Thursday, August 11, 2016

Should Churches and Ministries Embrace the Cloud?

To embrace the cloud, or not to embrace the cloud, that is the question. Pardon the Shakespearean paraphrase, but there are a lot of questions swirling around churches and ministries as they consider using cloud services for everything from email and file services to Active Directory. There is also a disconnect between what the IT team says is best for the ministry and what church leadership thinks in terms of utilizing cloud-based services.

Cloud-based services offer many benefits over hosting your own services, but you’ll want to make sure you are using a reputable vender. It is important to look at the SLA, or Service Level Agreement, to ensure that your provider will keep their services running so your ministry effectiveness isn’t impacted. When you host your own email and/or file servers you have much more control over downtime because you probably have physical access to the server and the people running those servers. When you host in the cloud you may not have direct access to the servers so you are dependent on your provider to resolve any issues that create downtime.

Using a reputable host like Microsoft or Google will ensure reliability, but there are other companies that provide cloud based services for just about everything, and you want to make sure a provider’s reliability won’t negatively impact your ministry.

One of the biggest benefits of using cloud-based services is that they take a huge support load off the IT team. No longer are they responsible for maintaining and patching servers. If the servers are on your site then you may also have cooling, power or data issues to consider as well. What happens when the cooling units fail? Do you have sufficient battery backup or a generator for power outages? What happens when your Internet connectivity goes down? Moving to the cloud avoids all these issues as cloud-based services are hosted in large, commercial data centers where power, air conditioning, and data reliability are taken care of for you.

Cloud services can also play a huge role in your disaster recovery and backup strategies. Remember that disaster recovery and backups are not the same thing. Backups are for recovering data, while disaster recovery refers to how much time is necessary to get your services (like email, files, ChMS, etc.) back into operation after a disaster. By placing these services in the cloud you can enhance these strategies. If a natural disaster wipes out your on-site datacenter what would you do? In the church world think of what happens if a significant tornado or hurricane or earthquake (hopefully not all three at once!) hits your area on a Saturday night. Do you have a way to notify your congregation about your plans for Sunday morning? How fast can you get your email and ChMS back up and running?

By placing services like your email and ChMS in the cloud, the responsibility of keeping things running falls to your provider. A cloud-based provider will more than likely have your data spread out across servers and datacenters in multiple geographic locations. The same is true for your backups: they are no longer located on your site and you no longer have to relocate backup tapes to ensure your backups are spread out geographically. Most cloud vendors can also provide more backup space then many churches or ministries would be able to afford on their own. This means when the natural disaster hits your area, your services continue to operate. How many churches or ministries are able to provide geographic and hardware redundancy on their own? And if they are able, is it good stewardship of those funds?

By now you may be thinking to yourself that the cloud sounds too good to be true. “You mean I can place my data, my email, my files, my ChMS, my whatever in the cloud and not have to worry about natural disasters, power outages, cooling equipment failures and maintenance, internet outages, security patches, backups and disaster recovery all while saving the IT team a lot of time, effort, and money? Sign me up!” Hold on, not so fast.

Whether to move your ministry to the cloud may not be so obvious. While there are obvious benefits, there are also a few challenges. Many in the IT profession believe it is their job to protect the data and ensure it is kept safe. This is why I do not believe this is an IT decision, but rather a church leadership decision. The IT team should make recommendations based on their knowledge and experience, but the data belongs to the church, and the church leadership should decide how to keep that data safe, including how and where it is stored. For some that may mean moving to the cloud, for others, they may feel more comfortable keeping their data on-site and managing it locally.

There is also the challenge of the IT team. IT folks don’t like to give up control, and moving data and services to the cloud means they will be giving up some control. I strongly believe the benefits to embracing the cloud far outweigh any negatives, including any control IT might lose. For some IT professionals, especially those who have come out of the corporate world, this can be particularly difficult, but it’s one of the many ways ministry IT varies from corporate IT.

