How can the church protect itself from those bad actors? How do we provide maximum Kingdom impact while also being good stewards of the data God has entrusted to us? One overlooked aspect of church tech is having wise tech policies and procedures. (This assumes you already have a firewall and a proper network design.)
Look at your Church Management System.
Do you rely solely on the ChMS vendor to keep your data secure? Do you test the security of your ChMS, or do you just take the vendor's word for it?
Do your tech policies call for security audits along with your financial audits? I assume you have financial audits. Even then, the security questions in a financial audit can be useless. A church IT friend of mine answered the security audit question, “How do you keep your data secure?” with, “12 flying monkeys.” He never heard back from the auditor regarding that answer. He should have. Use a security company for a dedicated security audit, or ask your ChMS vendor for a copy of the security audit they have had done on their product.
Second, what is your password policy like?
Are your tech policies written down? How do you enforce them? Do they make sense? Research has shown that longer, more complicated passphrases are more secure than shorter, complicated passwords that users have to change frequently. Forcing users to change their passwords on a regular basis, whether for their computer, the ChMS, or any other system, leads to passwords being written down on the underside of the keyboard, where some of those bad actors know to look.
I suggest using long passphrases: 15 characters or more, with a capital letter, a lowercase letter, a number, and a special character all required. Using a phrase from your favorite song or Bible verse works. “InthebeginningGod1!” is an example, but don’t use anything obvious or inscribed on a plaque hanging on your wall. A passphrase like this will never need to be changed unless it is compromised.
Your tech policies regarding passwords should also prohibit users from sharing their passwords, even with volunteers. It is far better to invest the time and issue a volunteer their own login than to share staff access. The same is true for your ChMS. Does your password policy also apply to other sites and services that require your users to log in?
If you find that a user has shared or compromised their password, I suggest setting it to something like “Isharedmypasswordsonowittakesme5minutestoentermypassword?!” and forcing them to use that for a week.
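As an added illustration, not code from the original article, here is a small Python check of the passphrase rules described above (15 or more characters with all four character classes, and nothing obvious), plus a naive search-space comparison showing why length matters more than forced rotation of short passwords. The deny-list entries and the 94-character printable keyboard alphabet are assumptions.

```python
import math
import re

# Policy from the article: 15+ characters, with an uppercase letter, a
# lowercase letter, a digit and a special character all required, and
# nothing "obvious" such as the church's name or the verse on the wall plaque.
MIN_LENGTH = 15

# Constructed deny list of "obvious" phrases (assumption for this example);
# a real deployment would load the church's own name, tagline and displayed
# verses here, letters only and lowercase.
OBVIOUS_PHRASES = (
    "faithministries",
    "forgodsolovedtheworld",
    "password",
)

CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def _normalize(text):
    """Keep only letters, lowercased, so spacing, digits and punctuation
    cannot be used to sneak a plaque verse past the deny list."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_passphrase(candidate):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, candidate):
            problems.append(f"missing {name} character")
    normalized = _normalize(candidate)
    for phrase in OBVIOUS_PHRASES:
        if phrase in normalized:
            problems.append(f"contains obvious phrase '{phrase}'")
    return problems


def brute_force_bits(length, charset_size):
    """Naive brute-force search space in bits (log2 of charset^length).
    An 8-character password over 94 printable characters is about 52 bits;
    a 15-character passphrase over the same alphabet is about 98 bits."""
    return length * math.log2(charset_size)
```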
Do you have any data access tech policies?
Who gets access to your data? What level of access? Does everyone see everything, or do users only see what they need to see? What criteria do you use to determine who sees what? Do you allow people to snoop around your database? Who can view giving data?
Volunteers are great and we use them all the time, but do they need ChMS access at home? While doing visitor data entry, should they see SSNs and giving information? It may take a little more work to set users up so they only see what is necessary, but it is better, especially when you consider how much turnover volunteers have.
Physical access should also be addressed.
I’m talking about physical access to the hardware storing the data. What tech policies do you have to protect your server room, or is it just a closet everyone can get into? I’m convinced I could walk into most churches, steal a server, walk it out to my car, and drive off with it if I just pretended that I owned it.
Our personnel tech policies also have to be reviewed.
Having the right people in the right positions is often half the battle. What happens when folks are dismissed or fired and their access must be removed? While we would like to say that doesn’t happen in the church world, we all know it happens far too frequently. Are you hiring people you can trust with your data?
People are the biggest security risk any organization has. They fall prey to phishing scams: because they want to help, they click on things they shouldn’t, trying to help people they shouldn’t trust. This leads to data loss. Do you provide training for your users to teach them how to avoid such threats?
It is vital that security and cyber threat protection decisions not be made by tech people alone; they are leadership decisions, and hopefully the tech folks have a representative at the leadership table. Contrary to popular belief, tech people aren’t wired to say no. But we are trained to keep things safe. Leadership needs to get input and make wise, informed decisions about how to keep data safe, how much money to invest, and which policies and procedures to adopt.
Again, the nature of our business makes creating tech policies a challenge. We use volunteers. But decisions made in the light of day, with the involvement of the necessary parties, are a huge step towards avoiding disaster.
Jonathan Smith is the Director of Technology at Faith Ministries in Lafayette, Indiana. You can reach Jonathan at firstname.lastname@example.org and also follow him on Twitter @JonathanESmith.