Cybercrime and the threats and risks associated with various types IT security breaches are a real and growing trend. And while churches are a chosen target of this trend, too many churches are simply not prepared to protect themselves against cyberattacks. The bottom line is that IT security is one of the most important considerations for any church’s technology infrastructure and plan.
To assist churches in protecting their members, data and ministry operations, we have written this two-part post on a Roadmap for Implementing IT Security in your Church. In part one of this post, we discussed several foundational security measures that any technology-enabled church should adopt as first steps. To review, those steps were:
- Implement a Ministry Continuity plan and capabilities
- Conduct structured security awareness training for all staff
- Implement enhanced email security
- Perform regular patching
- Implement Multi-Factor Authentication
If you haven’t read part one yet, we would encourage you to do so first. In this part two of the post, we outline the second and third phases in our roadmap for implementing a comprehensive IT security strategy.
Phase 2 Recommendations
The following Phase 2 recommendations will be appropriate for almost every church. Enable strongly recommends that churches implement these steps as soon as is practicable. The primary reason that we have not listed them in the Phase 1 section above is that Enable understands that not every church can implement every suggestion all at once. Placement in the Phase 2 level is not indicative of lesser importance; instead, it just recognizes that you may have to make tradeoffs and may have other timing considerations and competing interests.
6. Conduct Regular Security Assessments
Regular, thorough IT Security Assessments are indispensable. IT Security Assessments can provide insight into issues with your church technology infrastructure and operations that might otherwise go unnoticed. Very few churches will tolerate or knowingly allow dangerous security vulnerabilities to exist in their church. Still, without someone measuring their IT infrastructure objectively, church staff might not be aware that potential danger even exists for them. It’s understandable. Most church staff do not have regular access to tools and training to prevent, discover, or repair these types of hidden security vulnerabilities.
An objective third party with proper tools and training will be more likely to recognize and be able to point out security risks and weaknesses. Given the pace of technology change, you should consider conducting security audits and vulnerability tests on at least an annual basis. Penetration tests can also be beneficial but are expensive and must meet a rigorous cost/benefit basis evaluation. Your church’s resources, ministry activities, and the types of data you collect and maintain will dictate your needs in this area.
For more details on security assessments, please read here.
7. Install a UTM Firewall (Unified Threat Management)
Basic firewalls have been a necessity for years. But increasing security threats call for firewall platforms with enhanced protection. Today’s firewall platforms include UTM features such as Intrusion Detection and Prevention, Gateway anti-virus, Geo-IP filtering, objectionable content filtering, spam filtering, and more. A basic firewall doesn’t do enough to protect you without these advanced capabilities.
In addition to the capabilities mentioned above, today’s firewalls leverage the cloud-connected world in real-time to better detect “Zero Day” (previously unknown) malware and intrusion schemes. Current UTM firewall technology also gives IT administrators great flexibility and customization capabilities that allow them to manage Internet traffic and bandwidth, to block traffic from specific applications, etc.
Due to the nature of the threats propagating on the Internet today, we recommend that all churches protect their network technology resources with a robust Unified Threat Management gateway.
For more details on UTM firewalls, please read here.
8. Design and Implement a Secure Wi-Fi Infrastructure
If the church is intent upon meeting the expectation of its members and guests for mobile connectivity, it must provide safe, secure, and robust Wi-Fi access. This is not even a conscious expectation in the mind of most average church members—it has become an expectation in their daily existence and it’s just there. People no longer see Wi-Fi as an “optional item” or a “nice to have.” Most now consider it unconsciously as a utility on the order of electricity, air conditioning, and plumbing.
When it comes to Wi-Fi, there is no one-size-fits-all solution. The church must custom-design and plan its technology infrastructure carefully to ensure that it can provide secure and effective coverage throughout its facilities, to all of the various groups who need access, e.g. staff, public, students, etc. Church IT staff must properly segment/isolate traffic across the church’s wired and wireless networks and must encrypt all sensitive Wi-Fi traffic to the highest available standards. A secure wireless environment will utilize 802.1x RADIUS authentication, will have a separate scalable guest network, and should work in tandem with a UTM firewall solution as described above.
For more details on secure Wi-Fi, please read here.
9. Utilize Disk Encryption
Even if a church conscientiously observes all of the policies discussed above, there are still opportunities for cybercriminals to wreak havoc on your church’s technology systems. Disk encryption is a vital additional method of protecting your systems and thwarting those determined to misappropriate your data.
