© 2007 by Nick B. Nicholaou, all rights reserved. President, Ministry Business Services, Inc. Reprinted from Christianity Today’s Your Church Magazine.
Some church assets are difficult to assess. Personnel, congregational goodwill, and data are just a few examples of assets whose value is usually understood only once it’s gone. None of us would say our data has no value to the organization, but trying to figure out what it’s worth so we can adequately protect it is challenging.
Data is one of the most valuable assets a church has. Protecting it isn’t difficult, but it must be approached as deliberately as the fire and security protection we apply to our church buildings.
Churches have different kinds of data, and classifying them helps set a value on each so they can be protected strategically. While some data is mission-critical, other data (like our favorite song recordings) is merely convenient. Data that might be considered mission-critical includes:
- Databases. Databases contain names and contact information, and sometimes include contribution, attendance, baptism, and other data that help us serve our congregation well. Unfortunately, most churches have more than one database. In addition to lost efficiencies and synergies, having multiple databases adds complexity to making certain they are adequately protected. Church databases can include true databases, spreadsheets, document files, contact lists, and, of course, the Rolodex™.
- Sermons / Lesson Prep. The research behind them, and the actual sermon and lesson files themselves.
- Communications. Letters and email between the organization and others, both internal and external.
- Graphic Files. Photos, videos, bulletins / programs, promotional posters, and audio files.
- Governmental Documents. Church’s minutes, agendas, meeting notices, etc.
- Custom Programming. Templates and anything else that has been customized to help communicate and serve with uniqueness.
The question that begs an answer is, “What would happen if these were made public or were destroyed?”
Data threats are internal and external:
- Internal. Good employees sometimes become disgruntled employees, hardware sometimes crashes, vendors sometimes have sticky fingers, we are constantly being attacked with malicious software (called ‘malware’) in the form of spyware and Trojan horses, and buildings are sometimes destroyed by internal causes.
A large client of ours told us their previous network engineering firm realized the value of their database and took a copy. They rented the list to those who wanted to reach people in their community, segmenting it by various demographics including contributions!
- External. Burglars, external catastrophes like hurricanes and earthquakes, and those who try to hack into systems that are connected to the Internet.
As we monitor our clients’ network security, we see almost constant evidence of Internet programs (called ‘bots’) trying to exploit operating system vulnerabilities. Their goal is to grab data or computer resources to serve the interests of others.
Prioritizing Data Protection
Some data, if lost, would cause no damage (like our favorite song recordings). But other data losses could really hurt! Consider, for instance, if the database were no longer available, or if members’ private information were made public! This is exacerbated because many churches and ministries now process online or ACH contributions, and have on hand all of the information that, in the wrong hands, could let someone raid members’ financial accounts!
It’s important to think through the data we have and how it should be prioritized.
- Losing the database would have the greatest impact, so protecting it should be highly prioritized. This can take multiple forms:
  - Reduce the number of databases as much as possible, the ideal being only one. This helps ensure that a high-priority focus on protecting it will be as effective as possible. It also has the benefits of saving staff time (updating a record only once takes less time than updating it multiple times in every database) and increasing staff synergies. The downside is that some ministry areas may have to adjust the way they maintain their data to accomplish this goal.
  - Perform multiple daily backups, easily done with many of today’s database engines. Some choose to have their database backed up every two hours, for example, so that if there were a problem, less work would have to be re-entered.
  - Send a copy of database backups to an off-site server. If there were a regional catastrophe (like Hurricane Katrina) in which staff evacuated in many directions, the database could be securely accessible via the Internet.
Jason Powell, Granger Community Church’s IT Director (Granger, IN), said, “Our database is the center of what is done on our network. If it were lost, the cost to reconstruct it would be huge; worth it, but huge.” Spending a little to protect it in advance is good stewardship.
- Safeguard files that are foundational to the ministry. These include communications with governmental authorities as well as the church’s own governmental records (agendas, minutes, meeting notices, etc.). Records of this type may become critical in re-establishing a church or ministry following a catastrophe.
- Likewise, safeguard letters and email communications which cannot be easily re-created.
- Few things tangibly say who you are like familiar graphics. Whether these are bulletins and programs, promotional formats, or photo, video, and audio files, these are often irreplaceable pieces of church history that help many feel a little more comfortable in a crisis. They communicate who you are, and should be protected. Because of their size, however, these are often the files eliminated from daily backup routines.
- Custom programming, usually in the form of templates and database modifications, should be protected.
Layers of Protection
For protection from those who want to do you harm, we recommend:
- Server rooms should be locked and accessible only to those with a need for access.
- Passwords should meet or exceed minimal policy requirements, avoiding words, names, dates, etc. that are easily guessed, and should never be shared with other staff members. David Brown, Capital Christian Center’s IT Director (Sacramento, CA), told us, “When someone lets us know they shared their password for any reason, we immediately change it for them.” Capital, like many ministries, doesn’t allow users to change their own passwords. This helps ensure that passwords are high quality.
Some are even moving toward the use of biometrics to eliminate passwords altogether! Dell, for instance, will often include fingerprint scanners for no additional cost. These easy-to-use devices increase the protection of networks and sensitive data.
- Most of today’s systems have full-time connections to the Internet. That means the following are a must:
  - A firewall that is fully configured, updated, and tested to keep unwanted intruders (bots and hackers) out.
  - SPAM filtering that is fully configured and updated to minimize the impact of malware contained in email.
  - Secure in-house instant message systems, rather than public systems (AIM, etc.), to avoid security back doors that are easy to exploit.
- Daily (Monday through Friday night) backups of the entire system, with tapes for a minimum of three weeks of backups.
For protection against local and regional catastrophes, we recommend:
- If the heaviest workload happens on Mondays, take Monday night’s backup tape off-site every week, rotating it with the previous week’s backup.
- Copy high-priority data to an off-site location on a daily basis via secure Internet connection. Though many vendors offer this service, only a few also have the ability to restore a database backup and securely host it over the Internet as an interim solution following a catastrophe. This is especially important for databases.
Your data, though difficult to objectively value, is one of your most significant assets. Implementing some fairly simple policies and procedures can go a long way towards protecting your data and your ministry.
Recommended Solution Provider Table
SPAM: Barracuda (www.barracudanetworks.com)
Firewall: SonicWall (www.sonicwall.com)
Hardware w/Biometrics: Dell, Inc. (www.dell.com)
Instant Message System: OpenFire (www.igniterealtime.org)
Online Backup: MozyPro (www.mozy.com)
Online Database Backup: MBS, Inc. (www.mbsinc.com)