As an IT staff member in a ministry I view my primary objective to be constantly working myself out of a job. My goal is to equip and empower those I support for greater ministry effectiveness. I have no desire to attempt self-preservation by keeping data or services tightly locked up in my control to ensure the long-term security of my job. That level of selfishness only benefits the IT person, not the ministry. Most ministries run lean, so there is always plenty for the IT team to do. The more I empower others and work myself out of some jobs, the more I can focus my time on other areas that may require a specific technology skillset.

Every ministry has to decide where to spend their money. I would much rather use technology— including embracing the cloud—to save money so they can hire additional ministry staff as opposed to hiring additional technology staff to manage technology that could be moved to the cloud. Again, these are leadership decisions, but this is often where the IT team and church leadership may not see eye-to-eye.

So, should your church or ministry embrace the cloud? I think so—provided the IT team and church leadership have worked together to understand the issues and implement the cloud in a way that empowers the ministry for greater effectiveness.

Wednesday, July 6, 2016

How Tech & Accounting Can Live Happily Ever After

Preparing an Information Technology (I.T.) budget can often be a dreaded task. Tech people seem to always want to spend more money and accounting people want to make sure funds are spent wisely. Both parties are striving to be good stewards of God’s resources, but there’s a critical disconnect between the dollar signs associated with a request and an understanding why the technology is needed.

When the accounting department sees a request or PO for toilet paper they don’t often ask many questions. Everyone knows what toilet paper is for and why it is needed. However, when Accounting sees a PO for a virtual server host they tend to ask a lot of questions. (Granted, one virtual server host costs as much as a year’s worth of toilet paper for most ministries.) This challenge is further compounded when normal ministry politics are involved.

Budgeting for IT, Audio Visual, or any other aspect of technology in ministry doesn’t have to be a bottleneck. Both technology and accounting folks need to work at making sure technology purchases like virtual server hosts are as easy to accomplish as purchasing toilet paper. But it takes teamwork. Technology is complicated. So is accounting.

Accountants learn as much about technology in school as tech folks learn about accounting. Tech folks often think accounting is just math and the accounting folks might think that technology is just browsing the Internet. It’s vital that the communication lines remain open. Technology folks should have nothing to hide. Here are a few guidelines to smooth the process of IT budgeting:

Spell It Out: 
While it’s easy for us to spout acronyms, we shouldn’t. Our requests for funding or explanations of how we are going to accomplish a project should be easy to understand. It is far better to invest the time to communicate than to attempt to snow someone in an effort to save time. Investing the time in communicating builds trust.

Trust One Another: 
Trust is vital to all aspects of ministry. Without trust, giving decreases; without giving there won’t be any money to buy toilet paper or virtual hosts. Trust is sometimes compromised unintentionally as good people try to work towards a common goal. To maintain trust you must not try to hide anything. No question should be ignored and no request for additional data should be put off—whether reasonable or not. Building trust leads to cooperation.

Play Nice Together: 
Cooperation is the sweet spot when the accounting team and the technology team are working together at maximum efficiency. As projects and requests come up both teams are able to quickly process information and produce results without unnecessary drama and without any additional drain on resources. And maybe, just maybe, through this cooperation the tech folks will learn a little about accounting and the accounting folks will learn what a virtual server host is (and why it’s needed). Accounting is able to be accountable while Tech is able to be productive.

Productivity is the ultimate goal—being productive to maximize effectiveness for the Kingdom. The technology team is a trusted resource that communicates effectively and the accounting team is valued for ensuring proper tracking of all funds and stewardship.

These foundations are critical to managing technology projects and budgeting. Technology expenditures should be planned, and not surprises. Equipment wears out: planning hardware replacement cycles is the duty of every technology manager. When you buy a server you know it won’t last forever, just like toilet paper. These plans can be done numerous ways and it’s important for the technology team to work with the accounting team and church leadership to determine the best way to save for and handle these ongoing expenses.

Special Needs: 
There is also the matter of special projects and new construction. It is easy to let the tech costs reach towards the heavens on new construction, but tech budget requests should be prepared and presented knowing that if there isn’t enough money to build the building then there won’t be any need for the technology. Trust can be built when the tech folks show they understand the fiscal realities of a project and don’t attempt to sneak in things just because it is a new building and a much larger overall budget.

