Protect Your Congregation’s
Important Data

Answer these 8 questions to discover if your organization has identified the right priorities and strategies to keep your critical data systems protected and resilient.

1. Has your organization developed a strategic roadmap to manage cybersecurity risk to systems, people, assets, data, and capabilities?

   We don't have a formal date security plan per se, but we are a praying congregation.
   We have a couple of volunteers that help us with technology, and they seem very knowledgeable. But we don't have a security roadmap or plan.
   We have a data security leader/team responsible for creating and reviewing our data security policies and procedures. Our team is engaged with technology experts to develop a comprehensive cybersecurity roadmap to guide our planning.

2. Is access to your critical systems protected from unauthorized access?

   We encourage employees to write down their passwords and keep them in a safe place, so they don't forget them.
   We trust our staff to use good judgment over their passwords.
   Our password policy requires users to use strong passwords and change their passwords every 90 days. Where possible, we have implemented multi-factor authentication (MFA). We encourage users to use an approved password manager tool to keep track of their passwords.

3. Are the software and operating system updates/patches installed in a timely manner?

   If something stops working, we will try to download an update. We trust our users to make sound judgments about their personal devices. Unsure how often our servers are updated.
   We have a couple of tech-savvy youths. When our system slows down, we ask one of them to lend a hand. They are very smart about computer things.
   Our data security policy includes a schedule for patching and updating antivirus systems and firewalls. Roles and responsibilities are defined for loading system and application updates. Major upgrades are usually done in collaboration with our outside tech partners.

4. Are employees trained to be aware of suspicious emails that could be malware or phishing attacks and the steps to take when encountering one?

   Our employees are trained during the first week they are hired.
   BWe offer optional training classes every once in a while. We trust our employees to make good decisions about using technology to do their job.
   All users are expected to know and adhere to data security policies as part of their employment agreement. Regular training classes support our ministry-wide culture of cyber awareness. All users are trained to be able to spot suspicious emails and how respond when they discover a cyber threat.

5. Is your data backed up?

   We were given a backup of everything when the new systems were put in. We keep it hidden in a safe place, just in case.
   Our bookkeeper backs up her data and occasionally hides a copy somewhere safe.
   Our security policies require that we maintain a frequent automated backup schedule. We chose a cloud-based backup solution that is automated. Frequently, we store a tested backup copy securely offline/offsite. Users are encouraged to keep device data backed up with their encrypted cloud account.

6. Are your systems continuously monitored for unauthorized activity, and does your staff know how to respond if an attack is detected?

   Sometimes, our systems may run slow, but it seems to get better after a while. If not, we reset our modem, but we are largely unaware of what is happening in our network. Occasionally if the network gets slow, we ask some of our volunteers to help us get things going again.
   Our security team monitors our systems and is trained to identify cybersecurity activity. Our team initiates our security response plan if an unauthorized breach is detected.
   We partner with our managed service provider to monitor our systems and data environment continuously. Our staff is trained to implement our cybersecurity detection procedures with the assistance of our tech partners. If an unauthorized breach is detected, our security response plan is initiated.

7. Does your organization have a response plan in place in the event of a cybersecurity attack, and do your employees know what steps to take?

   We have yet to consider how we would respond to a cybersecurity attack.
   We would probably contact our local authorities to report the cybersecurity event.
   Our security response plan includes immediate mitigation procedures, containing the attack's spread and determining the impact. The response communication plan includes coordination with technical partners, law enforcement, legal counsel, and incident response resources. Our security team and outside technical resources have reviewed and updated the security response plans.

8. In the event of a cyber-security event, does your organization have the plan to restore services that were impacted?

   We should be able to restore a backup if it hasn't been corrupted.
   We will have to make a few phone calls to figure out how to reinstall our system.
   In collaboration with our data security team and technology partners, we have defined the steps we will take to restore normal operations and reduce the impact of a cybersecurity incident. The recovery plan includes a full listing of critical systems and data to be prioritized during the recovery process. Managing the impact on the organization's reputation is a focus of our recovery communication plan.

* Some of the answers above exaggerate the state of some organizations' cybersecurity plans (or lack of), but the point becomes clear that this is one area where you can’t afford to hope nothing will happen.