A Roadmap for Implementing IT Security in Your Church: Part 1
Today, IT security and cybercrime are topics that relentlessly demand the attention of anyone charged with the leadership of a church, ministry, school, business, or any other type of organization. The threats and risks associated with cyberattacks are real and growing. It should no longer surprise anyone in church leadership that churches are a chosen target of this trend. Nevertheless, too many churches are simply not prepared to protect themselves against cybercriminals who seek to do them harm.
Church leaders must make it a priority to implement comprehensive, effective cybersecurity plans, procedures, and training. These are “non-negotiables” for anyone involved in a technology-enabled ministry environment. While most leaders understand their responsibility in this area only too well, many don’t know where to begin in planning their strategy. They have not been trained to handle this problem and may very well approach the topic feeling confused and overwhelmed.
At Enable, we work with these leaders every day. Over and over again, we hear a familiar set of questions:
“What steps should I be taking to protect our church?”
“What should I tackle first?”
“If I cannot implement all the recommended security measures, which ones are most important?”
Because ministry funds and staff labor are limited, most churches will have to make some hard decisions regarding cybersecurity preparedness. Responsible stewardship dictates that they carefully evaluate the risk and return of implementing possible security measures. In assessing the use of resources for ministry, they will have to make tradeoffs both in deciding what measures they undertake and when they will put those measures into practice.
A Roadmap for Effective Security Implementation
Our aim in this post is to provide a general roadmap for implementing security measures in your church. Our approach balances the helpfulness of those measures against the associated cost in terms of both time and money. Depending upon the specifics of your church’s infrastructure, activities, and characteristics, you may have to modify this roadmap for your situation. But for most churches, this roadmap should give you an excellent start.
In this two-part blog post on church IT security we have broken our recommendations down into three phases. In part one of this post we discuss Phase 1 items that can be implemented quickly and will “give you the most bang for your buck.” Once you have implemented the Phase 1 suggestions, move on to Phase 2, and finally, to Phase 3 as appropriate. We will discuss Phase 2 and Phase 3 items in part two of this post. Throughout part one and part two of this post, we have included links to a more comprehensive discussion of each recommended security measure.
Each of the phases contains elements that are vital to an Enable-recommended comprehensive cybersecurity strategy, but we understand that planning for and employing ALL of these things at once could feel very overwhelming. “Rome,” as they say, “wasn’t built in a day.” Recognizing this, we hope that our phased recommendations and suggested order of completion will make the task feel more manageable and can assist you with implementation.
Phase 1 Recommendations
We believe that the items in Phase 1 are “must do’s” and are simply the price of engaging in technology-enabled ministry activities in today’s world. Failure to take these measures can leave you unnecessarily exposed to common threats and damages that you should be able to avoid for the most part. We recommend that all churches implement the Phase 1 measures as soon as they possibly can. The Phase 1 elements can be implemented quickly and can provide immediate help at some of the most vulnerable points of risk.
1. Implement a Ministry Continuity Plan and Capabilities
Enacting this plan should be your first step in protecting yourself against cybercrime. The sad reality is that whatever measures you take to prevent cybercrime, a relentless hacker who is bound and determined to compromise your systems may ultimately find a way to do so. At that point, you need to have already implemented a written ministry continuity plan and supporting technical solutions that allow you to recover quickly from the attack without a resulting loss of data, money, or ministry operations capability.
A ministry continuity plan involves not only the backup of data but also of the network of systems and servers themselves. A robust ministry continuity plan will ensure that you back up data and machine images in geographically diverse sites. Your plan will allow you to avoid having to pay a “ransom” for your data and will ensure that you have good backups of your data. It will also provide for redundant capacity to continue the technology, reporting, data, and back-office ministry operations while you are recovering from any type of attack, incident, natural disaster, etc.
For more details on ministry continuity plans and capabilities, please read here.
2. Conduct Structured Security Awareness Training for all Staff
Surveys regarding cybersecurity events reveal consistently that the most vulnerable link in most organizations’ cybersecurity prevention efforts is the human element – their staff. And the team is susceptible, by and large, because they have not been adequately trained to recognize the specific types of security threats, how these threats may manifest, and how to respond in the event of an attack.