The technology staff should also be looking ahead. At any moment the tech team should be able to enumerate their top three projects, whether those projects are for software, infrastructure, hardware, or employees doesn’t matter. They should also communicate as items age and need to be replaced. Not that every request will get approved, but at least if something important does fail you have communicated in advance—and not in crisis mode.

This is also why a member of the tech team should have a seat at the leadership table. Not because technology is the driving force but so that when ideas and projects and budgets are discussed the tech team is available to provide input and answer questions. Technology should be positioned as a valued resource that improves effectiveness, not a necessary evil. Too many times the people behind the technology cause the technology to be improperly positioned.

There is a great deal of comfort and security that comes when the technology and accounting teams work together as part of the King’s community. Surprises are limited. There is security in knowing what you can and can’t afford. Ministry impact increases. Besides, who wants to be part of a community without toilet paper?

Thursday, June 23, 2016

Keeping Your Family Safe this Summer

Who doesn’t love summer time?  The sunshine and warmer temperatures, the family vacations, the lack of school homework, and of course, an evening on the porch sipping a refreshing iced beverage.  You’d think we would find ourselves outdoors more enjoying creation.  Often times though the opposite is true and we end up spending more time looking at our screens during the summer than we do the rest of the year.

Summer time can also be a cruel welcome to reality.  As kids we look forward to summer time because school is out and we get to play.  As adults we realize that summer time is no different from any other time of the year – we still have to work and life goes on as normal.  That makes it easy to use screens to keep our kids entertained during those long summer days.

Fortunately, the good folks at Microsoft have built some pretty cool tools into the Windows operating system to make it easy for families to manage their screen time.  While other software vendors also have family safety built into their products, Microsoft does it in a unique way that allows for native, remote control over your family’s computers without having to install or manage any additional software.

Windows Family Safety is a fantastic tool built right into all versions of Windows.  Windows 10 has the most features available but Family Safety is still available all the way back to Windows 7.  Using Windows Family Safety, you can set filters and block lists, control access time windows and set curfews, track device location, and even get a detailed report emailed to you about all activity taking place with the computer.

Not only is Windows Family Safety a powerful tool, it is also easy to use and Microsoft has done a great job providing helpful documentation.  All it takes is a few clicks and you will soon be monitoring all of the Windows devices in your family.

One feature that sets Windows Family Safety apart from other filtering or block services that are built into some operating systems is that you can remote control the settings.  Once setup on the computer, the parent can change settings remotely without having to touch the kid’s device.  This allows mom and dad to control the device from anywhere.  It also allows the child to request additional privileges and mom and dad to approve the request via email.

The content rating and restriction tools are most effective.  If you already have content filtering setup on your home network, Windows Family Safety works right along with it.  Then when the child takes their device to a friend’s house or other location where the internet might not be filtered Windows Family Safety keeps doing its thing so you know wherever the device is the content is filtered and your time limits and curfews will still be enforced.

You can also set it up to send you a weekly activity report of each child’s activity.  The report shows you which devices the child used, what they searched for on the internet, how long they used each app, the total amount of time they spent on the device, and any content that they attempted to access and was blocked.  This is a tremendous accountability tool – especially when you see what they are searching for online.

If the device is lost or stolen, you can also use Windows Family Safety to track the last known location of the device and disable it to protect your child’s personal information.

The goal here is not to be oppressive but to use this tool to help teach them to live a godly life, both online and offline.  As the child grows and matures you can use Windows Family Safety to provide additional online privileges – Windows Family Safety works from the youngest of kids to the oldest of adults.  It can even be used for adult accountability.

All you need to get started is a Microsoft account, which you probably already have if you are a Windows user.  Teaching responsibility with technology and providing accountability is made easier with Windows Family Safety.  Visit https://account.microsoft.com/family/about to learn more and get started and see if Windows Family Safety can help your family.

Thursday, May 12, 2016

Protecting the Soft Underbelly of the Church

My latest article, Protecting the Soft Underbelly of the Church is now live at ministrytech.com.

