
GDPR and the Golden Rule

Written by Jonathan Smith. Posted in Articles

© 2018 by Jonathan E. Smith, all rights reserved
Director of Technology, Faith Ministries
Reprinted from MinistryTech Magazine

I know what you’re thinking. You’ve received numerous emails over the past few months about GDPR and you are sick of hearing about it. Seeing GDPR one more time makes you want to scream. I’m with you. I’ve gotten emails about GDPR from companies I have no record of ever interacting with, and I’m a geek so I keep track.

While traveling around the past few months since GDPR went into effect on May 25, 2018, I’ve been amazed at the number of questions folks are asking about it and the astonishing lack of information there is about it, especially as GDPR relates to churches and ministries. In an attempt to narrow the knowledge gap here is my best effort to tackle the GDPR issue, specifically how it relates to churches and ministries. Please note, I’m not an attorney, I don’t even play one on TV, so while I’ve done my research it is always good to ask your legal counsel to sign off on any plans or changes you may have or plan to implement in response to GDPR.

What is GDPR?
GDPR stands for General Data Protection Regulation. The European Union passed it to give people in the EU more control over their personal data and a say in what the organizations they hand that data to may do with it. It could just as well stand for Golden Data Protection Rule: someone with a biblical worldview could sum GDPR up as the Golden Rule of data, treating other people’s data the way you want your own data treated.

The regulation also makes a few specific provisions. First, it defines what counts as personal data. Second, people can ask that their data be erased, or that it be used only for certain purposes; for example, you may use my data to contact me but not to send me advertising. Third, an organization that suffers a personal-data breach must report it to the supervisory authority within 72 hours of becoming aware of it, and must tell the affected people without undue delay when the breach is likely to put them at high risk.

Reading what GDPR does, you can understand why it was written. It took Equifax weeks to tell the world it had been hacked; GDPR addresses that. Your data on Facebook makes you the product, not the customer, and you have little control over what Facebook does with it; GDPR addresses that too.

How does this affect those not in the European Union?
This is the biggest question surrounding GDPR and one the entire planet is struggling to understand. The European Union has roughly 500 million residents, so it can push its agenda a bit. The challenge for organizations operating worldwide is that the EU has set the strictest standard, so do you maintain multiple data collection and use policies depending on where the individual lives, or do you work off GDPR everywhere, since a single policy then covers the most people? If you don’t fully understand, you aren’t alone.

Some companies have responded by blocking EU visitors until they can figure this out. The trigger is simple: if you operate in the EU and store data about people there, GDPR says how you must do it.

Enforcement
This is where international law gets complicated. GDPR is written to apply not only to organizations established in the EU but also (Article 3(2)) to organizations anywhere that deliberately offer goods or services to people in the EU or monitor their behavior there. Whether it can be enforced is a separate question, and that depends largely on presence. Take Facebook: it has a large, lucrative presence in the EU, with data centers, offices and staff there. The EU can enforce GDPR against Facebook because there are locations that can be searched, personnel who can be summoned, and executives who can be taken to court.

For an organization with no physical presence and no assets in the EU, enforcement is far harder. There is no office, data center or employee within an EU regulator’s reach, and a fine levied in Europe is not automatically collectible in North America. That is how international borders work. It does not mean the regulation exempts you, only that the practical exposure is much lower, which is the point to raise with counsel if you knowingly collect data from people in the EU.

Blah, blah, blah. How does this Impact Churches?
If you’ve skimmed the first part of this, that’s fine but this is the part in which to pay close attention. At its heart, the GDPR legislation is about being a good steward of data. While data can mean many things from name, address, phone number to t-shirt size and food allergies, it is important for us to remember in the church world: data means people and people mean souls. We did not need GDPR to tell us to be good stewards of the people our ministries serve.

The Bible tells us to be good stewards (1 Corinthians 4:2), the Bible also tells us to obey the authority (Romans 13), including governments, placed over us. In this case, it seems the EU is telling those who operate in the EU to do what the Bible says and be good stewards of data.

GDPR requires a few things I would hope churches around the globe are already doing:

  1. If your data is breached, report it to the supervisory authority within 72 hours of discovering it. Even without GDPR, every church should have a written breach response plan: who is told, who decides, and how the affected people are notified. The church is the last place that should try to cover it up for weeks or months.
  2. If a user wants you to remove them from your database, remove them. Even without GDPR, every church should have a procedure to remove a record from its database when someone does not want any of their information stored in your organization, and that procedure should cover the email list, the check-in system and any exported spreadsheets, not just the main database.
  3. If a user wants you to email them prayer requests but nothing else, honor the request. Even without GDPR, you should be able to send people what they asked for without making them take everything you send out. There is a difference between a prayer request and a fundraising appeal. Do you let people decide how you use their data?

I’m sure by now some of you are wondering about financial data. What happens when someone gives you money and then wants to be totally removed? In the US you are expected to keep records of financial transactions for 7 years, and GDPR itself allows this: the right to erasure does not override a legal obligation to retain a record (Article 17(3)(b)). Even without GDPR, if someone who has given you money asks to be removed, do you have a procedure to remove everything except the financial record, keep that record for 7 years, and then remove it completely when the 7 years are up?

Most churches have no physical presence in the EU, so this rarely comes up, but what if you do have a presence there and someone in the EU gave you money and then asked to be removed from your database? The principle is to honor the donor’s intent: they don’t want to be in your database, so strip every field you are not required to keep (contact details, preferences, notes), keep only the minimum the financial record needs, and delete that when the retention period ends.
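Here is what that procedure looks like when it is written down as code rather than as a paragraph. This is an added example, not code from the article or from any church-management product: it models a member record in plain Python, turns "prayer requests but nothing else" into a per-purpose consent check, and on an erasure request wipes the contact and sensitive fields immediately while parking the bare financial record under a purge date. The field names, the person IDs and the 7-year hold are assumptions for illustration.

```python
"""Erasure request with a retention hold, plus per-purpose consent.

Added example, not from the original article. It models a church
database record in plain Python: on an erasure request the contact and
sensitive fields are wiped at once, while the minimum financial record
is kept until the retention period expires and is then purged. The field
names and the 7-year period are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION = timedelta(days=7 * 365)  # assumed: 7-year financial record retention


@dataclass
class Donation:
    amount_cents: int
    on: date


@dataclass
class Person:
    person_id: str
    name: str
    email: str = ""
    phone: str = ""
    allergies: str = ""                          # sensitive: goes first
    purposes: set = field(default_factory=set)   # e.g. {"prayer", "fundraising"}
    donations: list = field(default_factory=list)
    erased: bool = False


@dataclass
class RetainedRecord:
    """What the financial record needs and nothing more."""
    name: str
    donations: list
    purge_after: date


def may_send(p: Person, purpose: str) -> bool:
    """'Email me prayer requests but nothing else' becomes a purpose check."""
    return not p.erased and purpose in p.purposes


def handle_erasure(p: Person, ledger: dict) -> Person:
    """Strip everything we are not required to keep; park the rest with a purge date."""
    if p.donations:
        last_gift = max(d.on for d in p.donations)
        ledger[p.person_id] = RetainedRecord(
            name=p.name,
            donations=[(d.amount_cents, d.on) for d in p.donations],
            purge_after=last_gift + RETENTION,
        )
    p.name = p.email = p.phone = p.allergies = ""
    p.purposes.clear()
    p.donations.clear()
    p.erased = True
    return p


def purge_expired(ledger: dict, today: date) -> list:
    """Run on a schedule: delete retained records whose hold has ended."""
    expired = [pid for pid, rec in ledger.items() if rec.purge_after <= today]
    for pid in expired:
        del ledger[pid]
    return expired


def demo() -> tuple:
    """Constructed data: a donor who asks to be forgotten."""
    ledger = {}
    donor = Person("p-001", "Pat Example", "pat@example.org", "555-0100",
                   allergies="peanuts", purposes={"prayer"})
    donor.donations.append(Donation(5000, date(2018, 1, 10)))
    prayer_ok, fundraising_ok = may_send(donor, "prayer"), may_send(donor, "fundraising")
    handle_erasure(donor, ledger)
    still_held = "p-001" in ledger
    purged_early = purge_expired(ledger, date(2020, 1, 1))   # hold still in force
    purged_late = purge_expired(ledger, date(2026, 1, 1))    # hold has expired
    return prayer_ok, fundraising_ok, donor, still_held, purged_early, purged_late


if __name__ == "__main__":
    print(demo())
```

The point of the separate `RetainedRecord` is that the retained data is a different, smaller object with its own expiry, not the original record with a flag on it; the allergies and the email address are gone the day the request arrives, and the scheduled `purge_expired` job, not a human remembering, finishes the erasure.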

While there may be several legal and international law issues at play here, I believe the core concept is not a legal one but one of ministry integrity. We should not have needed GDPR to tell us how to care for the data those we minister to have entrusted to us.

FAQ 

  1. We support missionaries or other ministries that operate in the EU and have a physical presence there; do we fall under GDPR?
    • No. The organization in the EU that has a physical presence there falls under GDPR; you, as an individual or organization supporting them, do not. The picture changes only if you yourself start collecting personal data from people in the EU, for example a newsletter signup aimed at EU-based supporters; that is a question for counsel.
  2. Should churches have data access and user rights policies?
    • Yes, even if in a basic format a policy showing who gets access to your data, for what purposes, and how you handle the data you’ve been given is important. It is also important to note how you handle requests for removal from your databases and/or email lists. With everyone talking about GDPR, you may find a guest or two asking if you have any data policies before they give you their children’s allergies when they check their kids in some Sunday.
  3. Should anyone lose sleep over this?
    • No, what we are talking about here is Golden Rule stuff. If you are losing sleep over GDPR then there are probably bigger issues to address in how you handle user data.
  4. Is this really new?
    • No. In 1995 the EU adopted the Data Protection Directive (95/46/EC), which each member state implemented in its own national law. It was repealed when GDPR became enforceable on May 25, 2018. In many ways GDPR refines and strengthens protections that have existed since 1995, and it applies directly in every member state rather than through differing national laws.
  5. What counts as data?
    • This is harder to answer because there is admittedly some subjectivity here. The obvious items (name, address, phone number, email address, SSN, photograph and the like) are data that can positively identify a person. GDPR’s own text adds online identifiers such as IP addresses and cookie IDs (Recital 30), and in 2016 the EU Court of Justice ruled (Breyer) that even a dynamic IP address can be personal data under certain circumstances, so it can be subject to GDPR.
  6. If we take signups and collect data on our website, do we need to make changes for GDPR?
    • Only if GDPR applies to you. It does if you have a physical presence in the EU, and the regulation also claims to cover websites that deliberately target people in the EU (an EU-specific signup, pricing in euros, a site in a local EU language). A US church site that merely happens to be reachable from Europe is not targeting the EU. If you are unsure which side of that line you are on, ask counsel.

Next Steps 

  1. If your church or ministries do not have a data access and management policy, then get one. Even a basic policy and procedure for how you handle user data and requests is important and shows you’ve thought about it and care about it.
  2. This is not an IT issue, nor should it be dumped on the IT team. While IT clearly has a role in data management, it should not be the decision maker. GDPR requires some organizations operating in the EU (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) to appoint a Data Protection Officer. That can be a new employee or a role added to an existing one. Churches and ministries may not need a formal Data Protection Officer, but the concept is valid: someone who continually checks that you are being a good steward of data and who coordinates data stewardship across ministry and church departments and silos.
  3. Get legal counsel. If you operate in the EU or are concerned you might, it would be wise to consult with a licensed attorney with experience in this area. Don’t try to figure it out on your own. The EU is intent on enforcing GDPR and no church or ministry should want to be on their radar.

The Golden Rule comes from Matthew 7:12 and Luke 6:31. “Do unto others as you would have them do unto you.” This applies to how individuals relate to each other in person and online, and to how organizations treat each other and those they serve. Whether we are talking about money, data, time, or talent the Golden Rule is more than just a rule or ideology from long ago; it is the Word of God.


Jonathan Smith is the Director of Technology at Faith Ministries in Lafayette, IN. You can reach Jonathan at jsmith@faithlafayette.org and follow him on Twitter @JonathanESmith.

July – Improve System Security Month!

Written by Nick B. Nicholaou. Posted in Articles, Uncategorized

© 2018 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

While speaking at a conference recently, a cybersecurity expert whose company offers email user testing and training stated that KnowBe4.com’s solution was the best they’d ever seen. Little did they know I was in negotiations on The Church’s behalf with KnowBe4!

What Is It?
KnowBe4 is a subscription-based service that lets an organization send its own users simulated phishing emails: messages that look like spam or a legitimate notice and carry links, attachments and so on, but lead only to a training page. The service tracks who clicks, and anyone who does is placed in a group whose members must watch a short online training video about what to avoid. Watching the video removes them from the group.

I’m aware of organizations whose users started at an 80% or higher click-rate. They used the solution to educate their team and got the percentage to under 10%. The result is a more secure user community, and improved security and safety for the organization.

What’s The Deal?
KnowBe4 offers a 10% discount to not-for-profit organizations, with an additional discount of 25% for a three-year subscription. So, they normally offer up to 35% in savings to charities.

Through our negotiations, KnowBe4 offered to add an additional 20% discount to any who say they were referred by MBS, and who contact a specific employee of theirs to sign up! That means you can get a 35% – 55% discount just by telling Tiffany Yeager (727.877.8226 or tiffanyy@knowbe4.com) you were referred by MBS! (As always, MBS makes nothing on your referral business, as per our by-laws.)

MBS Recommends Their Platinum Package
KnowBe4 offers a few packages; we believe the best for churches and ministries is their Platinum Package.

It’s July– a good month to improve your system security. This is a great way to do so!

March is IT-Be-Green Month!

Written by Nick B. Nicholaou. Posted in Articles, Uncategorized

© 2018 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

March is the month of St. Patrick’s Day, whose modern-day associated color is green. When we think ‘green’, we also think of doing things that are friendly to the environment. What are some quick tasks we can do to make IT more ‘green’?

Why the Green Focus?
Many in our congregations and ministry constituencies want us to be good stewards– not only of our financial resources, but also in the way we consume resources to accomplish ministry. I live in California, and folks– especially millennials– esteem homes, businesses, churches, and more as ‘better’ if they’re more environmentally sensitive. There are many in your congregation or ministry constituency that would be all the more pleased with associating with your organization if they knew that there are initiatives underway to help protect the environment. And that makes cost-effective green initiatives a win-win!

Green Server Rooms
A common issue we see in server rooms is that they become storage areas for all kinds of things. That happens mostly because team members don’t understand the need to keep the server room clean, cool, and secure; many perceive the space as ‘available’ even though it isn’t. Defending the space can be exhausting.

March is a great month to go through the server room and remove anything that shouldn’t be there. In addition to boxes of things others have deposited there, consider what IT-related items are stored there too! Churches and ministries sometimes have a hard time letting go of retired technology that still worked when it was retired, even though they’ll never use it again. “But what if…?”

When I visit clients, I often offer to clean out all those old CRT monitors, Pentium computers, keyboards, roller-ball mice, and cords that are gathering dust (a fire hazard) and are taking up space. Seriously, if you haven’t used it in a couple of years, it is probably trash. It’s actually good stewardship to let them go! Here are just a couple of reasons why:

  1. There are many electronics recyclers willing to help, and usually for free! Certified recyclers (look for the R2 or e-Stewards certifications) will erase or shred hard drives as part of their process and can give you a certificate of data destruction. Even so, wipe or pull the drives yourself before the equipment leaves the building; a retired file server on a recycler’s truck still holds your giving records. And recycling is a good thing.
  2. The more things that are stored in a server room, the less cool air is available to absorb the heat exhausted by your servers and other electronic gear. That can contribute to running hotter and consuming more electricity, and cause a shorter life for some equipment. Clean server rooms are always best.

Green Systems
There are a few things worth considering and doing that will help make your IT systems more ‘green’ in general.

  1. Virtualize your servers. Virtualization is a software technology that reduces the number of physical servers in your organization. A software layer called a hypervisor lets you run more than one virtual server on each physical server, which we then call a host. Besides saving the cost of buying a bunch of physical servers, virtualization cuts electricity consumption because there are fewer physical machines, and it cuts it again by reducing the heat in the server room that the air conditioning must overcome, since fewer devices are exhausting heat!
  2. Move Servers to The Cloud. In addition to virtualizing your local servers, consider going a step further by determining whether their roles can be moved to a hosted cloud service provider. In recent years my firm has moved many clients’ entire group of local servers into our cloud infrastructure, dramatically reducing electrical consumption while also outsourcing the responsibility to maintain those servers. The cloud is a terrific way to make your systems more green while reducing capital expenses. Keep in mind what does not move: the data is still yours, so who has accounts, how access is reviewed, and how and where the data is backed up remain your responsibility and belong in the contract.
  3. Clean Dust from Inside Computers. It’s amazing how much dust accumulates in computers. For those computers that remain on-site (servers, workstations, etc), consider cleaning their cooling fans. Perhaps organize a volunteer work party that goes to each workstation and cleans their insides! Cleaning them out every March as part of your ‘green’ initiative will reduce their electrical consumption and may extend their life because they’ll run cooler!

St. Patrick’s Day! What a great time of year to clean up server rooms– or maybe even eliminate them by moving into the cloud! And a great time to clean the dust from inside your servers and workstations (before the weather begins to warm up).

Five Things Worth Doing in January

Written by Nick B. Nicholaou. Posted in Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

January, 2018! The start of a new year! New beginnings are part of the Christian life, and January is a great time to make certain a few IT items are ready for the New Year. Let’s focus on protecting systems and data….

Firewalls
The most common entry point for malware and other system ills is the internet. The best way to protect your system and data from bots, rascals, and compromised websites is to be certain your firewall is adequate and is current. Some points worth examining:

  • Is your firewall adequate? There are many options to consider when buying firewall solutions– whether hardware or software. My firm’s preference is SonicWALL firewalls (we don’t sell or benefit from our hardware and software recommendations). We find the features and price point are a good ‘sweet spot’ for churches and ministries. Yes, you can buy more expensive and capable firewalls, but very few churches and ministries benefit from any features beyond what SonicWALL includes in their firewalls. We also recommend purchasing their Total Secure package, which can filter internet content.
  • Is your firewall subscription current? Regardless of which firewall you use, make certain that if it requires a subscription to stay current, your subscription is current and in force. Not doing so is the equivalent of welcoming intruders, rascals, bots, and malware that have developed new methods for gaining access to your systems and data.
  • Make certain there is no connection from your systems to the internet that doesn’t go through your firewall. We have seen many churches and ministries mistakenly plug their internet connection directly into their network switch. The internet connection should connect to your firewall, and the firewall to your switch, so that all internet traffic MUST pass through it. Check the less obvious paths too: an ISP modem with its own Wi-Fi left turned on, a second internet line for the streaming rig, or a guest access point wired into the inside network all bypass the firewall.

SPAM
The second most common way for malware to access your systems and data is via email attachments and links. SonicWALL is not our preference for this important role; we prefer the Barracuda SPAM Filter. It is best of breed and a best practices solution.

My firm inexpensively hosts SPAM filtering for many churches and ministries. I don’t mention that to try to sell our service, but to point out that we were surprised to see how many users of Microsoft O365 email use our hosted SPAM filtering solution (yes, we use a Barracuda SPAM Filter, model 600). We moved our email to O365 for six months and were shocked at how much SPAM got through Microsoft’s filter! Now we know why so many O365 users have their email scrubbed by other solutions!

Anti-Malware
Protecting systems and data requires multiple layers. An important one is your anti-malware solution, and simply purchasing and installing it is not enough! These solutions also have subscriptions that keep them updated and able to identify new methods used to cause harm. It is essential that the subscription on your anti-malware not be allowed to lapse, the same as your firewall subscription. I know churches and ministries that have been hit by new ransomware methods because they didn’t keep their subscriptions current.

The anti-malware my firm recommends is Thirtyseven4.com. It is capable, and it is reasonable in cost.

BTW… it should be installed on every Windows and Mac computer, whether notebook, tablet, desktop, or server. Some say it’s not necessary on Macs, but that isn’t true. Even though less malware is written to target Macs, a Mac can still carry infected files onto shared data drives and pass them to the Windows machines that open them.

Passwords
What is your password policy? Here are some quick thoughts on this important topic:

  • Passwords should be strong. Length matters more than mixing character classes: NIST’s current guidance (SP 800-63B) sets 8 characters as the floor, 12 or more is a better target, and a passphrase of several unrelated words is both easier to remember and far harder to guess than 7 mixed characters. Screen new passwords against lists of known-breached passwords, and turn on multi-factor authentication wherever the platform offers it, especially on email.
  • Passwords should not be required to change on a schedule! Our firm has been saying for many years that forcing users to change their passwords actually lowers system security. The reason is that users respond to forced changes with predictable variations of the old password. In 2016 the U.S. Federal Trade Commission’s chief technologist agreed with us, citing two studies, and NIST’s guidance now says the same: change a password when there is reason to think it has been compromised, not on a calendar. You can read the FTC post at https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes.

Backup
Some say protecting the integrity of system data is IT’s most important responsibility. Do you have a comprehensive backup strategy? And do you test it? An untested strategy is dangerous! Here’s what we recommend:

  • Establish a strategy that makes certain all important data is on your server. This is worth doing because 1) it is the organization’s data, and 2) the backup job then only has to cover the server, instead of requiring every notebook and workstation to be on the network when the backup runs.
  • Back up all system data nightly to an appropriate device. LTO tape is the most affordable and durable technology for this, and is preferred by much of corporate America. It has a security benefit too: a tape that has been ejected is offline, so ransomware that has encrypted your file server cannot reach it, which is not true of a backup disk that stays permanently mounted. Our favorite backup solution is Veeam. It’s powerful, easy to use, and they offer churches and ministries very reasonable pricing.
  • Take a copy of your backup tape off-site weekly to protect your organization from a larger disaster, and keep several weeks of history; an infection or a deleted folder is often noticed long after it happened.
  • Create a monthly task in whatever task tracker you use (like Outlook) to test the backup. Restore a random file or folder to an alternate location, compare it with the original, and confirm the restored copy is intact. At least once a year, rehearse restoring a whole server; that is the test that finds the missing license key or the undocumented setting.
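The monthly restore test above can be made repeatable instead of eyeballed. The script below is an added example, not code from the article or from Veeam or any backup vendor: it records a SHA-256 manifest of the live data before the backup runs and then checks a restored copy against it, reporting every file that is missing or whose contents differ. The sample directory tree is constructed inside a temporary folder so the script runs offline; the path names in it are placeholders.

```python
"""Monthly backup test: restore a sample and verify it byte for byte.

Added example, not from the original article or from any backup vendor.
It records a SHA-256 manifest of the live data and checks a restored copy
against it, reporting files that are missing or differ. The sample tree
is constructed in a temporary directory so the script runs offline; for
a real test, build the manifest from the server share before the backup
runs and point verify_restore at the folder you restored from tape.
"""
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path, sample: int = 0, rng=random) -> dict:
    """Check restored files against the manifest; sample=0 checks every file."""
    names = sorted(manifest)
    if sample:
        names = rng.sample(names, min(sample, len(names)))
    result = {"ok": [], "missing": [], "corrupt": []}
    for name in names:
        p = restored / name
        if not p.is_file():
            result["missing"].append(name)
        elif sha256_file(p) != manifest[name]:
            result["corrupt"].append(name)
        else:
            result["ok"].append(name)
    return result


def write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo() -> dict:
    """Constructed data: a source tree and a 'restore' with one truncated and one missing file."""
    files = {
        "giving/2017.csv": b"date,amount\n2017-12-24,50.00\n",
        "members/list.txt": b"Smith\nJones\n",
        "notes/readme.txt": b"ok\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        write_tree(source, files)
        manifest = build_manifest(source)       # taken before the backup runs
        bad = dict(files)
        bad["members/list.txt"] = b"Smith\n"    # truncated on restore
        del bad["notes/readme.txt"]             # never restored
        write_tree(restored, bad)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status}: {names}")
```

Store the manifest somewhere the backup job cannot overwrite (a different host or removable media), or a bad backup will carry a matching bad manifest with it. The `sample` argument exists for large shares where restoring everything monthly is impractical; pass a seeded `random.Random` if you want the same files checked each month.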

These five things will likely take less than an hour to check, and can help ensure that your organization’s systems and data are well-protected for 2018! Happy New Year!

How Do I SPAM Thee…

Written by Nick B. Nicholaou. Posted in Articles, Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

SPAM email can be dangerous and painful to the recipient and to any data they have access to. Whether it’s ransomware, phishing, pushing of malware, or impersonation, a strategy is needed to protect ourselves. I’ll address these different types of SPAM, and how each should be strategically managed.

SPAM Comes in Many Flavors
In addition to what many think is a tasty lunchmeat, SPAM also refers to unsolicited email, and those emails are usually intended to do the recipient harm. Sometimes the pain is small, but often it is big and costly. The most costly to an organization are usually ransomware and business email compromise; the most costly to an individual are usually phishing scams.

Here are some categories of email SPAM and how to respond to them:

  • Business Email Compromise (BEC), a.k.a. Impersonation Emails
    • Form: These SPAM emails used to only target businesses working with foreign suppliers and businesses who use financial wire transfer methodology. But in the last year we have seen many occurrences hit churches and ministries using checks! The form of the attack, as it affects churches and ministries, is usually an email supposedly from a pastor or executive in the organization directing the recipient to immediately transfer funds or cut a check. These attacks are usually well researched (we are welcoming and friendly environments, and we give them all of our staff structure and names on our websites!), and can feel legitimate.
    • What To Do: Never act on such a request on the strength of the email alone. Always require live voice confirmation, in person or by phoning the executive at a number you already have, never one supplied in the email. Make that a standing policy, so that a hurried request for urgency and discretion is itself the warning sign.
  • Ransomware
    • Form: Ransomware is malware installed on your computer, usually introduced through a SPAM email, a compromised website, or a bot (an automated internet program) that scans for Remote Desktop Protocol (RDP) exposed to the internet and tries weak or stolen passwords against it. Once the ransomware runs, your data, and often everything on the network shares the infected machine can reach, is encrypted and held for ransom.
    • What To Do: One of the best defenses against ransomware is to keep multiple days (we prefer a full month) of full data backups so your system can be ‘reset’ if an infection gets through your defenses. At least one copy must be offline or otherwise unreachable from the infected machine; ransomware looks for mounted backup drives and deletes or encrypts them first. In addition to ensuring good backups:
      1. Never click on a link or graphic in an email you weren’t expecting. Even if it came from someone you know, do not click any links. If you think the email and its links may be legitimate and want to click them– before clicking on them– hover your mouse pointer over the link without clicking. Doing so should show the destination of the link. I recently did this on an email I received from Microsoft that looked legitimate, but the link would have taken me to a very different location than what I expected. Best rule: if you’re not sure that it’s okay to click, do not click!
      2. Make certain your computer has a good anti-malware program running on it. That’s true whether you’re using a Windows or a MacOS computer. The solution my firm recommends is www.thirtyseven4.com… doing so will help prevent you from accessing most compromised websites.
  • Phishing
    • Form: Phishing has a few forms, almost all of which arrive as email SPAM. Phishing is an attempt to get the recipient to hand over personal information that can then be used for some form of identity theft or account takeover. Named variants include clone phishing (a previously legitimate email recreated with malware embedded or in its links and re-sent to the original recipients), whaling (phishing aimed at executives and other high-profile targets), and spear phishing (attacks on specific individuals that may include details about them gathered from websites, social media, and other sources).
    • What To Do: Never respond to a request for personally identifying information in an email without first confirming the source. I even take this a step further if I get a phone call from my bank about possible fraudulent activity in my credit card account! In the call they ask for my password to prove I am who they intended to reach. I decline their request and tell the caller they need to tell me my password to prove they are who they say they are since they initiated the call! They’re not allowed to tell me, of course, so that’s when I disconnect and call the number on my credit card– that way I know I’m talking to my bank.
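The "hover before you click" check in the ransomware section, and the lookalike links that phishing depends on, can be automated for a whole mailbox or a spam-filter quarantine. The script below is an added example, not code from the article or from Barracuda or any filter vendor: it pulls every link out of an HTML email body, compares the host in the `href` with any host named in the visible link text, and flags mismatches and links that lead to a bare IP address. The sample message is constructed for illustration and its suspicious domains are placeholders; the `registrable` helper is a rough approximation that ignores the public suffix list.

```python
"""Automate the 'hover before you click' check over an HTML email body.

Added example, not from the original article. It pulls every link out of
the message, compares the host in the href with any host named in the
visible link text, and flags mismatches and links that go to a bare IP
address. The sample message is constructed for illustration and its
suspicious domains are placeholders; the registrable-domain helper is a
rough approximation that ignores the public suffix list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """'login.example.com' -> 'example.com' (crude: last two labels)."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html: str) -> list:
    """Return a finding per suspicious http(s) link, with the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue                                  # mailto: etc. are out of scope here
        host = parts.hostname or ""
        reasons = []
        if IP_RE.match(host):
            reasons.append("href host is a bare IP address")
        named = HOST_RE.search(text)
        if named and registrable(named.group(1)) != registrable(host):
            reasons.append(f"text names {named.group(1)} but href goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: the kind of 'account suspended' notice the article describes.
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours.
<a href="http://198.51.100.7/login">Sign in to Microsoft</a> to keep it active.</p>
<p>Or copy this address: <a href="https://microsoft-support.example.net/verify">
https://account.microsoft.com/verify</a></p>
<p>Questions? Read our <a href="https://www.microsoft.com/privacy">privacy statement</a>
or write to <a href="mailto:help@example.org">help@example.org</a>.</p>
"""


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print(f["href"], "<-", repr(f["text"]))
        for r in f["reasons"]:
            print("   ", r)
```

On a real message, feed `check_links` the `text/html` part obtained with the standard `email` module. The script does not follow redirects or expand URL shorteners, so a `bit.ly` href that passes this check still deserves the manual hover the article recommends; and a link whose text is just "click here" carries no host to compare, which is exactly why such links should be treated with suspicion.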

These are a few SPAM categories. It is imperative that every organization use a high-quality SPAM filter on its email server to eliminate most of the SPAM from being delivered to email account holders. There are a lot of SPAM filter solutions available; our favorite is from Barracuda. They are the gold standard and best-of-breed in that industry.

Just an fyi… we host SPAM filtering for churches and ministries nationwide using a Barracuda SPAM Filter 600. We process more than 90,000 emails daily, and it blocks about 80%. That means about 80% of the email pointed toward your email inbox is unwanted! And some of it is dangerous!

Using a solid SPAM filter won’t stop all SPAM from getting to users’ email inboxes, but doing so will stop almost all of it. That reduces the likelihood that someone will click on something they shouldn’t. But the best protection will only come from repeated training to all team members. I recommend reminding the team of the danger on a monthly basis during all-staff meetings. And if you know a story in which an organization was hurt as a result of SPAM, tell the story! Doing so will help those who don’t take threats and threat-mitigation seriously to re-consider.