For over 30 years I’ve instructed computer system users on appropriate actions to take to safeguard their information. I’m going to distill all that down into the most helpful and relevant information I believe will best protect you, your church/parish staff and volunteers, and the information you store and use in your systems.
In this and my next three blog articles, we’ll cover the following topics:
- Information security for church staff and volunteers.
- Information security for congregation/parishioners.
- Security for your computers and systems.
- Security for your mobile devices.
At its core, security is not a product, but a process. Those are the words of recognized security expert Bruce Schneier. This process depends on people doing their utmost to protect their information. However, we are up against determined adversaries who utilize weaknesses in both people and technology to subvert, steal, and deny access to information.
So, what can you do?
Keep an updated information security policy:
This is likely the largest oversight in small and medium-sized churches/parishes. Even larger organizations that create a policy find it collecting dust on a shelf. Your information security policy needs regular review to keep it relevant (does yours still reference Windows® XP or AOL?). Ensure an annual training — not just a re-reading — of the policy occurs for all staff and volunteers. Reinforce this training with periodic reminders to maintain information security. A good policy will list all the following topics and more. In addition, an online search for “church information security policy” will result in many good resources to help you craft an effective policy.
Use role-based access:
ACS Technologies applications support only giving specific permissions needed to staff based on their role in the church/parish. Program administrators should carefully consider who receives additional access and what type of access they’re given. Not everyone needs access to the giving records!
Change passwords regularly:
Remember, passwords are like toothbrushes: Use a good one, don’t share it, and change it often! Because of this, password managers are indispensable. Many top-shelf products offer free or feature-limited versions that will ease the password burden on your staff while helping them maintain hard-to-guess passwords. And encourage staff to use different passwords for different accounts. See our blog article about password management for details.
Don’t take the bait:
The best password in the world won’t protect you if you’re tricked into giving it out. Email phishing is the third most common cybercrime incident and the third most common cause of data breaches according to the 2018 Verizon Data Breach Investigation report. Train your staff to recognize phishing email by requiring them to use a phishing simulator at least annually. Some of these tools also allow you to test your staff to see how susceptible you are.
Gift card scams are growing in popularity. Unfortunately, there has been an uptick in these kinds of scams targeting places of worship. Also called “Confidence scams,” they come in many forms and are becoming more prevalent. Your church collects a lot of information that is valuable to a scammer. There are several different gift card scams out there. Please read the Federal Trade Commission’s article “Worshipers targeted by gift card scams” for more information and details on how to report a scam if it happens to you.
Train your clergy and volunteers:
As I mentioned before, training is essential to reduce the likelihood that your church/parish will become a victim of cyber crime. A mix of annual training combined with monthly reminders and periodic security exercises ensures good coverage without burning out your staff. For example,
- Annual training should consist of reading and discussing the information security policy.
- Monthly reminders can follow the SANS Institute’s “Ouch” series. These are well-written and practical guides to better information security.
- Periodic training can include phishing exercises, USB drops, and scam recognition questionnaires.
- Regularly remind senior clergy and church/parish/diocese IT administrators that they may be singled out for what is called “spear phishing.” These are targeted phishing emails with an implied sense of urgency sent directly to them eliciting some kind of response: click a link, open an attachment, etc.
- How to Prepare Your Church for Cybersecurity Threats
- Churches and Cybersecurity Risks (membership required)
- Computer Security for Your Church (free ebook resource)