Disk Encryption enables you to store the information on your technology devices in a state that cannot be easily accessed by an unauthorized user. So, whether a cyber thief physically steals your computer or obtains remote access to your data, it will be difficult for him to read and utilize this data. There are various ways that you can enable encryption – from individual files to an entire disk.
Your IT team can enact policies and procedures to take maximum advantage of disk encryption to add a powerful layer of security around your data.
For more details on disk encryption, please read here.
10. Implement Mobile Device Management (MDM)
It is no secret that we live in an increasingly “mobile” world. Our expectations for the availability of connectivity and robust computing power continue to extend to more types of devices, in ever-smaller form factors that travel with us wherever we go. And we expect all of them to connect seamlessly and flawlessly with all the other devices in our lives. It can, however, be difficult to ensure the security of all of these devices as our staff use them outside of their “locked down” church network.
The point of mobile device management is to ensure a safe and secure working environment when using ever more powerful and helpful mobile technology while at the same time, stewarding resources effectively through efficient, streamlined management. Your church can improve the likelihood of reaching these goals by identifying how it will use devices, knowing whether it will leverage “bring your own device” plans (BYOD), and by defining clear and sound usage and security policies. By leveraging MDM tools and strategies, you can go a long way towards securing your church’s technology environment and reducing the fear of unpleasant security incidents associated with your mobile devices.
For more details on mobile device management, please read here.
Phase 3 Recommendations
The following items in Phase 3 are robust measures that may or may not be appropriate for your church. Implementation of these measures will most likely occur in churches with more resources to invest in security. These churches are also characterized by transactions, processes, and ministry activities that may place them at a higher risk of a cyberattack. While undoubtedly helpful, churches contemplating these measures should be careful to measure the additional protection received against the extra cost and time involved in implementation.
11. Employ System Information and Event Management Tools (SIEM)
Cybercriminals who desire to compromise your technology systems and infrastructure are employing increasingly sophisticated attacks and are utilizing specialized software, algorithms, and automated attack protocols to compromise your operations in ways that are difficult to detect. IT security analysts are increasingly recommending SIEM (System Information and Event Management) tools and solutions as a significant part of an overall IT security solution and strategy.
SIEM tools proactively collect, store, and analyze the voluminous log file data from all of your IT hardware and software like firewalls, switches, WiFi systems, and intrusion detection systems. Today’s modern SIEM solutions employ sophisticated algorithms, machine learning (ML), and artificial intelligence (AI)) that automatically analyze and correlate all of the log data received and look for patterns of suspicious or malicious behavior. SIEM tools give IT teams the ability to respond before and during threats proactively and to determine the specific type and nature of suspicious activity after such attempted attacks.
For more details on SIEM, please read here.
12. Utilize a Product or Service to Conduct Regular Dark Web Research
Users sign up for various online services and tools in the ordinary course of ministry and business. Cybercriminals routinely work to hack these online services and steal your staff’s email addresses and passwords. Too many users still use the same password for ALL of their online accounts. (Not recommended!) This unwise practice creates a big problem. If a cyber attacker steals a password from one system, he may be able to use that same password to gain access to many other systems, e.g., email accounts, banking information, credit card accounts, etc.
Dark Web Research tools can alert you and your staff any time one of your email addresses is found in an online ‘data dump’ from a hacked website. This notification is very powerful and allows you to notify quickly all affected users in your organization and encourage them to update their passwords on those sites. You can also remind them NEVER to use the same password across multiple sites. However, if they HAVE used the same password across various websites, this alert gives them a chance to update it everywhere quickly.
For more details on dark web research, please read here.
Implementing a robust security plan is important. If any of this feels overwhelming to you, Enable can help! We are passionate about changing lives by serving those who serve. Helping churches implement effective, safe and secure technology solutions is a large part of how we serve. At Enable, we desire that churches like yours benefit from all tools and technology resources that can support ministry, while ensuring that you are able to establish and maintain a secure environment. Technology should be a benefit to you and should not be a source of confusion or fear! When churches are able to utilize technology confidently and securely, they can then focus their efforts fully on ministry, service, discipleship, and the changed lives of the people they serve! Reach out to us at [email protected] to get started!
Written by: Scott Smith, President, Enable Ministry Partners