
Tech Policies are Cyber Security, Too: Do You Have Any?


How can the church protect itself from those bad actors? How do we provide maximum Kingdom impact while also being good stewards of the data God has entrusted to us? One overlooked aspect of church tech is using wise tech policies and procedures. (This assumes you have a firewall and a proper network design.)

Look at your Church Management System (ChMS).

Do you rely solely on the ChMS vendor to keep your data secure? Do you test the security of your ChMS, or do you just take the vendor's word for it?

Do your tech policies call for security audits along with your financial audits? I assume you have financial audits. Even then, the security questions in a financial audit can be useless. A church IT friend of mine answered the security audit question, “How do you keep your data secure?” with, “12 flying monkeys.” He never heard back from the auditor regarding that answer. He should have. Use a security company for a dedicated security audit, or ask your ChMS vendor for a copy of the security audit they have done on their product.

Second, what is your password policy like?

Are your tech policies written down? How do you enforce them? Do they make sense? Research has shown that longer, more complicated passphrases are more secure than shorter, complicated passwords that users have to change frequently. Forcing users to change their passwords on a regular basis, whether to their computer, ChMS, or any other system, leads to the passwords being written down on the bottom side of the keyboard, where some of those bad actors know to look.

I suggest using long passphrases: 15 characters or more, with a capital, lowercase, number, and special character all required. Using a phrase from your favorite song or Bible verse works (“InthebeginningGod1!”, for example), but don’t use anything obvious or inscribed on a plaque hanging on your wall. A passphrase like this will never need to be changed unless it is compromised.

Your tech policies regarding passwords should also include the ability to prevent users from sharing their passwords, even with volunteers. It is far better to invest the time and issue a volunteer a login than to share staff access. The same is true for your ChMS. Does your password policy also apply to other sites and services that require your users to log in?

If you find that a user has shared or compromised their password, I suggest setting it to something like, “Isharedmypasswordsonowittakesme5minutestoentermypassword?!” and forcing them to use that for a week.

Do you have any data access tech policies?

Who gets access to your data? What level of access? Does everyone see everything, or do users only see what they need to see? What criteria do you use to determine who sees what? Do you allow people to snoop around your database? Who can view giving data? How do you determine who sees what?