Wednesday, April 6, 2016

The Soft Underbelly of the Church

My latest article is now live at

If I was to someday turn to the dark side, and for the sake of argument let’s say I haven’t yet, I’m convinced that I could retire hacking churches.  Churches are treasure troves of data that has a relatively high black market resale value.  Churches also aren’t as obsessed with security as the corporate world is.  Of course, if you are a hacker, my intent here is not to encourage you to go after churches but rather to encourage churches to be vigilant when it comes to their cyber security.

Everyone is getting hacked.  It doesn’t take much to see that your data isn’t really safe anywhere.  But that doesn’t mean we go hide under a rock.  It seems that hacking is in the news daily.  Remember Target, The Home Depot and a small outfit you may have heard of called the United States government? 

When a corporation is hacked their profits and shareholders may suffer but what happens when a church is hacked?  Our message is much more important than selling goods and our reputations and balance sheets often aren’t strong enough to weather a hacking storm.

While cyber-attacks are a threat we have to manage it is no different than the threat of someone slipping on the ice in your parking lot and suing you.  At some point if you are doing ministry effectively you will be sued.  You will be hacked. 

Churches are sitting ducks.  So then why aren’t churches targeted more?  Mostly because the hackers don’t think we are big enough to warrant any attention.  I think that is their mistake, mega churches are plenty big and contain just as much key black market data as the big box stores.  Hackers are after demographic info like name, address, phone number because they can sell those records to bad actors conducting phishing schemes and other online criminals.

The value of that information goes up tenfold if you have a social security number tied to that record and even more if you can connect a credit card to it.  The bad guys don’t realize how churches work and that we are sitting on tons of that very information.  Nor do they realize that we don’t protect it very well. 

Their ignorance -- for now may be our bliss but at some point they are going to figure it out or someone from inside church ministry is going to go rogue and open their eyes.

Churches are sitting ducks by the very nature of our business.  Our business it to be open and welcoming.  We don’t want to shut anyone out and we preach a message of salvation and forgiveness.  Our goal is to draw people in not push them away.  Our business is based on people voluntarily giving us their money.  What is the great commission?  That makes us a target, or at least it should.

We also lack the deep pockets of corporate America.  How much did the Target hack cost them?  They have deep pockets so a $160+ million hit due to hackers can be weathered.  They also have the additional millions to pour into fixing the problem, hiring security specialists, etc.  We don’t.

Churches are sitting ducks by the very nature of our people.  We have all levels of economic status in our churches and we strive to reach out to those who have nothing.  We teach our people to be kind and loving and forgiving and to be trusting.  We teach them to evangelize and influence others with our message and not to let pride or shyness get in the way.  Our people are our biggest asset, and also our biggest liability. 

We also use volunteers.  Go into your local bank, set up an account to become a member, and then volunteer to help them and see if they give you access to their database.  Churches do this all the time – and we should as our survival depends on it.

In my opinion our data is pure gold.  As I mentioned, I think we are getting by for now because the hackers don’t know much about what we store. 

Churches are sitting ducks by the very nature of our beliefs.  What does Jesus teach?  Lock it all down and throw away the key? 

While we are taught to love people and minister to them we are also taught about stewardship.  Stewardship is what really kicks in here in terms of data management and security.  Remember the parable of the talents in Matthew 25:14-30?  Think of the talents as our data. 

We need to provide access to the data so we can accomplish our mission but we also have to be a good steward of the data so it isn’t stolen.  We tend to do the former and not the latter as it is difficult for church leaders to take a step back and evaluate data access policies.

Stewardship is difficult – which is why we struggle with it.  Pastors aren’t taught about cyber security in seminary.  They want to use technology to connect with people and they don’t want to hear about any security hurdles.  How did the malware get into Target’s system?  Through an unpatched server.  Pastors and church administrators don’t like to hear technology and data management requires an investment in security but if you believe in accountability before the Creator then you may want to think twice about that.

I admit this is a difficult balance to strike but we have to do better because we are sitting ducks.

Next month’s article, entitled Protecting the Soft Underbelly of the Church will address ways we can help protect our data while still maintaining maximum efficiency and Kingdom impact.