Imagine that you have installed the most expensive, state-of-the-art security system available to protect your home. A technology marvel, it combines heat sensors, motion detection, hair-trigger alarms, sophisticated locks, intrusion barriers—the whole works. It is a system capable of frustrating and bewildering the most seasoned criminal. But such a system can actually be defeated quite easily. “How so?” you ask. Imagine again if the criminal simply approached the house, rang on the doorbell, and asked someone to let him in. And they did. Not realizing that he was a threat, or possibly mistaking him for someone else, they ushered him right inside. Or just unlocked the doors and gave him free rein. Or just left a key to the house along with the alarm deactivation codes in a nice little package on the front doorstep.
Sounds unlikely, right? Actually, it happens all of the time in churches, ministry organizations, and businesses all over the world as people fall prey to malware, ransomware, phishing, spear phishing, social engineering, and other types of cyberattacks. Surveys regarding cybersecurity events reveal consistently that the most vulnerable link in most organization’s cybersecurity prevention efforts is the human element–their staff. And the team is susceptible, by and large, because they have not been adequately trained to become aware of the specific types of security threats, how these threats may manifest, and how to respond in the event of an attack.
Robust security policies, password management, properly configured hardware, and the latest security software are essential. You do need a properly configured firewall to keep intruders out. You do need programs to keep viruses and other harmful software at bay. You do need security services to watch for suspicious behavior. But in and of themselves all of these efforts are insufficient and can be rendered useless if staff are not adequately trained to deal with the ever-changing cyberthreat landscape. You can have the best antivirus software in the world, and a user can still accidentally install something harmful. You can buy an extremely expensive firewall, but if you allow someone to control your computer, they have access to your network.
As humans, staff can and do make mistakes. They trust fake identities, fall for alluring “clickbait,” and can become entangled in many other sneaky schemes of a cybercriminal. And these mistakes can expose the church to financial loss and the exposure of sensitive member data.
The best protection for cyberthreats is a combination of the right tools, practices, and staff training. So, how should the church proceed in obtaining the proper training for its staff?
The Necessity of Security Training
The first thing is to decide that training really is necessary. The threats are real, and we need to be prepared to deal with them. World-class athletes, airline pilots, doctors, and other professionals never stop training and learning to ensure that they are at the top of their game. In the same way, our church staff, the overwhelming majority of whom are not IT experts, must also train to ensure that they do not subject the church to the effects of a cyberattack. Life and work are busy, and people have a lot on their plates. But given the current environment and an increasing level of dependence on computers and IT in ministry, churches, as a matter of responsibility, must commit to providing necessary security training.
Who to Train?
Get everyone involved. Everyone. It’s all or nothing. You must train anyone who touches computers or has access to church data. You must include board members, senior pastors, part-time volunteers, full-time staff, and interns. Due to the nature of networks, the mistake of just one person can have devastating effects on everyone else. Include everyone.
How Often to Train?
Training should be ongoing and perpetual. Churches should be in a pattern of implementing, enforcing, reviewing, and repeating training. Training is not a “one and done” proposition. Some security experts have advanced the concept of “people patching.” We are all familiar with software patching. We regularly update our software with patches or upgrades to fix software bugs or provide new capabilities. In the same way, we should provide ongoing cybersecurity training to our people (“people patching”) so that they are always prepared to deal with new and changing threats, approaches, and tools.
How to Deliver or Implement the Training?
There are several types of training available to church staff.
- A lunch-and-learn or staff security training session that hits standard recommendations for how you can help keep your data safe. This meeting is a brief “one-time” session that tries to cover the most important content quickly and succinctly.
- Video lectures that offer more in-depth training. These are much more inclusive but are not interactive.
- Online education-style programs that provide interactive sessions followed by quizzes or practical tests to ensure you understand the content. These programs offer examples of the types of scenarios and attacks that are common and assist the user in learning to recognize the threats and approaches in use. There are many providers, but Enable has had great results with KnowBe4.
Regardless of the methods you choose, it is essential that you build a culture of reinforcement and motivation and reward people for diligence and identifiable learning.
How to Measure the Effectiveness of the Training?
So, you have invested time and money into training your staff. How do you know if it was worth it? If your church has experienced security incidents in the past, you should compare the frequency and type of security incidents experienced before training versus security incidents experienced after training implementation. With the education-style security programs, you can immediately test the effectiveness of the training. For example, in the area of email security, you would be able to evaluate the staff’s ability to avoid giving up church data to a scammer. Some programs actually send fake emails to your team and identify those staff who click the wrong items or respond inappropriately. This process allows you to identify issues and enables you to target specific training for those who need additional help.
A Quick Security Training Roadmap
Implementing a cybersecurity training program can seem daunting, but it is just a question of enacting an ordered process and being diligent in committing to ongoing training. Below we provide a quick, step-by-step roadmap that may help:
- Identify specific and primary threats in your organization and develop content to address those areas
- Determine the best method of delivery of the training content, e.g., face-to-face training, online education, etc.
- Set expectations with employees around training timelines, requirements and expected results, etc.
- Deliver training according to schedule and solicit feedback
- Conduct assessments to gauge the effectiveness of training
- Adapt training as necessary to increase its efficacy
- Repeat the process as an ongoing business and ministry practice.
Criminal cyberhackers are relentless. They are continually seeking new ways to exploit weaknesses in your network or gaps in your staff’s knowledge. Churches must “fight fire with fire” in this era of technology-enabled ministry and commit to training staff to recognize and deal effectively with cyberthreats. This one commitment will shore up the weakest point in the cyberthreat landscape.