Last month we talked about the cyber challenges churches face.  This month we will look at some simple ways the church can protect itself from those bad actors using wise policies and procedures.  This assumes you have a firewall and a proper network design.  How do we provide maximum Kingdom impact while also being good stewards of the data God has entrusted to us?

First, let’s look at your Church Management System or ChMS.  Do you rely solely on the ChMS vendor to keep your data secure?  Do you test the security of your ChMS or do you just take the vendors word for it?

Do you have security audits with your financial audits?  I assume you have financial audits.  Even then the security questions in a financial audit can be useless.  A church IT friend of mine answered the security audit question, “How do you keep your data secure?” with, “12 flying monkeys.”  He never heard back from the auditor regarding that answer.  He should have.  Use a security company for a dedicated security audit or ask your ChMS vendor for a copy of the security audit they have done on their product.

Remember the Anthem hack of early 2015?  The hackers were after data that is similar in nature to the data we store in our ChMS software: names, addresses, phone numbers, and SSNs.

Second, what is your password policy like?  Is it written down?  How do you enforce it?  Does it make sense?  Research has shown that longer, more complicated passphrases are more secure than shorter, complicated passwords that users have to change frequently.  Forcing users to change their passwords, whether to their computer, ChMS, or any other system on a regular basis leads to the passwords being written down on the bottom side of the keyboard – where some of those bad actors know to look.

I suggest using long passphrases.  15 characters or more, with a capital, lowercase, number, and special character all required.  Using a phrase from your favorite song or Bible verse works.  “InthebeginningGod1!” as an example – but don’t use anything obvious or inscribed on a plaque hanging on your wall.  A passphrase like this will never need to be changed unless it is compromised.

Your password policy should also include the ability to enforce preventing users from sharing their passwords, even with volunteers.  It is far better to invest the time and issue a volunteer a login then to share staff access.  The same is true for your ChMS.  Does your password policy also apply to other sites and services that require your users to login?

If you find that a user has shared or compromised their password I suggest setting it to something like, “Isharedmypasswordsonowittakesme5minutestoentermypassword?!” and forcing them to use that for a week.

Third, do you have any data access policies?  Who gets access to your data?  What level of access?  Does everyone see everything or do users only see what they need to see?  What criteria do you use to determine who sees what?  Do you allow people to snoop around your database?  Who can view giving data?  How do you determine who sees what?

Volunteers are great and we use them all the time but do they need ChMS access at home?  While doing visitor data entry should they see SSNs and giving information?  It may take a little more work to set users up so they only see what is necessary but it is better – especially when you consider the amount of turnover volunteers have.

Fourth, physical access should also be addressed, that’s physical access to the hardware storing the data.  How do you protect your server room or is it just a closet everyone can get into?  I’m convinced I could walk into most churches, steal a server, and walk it out to my car and drive off with it if I just pretend that I own it.

Finally, our people or personnel policies also have to be reviewed.  Having the right people in the right positions is often times half the battle.  What happens when folks are dismissed or fired and access must be removed?  While we would like to say that doesn’t happen in the church world we all know it happens far too frequently.  Are you hiring people you can trust with your data?

People are the biggest security risk any organization has.  They fall prey to phishing scams and because they want to help they click on things they shouldn’t trying to help people they shouldn’t trust.  This leads to data loss.  Do you provide training for your users to teach them how to avoid such threats?

It is vital that security and cyber threat protection decisions not be made by tech people – they are leadership decisions and hopefully the tech folks have a representative at the leadership table.  I’ve written about this before and the importance of IT being in submission to the church leadership.  Contrary to popular belief tech people aren’t wired to say no.  But we are trained to keep things safe.  Leadership needs to get input and make wise, informed decisions about how to keep data safe, how much money to invest, and policies and procedures.

Again, the nature of our business makes this a challenge.  We use volunteers.  But decisions made in the light of day with the involvement of the necessary parties is a huge step towards avoiding disaster.

Wednesday, April 6, 2016

The Soft Underbelly of the Church

My latest article, The Soft Underbelly of the Church is now live at ministrytech.com.

