Churches today depend increasingly on technology to enable, support, and streamline ministry activities and operations. Our church partners utilize a growing array of applications, tools, software, and social media platforms to manage ministry and engage with participants and volunteers. They must therefore manage technology assets strategically and intentionally to ensure that they don’t experience disruptions in their ministry efforts.
Business Continuity Planning and Ministry
Natural disasters, hardware failures, cybersecurity attacks, and even employee sabotage are some examples of predictable circumstances that can affect business and ministry continuity. Churches can implement time-tested best practices in “business continuity planning” to ensure uninterrupted ministry operations.
The premise behind business continuity planning is that no matter the circumstances, the church can continue to operate, conduct business activities, communicate, retain access to essential data, serve members, etc. Redundant systems, secure backups, password management, security policies, and contingency plans are fundamental building blocks of a business continuity plan that apply directly to churches. By implementing the practices we discuss in this article, churches can protect against data loss, ransomware demands, reputational damage, and loss of access to key ministry technology systems.
Staff Transition and Ministry Disruption
Staff transitions can cause ministry disruptions in unexpected ways. Most everyone expects some “drop-off” or a change when recruiting and training a new person to fill a departing team member’s position. But the departure may have other unexpected consequences as well.
Sometimes, a staff member’s departure means you can lose access to your church’s passwords, tools, and data. The departing staff member may be the only one who knows the passwords, or maybe the person set up the accounts via their personal account (to which the church has no access). Since not all transitions are friendly and cooperative, this can be a real problem.
In other cases, where the transition is healthy and positive, the people involved may have forgotten information or are unaware of any potential problem. For instance, we have witnessed examples where a staff member used a personal or staff account to obtain a web address for the church website. When it came time for renewal, the staff member was no longer employed, and the email account was no longer in use. Since the renewal notices were not received and heeded, the registration lapsed, someone else obtained the web address, and the church no longer owned its longstanding web URL!
Whether the staff transition is due to termination, resignation, or retirement, when only one person knows all the passwords or holds the “keys to the kingdom,” the church can find that it has lost access to critical applications. Or worse, the church’s ministry data may be unavailable, lost, deleted, or in danger of theft.
So, how can churches plan to ensure ministry will not be interrupted during or due to inevitable staff transitions or other circumstances?
Practical Elements of Ministry Continuity Planning
Churches must consider which tools they use for what purpose, who has access to them, where church data is stored, and how to continue ministry operations through staff turnover or other unforeseen circumstances. Here are some helpful guidelines to mitigate these risks as you plan for business continuity with your tools and applications.
Keep a list of all applications, tools, platforms, etc., in use by your staff.
First and foremost, your organization needs to know what tools are in use, by whom, and for what purpose. Document all admin accounts or users with admin privileges. Each ministry should keep this list up to date and review it annually.
Designate an admin for each tool or application.
Ideally, every app should have at least two users with admin access. Each admin should be responsible for adding and removing access and making administrative updates to the tool as needed. Multiple admins ensure the church can manage the tool regardless of unexpected absences, staff changes, etc. The application champion (the knowledgeable person on staff that everyone goes to with day-to-day questions about the tool) often makes a great primary admin. The backup admin should be another user with knowledge of the application and its use, or at least someone in the same ministry area if only one person uses the tool today.
Note: Your IT staff should not be the default choice as a backup admin for ministry-specific tools. They will be less familiar with the tool than someone who already uses it, and if the tool requires a license for each user, the church could pay for an otherwise unnecessary license.
Do not allow church social media accounts to be owned or managed by anyone’s personal account.
The church should set up all accounts used for managing social media with church-managed email accounts. This policy allows the church to handle password resets and related actions when needed, even if the original user can no longer assist.
Use responsible password practices.
In addition to business continuity from a staff perspective, we must consider it from a cybersecurity perspective. Many bad actors are trying every day to gain access to your toolset. Please don’t make it easy for them!
- Passwords should be at least 12 characters long and use upper and lower case letters, numbers, and special characters.
- Passwords should be unique for each account for each tool. If an email address and password are compromised on one tool, they are now compromised anywhere else that password is reused.
- The church should store all passwords for tools and applications in a secure password manager application (not in a spreadsheet, in a browser, in a note on your phone, etc.).
- Turn on Multi-Factor Authentication (MFA) wherever it is available. MFA is the best way to prevent compromised accounts today and requires almost no ongoing effort.
- When the platform requires a single, shared account, the church should follow a consistent, intentional, and secure process for sharing the password. This process could be a church-owned password manager with delegation/sharing features or designated people who store the info in their secure personal password manager. There are different ways to do this, but you should define the correct method for your organization and follow it consistently.
To learn more about passwords, visit “Why You Need A Password Manager.”
Have all invoices sent to a standard address for payment.
Mitigate the risks of unpaid bills due to staff turnover and surprise tools in your environment by routing all bills and invoices to a single standard email address. This policy also reduces the administrative cost of turnover by maintaining consistent contact info with your vendors, regardless of who the current tool admin or bill payer is.
Make a contingency plan for the unknown.
It could happen that after an unexpected staff transition, you discover a tool the staff member was using and to which they had the only access. Here is an example contingency plan for this case:
- A designated staff person with access to the exiting staff member’s email can access the tool by requesting a password reset through the login page and using the reset link sent to that email address.
- Once logged in, the designated staff person can appoint another admin and deactivate the exiting staff member’s account.
- If MFA is enabled on the account, a traditional password reset via email will not be enough to gain access, so you must open a support ticket with the application company. You will need to explain that the existing account belongs to a former staff member and needs to be deactivated or reassigned to another staff member.
Designate and communicate the correct location for storing church files and data.
Finally, the church should store all church data in approved areas, such as Microsoft Teams, Google Team Drives, or the church file server. In the event of staff turnover, data stored in someone’s personal account (Dropbox, iCloud, etc.) cannot be recovered without the cooperation of the staff person, creating a potential risk of data loss. Ensure you have implemented an appropriately robust backup strategy for this data.
By implementing these recommendations, you can reduce the likelihood of losing access to your church’s applications, data, and passwords. This will ensure the continuity of ministry operations during staff transitions and other changed circumstances.
Written by: Melody Parlett, Managing Director