Cybersecurity for churches

Week after week, we hear about yet another breached organization or product that exposes personal or financial data to unauthorized parties. Every individual and organization needs to pay attention to cybersecurity.

Is your church acting in good faith with your member data? These four Ps will help you do so.

Passwords

It may feel something of a cliche to talk about the need for strong passwords in a security article, but it’s vital to stress the importance of their usage. The reality is that few people consistently use secure passwords and often reuse passwords across websites — despite knowing it’s not recommended. In fact, the second most popular password is the word “password,” and it’s second only to “123456.”

Over the years there have been major password leaks that have been made searchable by security researchers to see how common your go-to password is. To start evaluating your password security, use their simple tool to determine how common it is from other readily available online passwords.

The reason most people don’t use strong passwords is that they can be difficult to remember. Wouldn’t it be nice if someone could make the passwords as long as they need to be while at the same time eliminating the need to remember them?

If you answered “yes,” you’re in luck! Applications like LastPass and 1Password will not only intuitively generate secure passwords whenever they're needed, they will automatically fill them in whenever you arrive at sites that need passwords. They even have a phone app that will carry that process over to your iOS or Android device. Most of these solutions also offer business plans that allow you to manage and share important passwords for corporate use. Churches utilizing all Apple products may be pleased to hear they have a built-in solution that will work on all of your devices.

Power

Most of the truly devastating hacks require physical access to your computer or cellphone and/or unmonitored internet connections. All it takes is a dishonest person walking by your office who sees that you have left your computer running and logged into your email. In a matter of minutes, they can get online, request new passwords and gain access to every site you use.

Although there are sophisticated solutions like firewalls and VPNs, adding some standard practices to your team’s routine can make an immediate and effective impact in protecting your digital assets.

Most people can drastically increase their security by simply sleeping or turning off their device when it’s not under their control. That means that before you head out for lunch or leave for the day, take an extra minute to turn off your computer (or enable sleep mode), so that it’s disconnected from the internet or at least requires someone to know the password before having access to all of your data. If applicable, take it a step further by locking the door to your office when you leave it. The best way to keep your data secure is to prevent someone from ever having physical access to your machine.

People

The main liability in any cybersecurity protocol is the people carrying it out. People (especially church people) are inherently trusting and may not think about the potential threats that using simple passwords or keeping their computers logged in at all times can pose. That's why it's essential to train your team and equip them with the tools they need (like password managers) to maintain security.

Your staff will come with varying degrees of knowledge on this subject. Take time to do periodic refresher training to ensure that everyone remains on the same page with security tactic expectations and processes.

Remember to lead by example even in this area of church life. Take a moment to consider your own cybersecurity habits. Ask yourself: How are you doing at keeping your private data secure? How strong are your passwords? How easy is it for someone to gain physical access to your device and unlock it?  

Policy

Organizations like churches have to think through their policies in terms of cybersecurity. It starts with passwords (How often should they be changed? Is two-factor required? etc.), but it goes much further.

Cybersecurity policy should address how and where sensitive data is stored and transported, how personal accounts can or can’t be used in the course of business, who gets to take portable hardware off the property and how data is saved/retained when an employee leaves the organization. Once the policy is set, it’s time to return to the third P (People) and make sure to regularly revisit the policy and remind everyone of the expectations.

Proactive (Bonus P)

Ramping up your personal and church cybersecurity can seem daunting. However, by taking proactive steps now, you can save yourself major headaches later. Breaking the process into the manageable topics we’ve explored can help you manage improvements bit by bit so that you know you are caring for your data and the data of your ministry well.