If I was to someday turn to the dark side, and for the sake of argument let’s say I haven’t yet, I’m convinced that I could retire hacking churches.  Churches are treasure troves of data that has a relatively high black market resale value.  Churches also aren’t as obsessed with security as the corporate world is.  Of course, if you are a hacker, my intent here is not to encourage you to go after churches but rather to encourage churches to be vigilant when it comes to their cyber security.

Everyone is getting hacked.  It doesn’t take much to see that your data isn’t really safe anywhere.  But that doesn’t mean we go hide under a rock.  It seems that hacking is in the news daily.  Remember Target, The Home Depot and a small outfit you may have heard of called the United States government? 

When a corporation is hacked their profits and shareholders may suffer but what happens when a church is hacked?  Our message is much more important than selling goods and our reputations and balance sheets often aren’t strong enough to weather a hacking storm.

While cyber-attacks are a threat we have to manage it is no different than the threat of someone slipping on the ice in your parking lot and suing you.  At some point if you are doing ministry effectively you will be sued.  You will be hacked. 

Churches are sitting ducks.  So then why aren’t churches targeted more?  Mostly because the hackers don’t think we are big enough to warrant any attention.  I think that is their mistake, mega churches are plenty big and contain just as much key black market data as the big box stores.  Hackers are after demographic info like name, address, phone number because they can sell those records to bad actors conducting phishing schemes and other online criminals.

The value of that information goes up tenfold if you have a social security number tied to that record and even more if you can connect a credit card to it.  The bad guys don’t realize how churches work and that we are sitting on tons of that very information.  Nor do they realize that we don’t protect it very well. 

Their ignorance -- for now may be our bliss but at some point they are going to figure it out or someone from inside church ministry is going to go rogue and open their eyes.

Churches are sitting ducks by the very nature of our business.  Our business it to be open and welcoming.  We don’t want to shut anyone out and we preach a message of salvation and forgiveness.  Our goal is to draw people in not push them away.  Our business is based on people voluntarily giving us their money.  What is the great commission?  That makes us a target, or at least it should.

We also lack the deep pockets of corporate America.  How much did the Target hack cost them?  They have deep pockets so a $160+ million hit due to hackers can be weathered.  They also have the additional millions to pour into fixing the problem, hiring security specialists, etc.  We don’t.

Churches are sitting ducks by the very nature of our people.  We have all levels of economic status in our churches and we strive to reach out to those who have nothing.  We teach our people to be kind and loving and forgiving and to be trusting.  We teach them to evangelize and influence others with our message and not to let pride or shyness get in the way.  Our people are our biggest asset, and also our biggest liability. 

We also use volunteers.  Go into your local bank, set up an account to become a member, and then volunteer to help them and see if they give you access to their database.  Churches do this all the time – and we should as our survival depends on it.

In my opinion our data is pure gold.  As I mentioned, I think we are getting by for now because the hackers don’t know much about what we store. 

Churches are sitting ducks by the very nature of our beliefs.  What does Jesus teach?  Lock it all down and throw away the key? 

While we are taught to love people and minister to them we are also taught about stewardship.  Stewardship is what really kicks in here in terms of data management and security.  Remember the parable of the talents in Matthew 25:14-30?  Think of the talents as our data. 

We need to provide access to the data so we can accomplish our mission but we also have to be a good steward of the data so it isn’t stolen.  We tend to do the former and not the latter as it is difficult for church leaders to take a step back and evaluate data access policies.

Stewardship is difficult – which is why we struggle with it.  Pastors aren’t taught about cyber security in seminary.  They want to use technology to connect with people and they don’t want to hear about any security hurdles.  How did the malware get into Target’s system?  Through an unpatched server.  Pastors and church administrators don’t like to hear technology and data management requires an investment in security but if you believe in accountability before the Creator then you may want to think twice about that.

I admit this is a difficult balance to strike but we have to do better because we are sitting ducks.

Next month’s article, entitled Protecting the Soft Underbelly of the Church will address ways we can help protect our data while still maintaining maximum efficiency and Kingdom impact.