As humans, staff members can and do make mistakes! They trust fake identities, fall for alluring “clickbait,” and can become entangled in many other sneaky schemes of a cybercriminal. The best protection against cyberthreats is a combination of the right tools, practices, and staff training. Training should include all staff, regardless of title, role, seniority, etc. Training should be ongoing and perpetual, delivered in a variety of formats tailored to the specifics of your church staff, and should be measurable, i.e., you should be able to verify that people are genuinely learning.
Two training areas that can yield particularly powerful results are password management and anti-phishing/ransomware training.
If you provide your church staff with knowledge and tools in these two areas, you will go a long way towards protecting yourself from most of the attacks waged against you.
For more details on security awareness training, please read here.
3. Implement Enhanced Email Security
Email is, far and away, the preferred method for hackers who desire to steal information, money, and access. We recommend implementing a system that filters incoming email for known or suspected spam or phishing attempts. This one move is a significant first step in protecting against vulnerability in this area. Affordable solutions are available that provide much more protection and power than those supplied with your email hosting platform.
However, spam and phishing filtering solutions are not enough in and of themselves. Fraudulent email schemes are becoming increasingly sophisticated, and we must train our staff to recognize and avoid common email attacks, e.g., spam, phishing, malware, encryption, spear phishing, etc. That is why email security must start with training, and we must be vigilant about educating all of our email users about proper email security practices.
For more details on email security, please read here.
4. Perform Regular Patching
One of the most useful and straightforward things that you can do to keep your technology environment secure and healthy is to stay up-to-date with software and firmware patches. Software developers regularly update their software code to not only make it operate more effectively but also to stay ahead of cybercriminals trying to circumvent the current safety technology.
Patching is not difficult; it just takes disciplined, consistent attention. The security payoff for rigorous patching is enormous; unfortunately, the reverse is also true. Failure to patch consistently can be very costly. In most successful cyber breaches, hackers obtain access to data or systems via well-known software bugs for which patches already exist, but which IT administrators have never applied! If IT administrators consistently apply readily available software patches to their systems, they will significantly reduce the likelihood that their computer systems will be compromised.
For more details on patching and updates, please read here.
5. Implement Multi-Factor Authentication (MFA)
The goal of multi-factor authentication is to verify identity and to make sure that the person logging into an account genuinely is the person they are claiming to be. MFA is necessary because passwords, alone, are not a sufficient deterrent to security breaches and cybercrime. Everyone is familiar with the stories of large companies that have been compromised and have exposed thousands of customer passwords and other data to cybercriminals. Once these passwords are out in the public realm, they are sold and resold on the dark web.
Users need to create and maintain their passwords properly; that is clear enough. MFA then provides a second layer of protection and an additional method of security. MFA can assist churches in preventing a breach that can be harmful, embarrassing, and costly. While MFA provides excellent value, it also adds some complexity and requires some user training and process changes. But the benefits greatly outweigh the effort involved in the implementation and a slightly longer sign-in process. MFA strengthens security during the login process and is an accessible, useful, and easily implemented solution.
For more details on multi-factor authentication, please read here.
Next Steps
In part 2 of our Roadmap for Implementing IT Security in Your Church we will turn our attention to Phase 2 and Phase 3 recommendations. These recommendations are a vital component of a solid IT security solution. Once you have implemented the recommendations in Phase 1, and as soon as church resources allow for it, we strongly encourage you to pursue the next phases of implementation.
As we mentioned in the beginning of this article, however, the specific characteristics of your church’s infrastructure, resources, and ministry activity may require that you modify this roadmap for your situation. We fully expect that to be the case for some churches as each congregation is responsible for stewardship of its own unique flock and ministry. Our desire in this Roadmap is simply to give you some helpful assistance in protecting your church while utilizing resources wisely.
Enable would love to assist you in thinking through a cybersecurity strategy for your specific church. Changing Lives by Serving Those Who Serve is why we do what we do, and enabling churches to operate confidently and securely in their technology is one of the many ways we do that. Please do not hesitate to reach out to us at info@enable.email to have a conversation!
Written by: Scott Smith, President, Enable Ministry Partners