Thursday, May 12, 2016

Protecting the Soft Underbelly of the Church

My latest article is now live at ministrytech.com.

Last month we talked about the cyber challenges churches face.  This month we will look at some simple ways the church can protect itself from those bad actors using wise policies and procedures.  This assumes you have a firewall and a proper network design.  How do we provide maximum Kingdom impact while also being good stewards of the data God has entrusted to us?

First, let’s look at your Church Management System or ChMS.  Do you rely solely on the ChMS vendor to keep your data secure?  Do you test the security of your ChMS, or do you just take the vendor’s word for it?

Do you have security audits with your financial audits?  I assume you have financial audits.  Even then the security questions in a financial audit can be useless.  A church IT friend of mine answered the security audit question, “How do you keep your data secure?” with, “12 flying monkeys.”  He never heard back from the auditor regarding that answer.  He should have.  Use a security company for a dedicated security audit or ask your ChMS vendor for a copy of the security audit they have done on their product.

Remember the Anthem hack of early 2015?  The hackers were after data that is similar in nature to the data we store in our ChMS software: names, addresses, phone numbers, and SSNs.

Second, what is your password policy like?  Is it written down?  How do you enforce it?  Does it make sense?  Research has shown that longer, more complicated passphrases are more secure than shorter, complicated passwords that users have to change frequently.  Forcing users to change their passwords on a regular basis, whether for their computer, ChMS, or any other system, leads to passwords being written down on the underside of the keyboard – where some of those bad actors know to look.

I suggest using long passphrases: 15 characters or more, with a capital letter, a lowercase letter, a number, and a special character all required.  Using a phrase from your favorite song or Bible verse works.  “InthebeginningGod1!” is an example – but don’t use anything obvious or inscribed on a plaque hanging on your wall.  A passphrase like this will never need to be changed unless it is compromised.

Your password policy should also prohibit users from sharing their passwords, even with volunteers, and give you a way to enforce that.  It is far better to invest the time and issue a volunteer a login than to share staff access.  The same is true for your ChMS.  Does your password policy also apply to other sites and services that require your users to log in?

If you find that a user has shared or compromised their password I suggest setting it to something like, “Isharedmypasswordsonowittakesme5minutestoentermypassword?!” and forcing them to use that for a week.

Third, do you have any data access policies?  Who gets access to your data?  What level of access?  Does everyone see everything or do users only see what they need to see?  What criteria do you use to determine who sees what?  Do you allow people to snoop around your database?  Who can view giving data?  How do you determine who sees what?

Volunteers are great and we use them all the time but do they need ChMS access at home?  While doing visitor data entry should they see SSNs and giving information?  It may take a little more work to set users up so they only see what is necessary but it is better – especially when you consider the amount of turnover volunteers have.

Fourth, physical access should also be addressed: physical access to the hardware storing the data.  How do you protect your server room, or is it just a closet everyone can get into?  I’m convinced I could walk into most churches, steal a server, walk it out to my car, and drive off with it if I just pretend that I own it.

Finally, our people or personnel policies also have to be reviewed.  Having the right people in the right positions is often half the battle.  What happens when folks are dismissed or fired and access must be removed?  While we would like to say that doesn’t happen in the church world, we all know it happens far too frequently.  Are you hiring people you can trust with your data?
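The need-to-know data access described above (volunteers doing visitor data entry should not see SSNs or giving) and the point about removing access when someone leaves, as an added example that is not from the article or from any ChMS product: a small deny-by-default, field-level access policy in Python. The role names, field names, user names and the sample record are constructed for this example.

```python
from datetime import date

# Constructed sample record with the kinds of fields a ChMS stores.
SAMPLE_MEMBER = {
    "name": "Jane Example",
    "address": "1 Example Street",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "giving_ytd": 1234.56,
}

# Deny by default: a role sees only the fields listed for it.
# Role names are assumptions for this example, not any ChMS product's roles.
ROLE_FIELDS = {
    "visitor_data_entry": {"name", "address", "phone"},
    "finance": {"name", "giving_ytd"},
    "staff_admin": {"name", "address", "phone", "ssn", "giving_ytd"},
}


class AccessPolicy:
    """Tracks who holds which role and until when; record views are filtered by role."""

    def __init__(self):
        self._grants = {}  # user -> (role, ISO expiry date or None)

    def grant(self, user, role, expires=None):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role: {role}")  # no implicit roles
        self._grants[user] = (role, expires)

    def revoke(self, user):
        """Offboarding: drop every grant the moment someone is dismissed."""
        self._grants.pop(user, None)

    def role_for(self, user, today):
        """Current role for the user on the ISO date `today`, or None."""
        grant = self._grants.get(user)
        if grant is None:
            return None
        role, expires = grant
        if expires is not None and date.fromisoformat(today) > date.fromisoformat(expires):
            return None  # volunteer term ended: access lapses without a manual step
        return role

    def view(self, user, record, today):
        """Return only the fields this user's current role may see (empty if none)."""
        allowed = ROLE_FIELDS.get(self.role_for(user, today), set())
        return {k: v for k, v in record.items() if k in allowed}
```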

People are the biggest security risk any organization has.  They fall prey to phishing scams; because they want to help, they click on things they shouldn’t, trying to help people they shouldn’t trust.  This leads to data loss.  Do you provide training for your users to teach them how to avoid such threats?

It is vital that security and cyber threat protection decisions not be made by tech people alone – they are leadership decisions, and hopefully the tech folks have a representative at the leadership table.  I’ve written before about the importance of IT being in submission to the church leadership.  Contrary to popular belief, tech people aren’t wired to say no.  But we are trained to keep things safe.  Leadership needs to get input and make wise, informed decisions about how to keep data safe, how much money to invest, and what policies and procedures to adopt.

Again, the nature of our business makes this a challenge.  We use volunteers.  But decisions made in the light of day, with the involvement of the necessary parties, are a huge step towards avoiding disaster.