© 2016 by Nick B. Nicholaou, all rights reserved President, Ministry Business Services, Inc. Reprinted from MinistryTech Magazine
Churches and ministries have the intent of doing things well. IT security is no different, but most in church and ministry leadership are not familiar with IT security risks and solutions. Let’s work through some important, easy to accomplish, and affordable IT security needs.
Why Does IT Security Matter So Much?
All data– church data included– is vulnerable. That is a given, and data vulnerability cannot be completely eliminated. But as leaders we are charged to do our due diligence to reasonably secure our most sensitive data and protect those who could otherwise be harmed.
There are internet programs (called bots), disgruntled former employees, disgruntled former members, and a bunch of other rascals who would love to find a crack in your security and make things challenging for your church or ministry. Church data is usually more exposed than other data for two reasons:
- Most churches and ministries try to economize on IT, seeing it as operational vs programming, and don’t typically explore whether all is being addressed that needs to be in this increasingly vital area.
- Churches and ministries are managed by those who, more often than not, don’t have IT expertise in their training or education, and are thus not aware of some of the high risks that exist in IT and have affordable resolutions.
So all data being vulnerable; the next question is Do we have sensitive data that we need to protect? The answer is almost definitely Yes! Here’s a short list of examples:
- Databases that include contribution information and contact information for adults and children.
- Accounting and bookkeeping systems that include payroll information– like salaries and social security numbers.
- Board minutes that likely include ‘sensitive’ details like personnel decisions, spiritual discipline communication details, and liability information.
What Are the Essentials?
There are many things that need to be addressed, but this IT security primer is a good starting place:
- Maximize protection from the internet and from those off-site who would like to cause harm:
- Firewall. The firewall is a small piece of equipment that goes between your network and the internet. It is different than a router or switch, though it can replace the router. The firewall we recommend is Dell SonicWALL. It has a great combination of features at an affordable price. In addition to keeping the ‘bad guys’ out, it can also filter internet content.
- SPAM Filtering. One of the most common ways for malware to get into a system is via email SPAM. Churches are wise to have their email filtered by a good SPAM filter, and the best is from Barracuda. Buying a Barracuda SPAM Firewall is expensive, but there are some vendors who ‘host’ SPAM filtering with Barracuda SPAM Firewalls for churches for as little as $50/month with no limit on the number of email addresses. My firm is such a vendor (there are also others), and in the millions of emails received weekly through our Barracuda SPAM Firewall, about 85% are SPAM.
- Passwords. It is essential to have a good password strategy. We recommend a minimum of 7 characters (at least one of each: uppercase alpha, lowercase alpha, number, and common punctuation). Also, don’t make users change their passwords periodically unless there’s been a security breach… changing passwords actually lowers security.
- Computers and servers should be running a good anti-malware solution– even Macs! The one we recommend is Thirtyseven4.com.
- Control of mobile devices is very important to ingrain into team members. On a monthly basis tell a story of a church or ministry that was harmed by poor IT data security practices (like the one in the next section) to help your team understand the need to be careful. That especially extends to those who have mobile devices with church data on them (like notebook computers) to protect the custody of their devices.
How Much of a Priority Should These Be?
A church in Missouri ran their guest WiFi unsecured 24•7, and someone in their community discovered it. That person pulled into the church’s parking lot in the evenings, connected to the internet via the church’s WiFi, and distributed child pornography. When the FBI investigated, two things happened:
- The FBI confiscated all of the church’s computers and servers so they could do a forensic analysis to determine if any were involved in distributing child porn. The church was without their computers for some time. How would that impact your church or ministry?
- The story hit the news in a big way– television and newspapers. A headline in one local paper was “Child Porn Investigation Focused on [church name]”. A TV news report was titled “Child Porn Linked to Church IP Address”. How long would it take your church or ministry to rebuild trust in your community following that kind of press?
The answer to those types of questions should drive the prioritization of improving your church or ministry’s IT security. In addition to the lives that would be hurt by a breach, the Lord’s work through your organization would also be diminished.
The solutions we addressed are easy and quick to implement, and not cost prohibitive.