe and unsubscribe requests for you.
   
• Most provide extra email features like auto-responders that allow follow-up messages to be scheduled and sent automatically.
   
• Some include integration to other information delivery methods such as Twitter and Facebook, allowing you to reach donors and supporters in many different mediums via one single place.
   
• Most include tracking and analytical tools that enable you to quickly and easy monitor deliver and read rates – and report and analyse trends over time or a particular campaign.
   
• If anyone should make a spam complaint about one of your emails sent using one of these services, the company will help sort things out.  And in the meantime, your own organisations day-to-day email won’t be affected.
   

Cons:

• Some offer low price (or free) trials for low subscriber numbers and/or time periods, but after that you will need to pay a monthly or yearly charge which depending on your subscriber numbers (and how often you mail then) can be significant – so costs can mount up unexpectedly if you don’t keep an eye on numbers.
   
• In order to ensure that they stay on the right side of spam legislation (and don’t have their other customers emails blocked) most impose restrictions on the methods by which you can add subscribers.  Though uploading your existing subscriber-base should be no problem, many require that new subscribers are added using “double opt-in” and some specifically ban you from using emails from purchased marketing email lists.
   
• Your subscriber data (email name at minimum) needs to be stored on their servers, so you (or subscribers) may have concerns about privacy or data confidentiality.  In practice this isn’t normally a real problem at all (all the specialist companies have tight security procedures) but there may be a perceived risk.  And if you are using a company whose servers are not based in the UK, you may need to check (and possibly amend) your own organisations published privacy policy.
   
• You are not totally in control of the whole email delivery mechanism – which some organisation may not be comfortable with.  Also subscribers may worry that their email address has been shared with others if  they see a mention of another organisation at the end of your emails (like the Sign-Up.to one at the end of our newsletters) or when subscribing or unsubscribing.  In practice, most internet users are well used to this concept and unworried by it, but if your subscriber base is more conservative or less “internet savvy” then you might need to give them extra reassurance.
   

Our view:

If you have thousands of subscribers, this probably the only practical solution unless you want to employ (or train to be) an email delivery specialist and your email servers really have the capacity to handle the huge volume of email. 

If you have fewer subscribers, you need to balance the benefits against the costs.  Make  sure you take into account not only the time spent sending the emails, but the measured risk to your organisation if you did end up on a spam blacklist – and the time and effort to get off it, which after having to do this for other organisations ourselves we can vouch can be a painful and costly process and one which is best avoided!

Though we are IT specialists and a lot of our time is spent working with email delivery in some shape form (so we do have some level of expertise in this area), this is the solution we choose to use ourselves.  Even though our mailing list is pretty tiny compared to some of the organisations we work with, we still find that outsourcing this part of our communication to an outside specialist organisation saves us time and money overall.