Enforced Security Policies: Not Just Rules for Rules’ Sake
I’m sure everyone can find traffic laws to be frustrating at times. What if you knew that there were no consequences for speeding or running a stop sign? Most of us would probably do it when we thought we could safely. However, that would very likely result in many wrecks, injuries, and worse! If there were no consequences for disobeying traffic laws, the road would instantly become a very dangerous place to be. Traffic lights, signs, and laws are designed to keep people safe, but in order to work, the limitations imposed by such restrictions must be enforced!
Similarly, in the world of technology and cybersecurity, we must have policies as well. And in order to actually work, these policies must be enforced! As with any other organization, cybersecurity in churches is impacted by the operation of administrators, users, computers, and data systems. In order to keep the church’s technology systems running smoothly and safely, policies must be crafted and enforced at each of these points of impact.
Types of Policies to Consider
Password Policies
Weak passwords pose a huge risk to your church data. Simple passwords containing personal information like important dates or a pet’s name can be easily guessed by the least seasoned of hackers with a quick social media search. Saving your passwords to your keychain in Chrome or Safari is also dangerous. Imagine if the church’s finance administrator left her laptop logged in at a coffee shop. A thief could open her web browser, look through its history, and use the saved passwords to attempt to log in to banks, accounting software, credit card sites, and so on. Enforcing strict password rules, like requiring a certain number and type of characters, and encouraging the use of a secure password manager, is the most basic and most important first layer of security for your church.
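The checks a password policy describes in words can be enforced mechanically at the point where a password is set. The following is an added example, not code from the original article: it rejects passwords that are too short, that lack a mix of character types, or that contain details an attacker could pull from a staff member's social media (names, a pet's name, important dates). The minimum length, the required character classes and the sample profile are constructed for illustration; a church would choose its own values.

```python
import re
from datetime import date

# Constructed policy values for illustration; a church would set its own limits.
MIN_LENGTH = 12
REQUIRED_CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed profile for a hypothetical staff member, the kind of detail that a
# quick social media search would turn up.
SAMPLE_PROFILE = {"first_name": "Dana", "pet_name": "Buddy", "dates": [date(2019, 5, 14)]}


def personal_tokens(profile):
    """Turn a user's known details (names, pets, important dates) into the
    substrings a guesser would try first."""
    tokens = set()
    for key in ("first_name", "last_name", "pet_name", "spouse_name"):
        value = profile.get(key)
        if value:
            tokens.add(value.lower())
    for d in profile.get("dates", []):
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%m%d%y"):
            tokens.add(d.strftime(fmt))
    # Very short tokens would reject almost any password, so require at least 3 chars.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, profile):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            violations.append(f"missing {name}")
    lowered = password.lower()
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            violations.append(f"contains personal information: {token!r}")
    if re.search(r"(.)\1\1", password):
        violations.append("contains three or more identical characters in a row")
    return violations


if __name__ == "__main__":
    for candidate in ("Buddy2019!xyz", "correct-Horse7-battery"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

Note that `Buddy2019!xyz` satisfies the length and character-type rules yet is still rejected, because it is built from the pet's name and a memorable year; a length-and-characters rule alone would have accepted it.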
Multi-Factor Authentication
MFA is the next layer of security for individual users after strict password requirements. It works by linking a second device to a user account, and sending a timed security code to that device when a login attempt occurs. The goal of MFA is to verify identity and to make sure that the person logging into an account really is the person they are claiming to be. Using Multi-Factor Authentication as a policy can greatly increase security for user devices and accounts.
Data Protection Policies
Churches gather and store a lot of very personal data, and there should be strict policies in place for the storage and use of this information. Where do you store financial data, as it pertains to budgets, church costs, staff salaries, and giving and contributions? Who has access to this data, and how do they access it? What about all of the health data from youth trip medical release forms? Churches should put policies in place that limit who can access information like this, dictate how it is sent to the people who need it, identify and limit the acceptable platform(s) on which it may be stored, and provide clear direction on how to handle or dispose of old files that are no longer needed.
Bring Your Own Device (BYOD) Policies
It’s safe to say that probably every single person on your church staff and volunteer list has a mobile or personal device of some kind. Many users would prefer to use their own personal device rather than a church-issued one. While this can be very convenient for a church, in that it doesn’t necessarily have to provide a device for everyone, it also poses many security issues. Personal devices are all configured according to the whims of the individual user. They have varying security settings. Typically, the individual devices have connected to different networks in the past, some of which are unprotected and unsafe. Thus, like the fabled Trojan horse, these personal machines often transport viruses, vulnerabilities, and other security threats directly into the church’s network. Therefore, it is very important for a church to create policies around these issues when allowing staff and volunteers to “BYOD.” Who can use a personal device to conduct church business? What if that device is lost or stolen? Are these machines allowed to connect directly to your servers? How do you ensure they have good antivirus software installed so that they don’t infect your network?
Acceptable Use Policy
An effective AUP covers many areas of technology use, from personal communication to web browsing. It is important to have a written acceptable use policy that all staff members and volunteers must sign that explains what is or is not appropriate when using church equipment or programs. Who can purchase computers or software? Can you print personal materials on church printers? Can you use your church email for personal communication during break/lunch/after-hours? What about using your work computer to stream videos? These types of issues are important to think through when creating an acceptable use policy, and as situations arise, it would be wise to keep revising it accordingly.
Configuration Policies
Keeping devices up to date is imperative both for proper function and for security. Putting policies in place that specify what settings should be applied to all computers, when and how to run updates, which antivirus is installed, which printers should be connected to which devices, and which applications are routinely installed will all help maintain a safe and stable environment. By enforcing consistency across your managed devices, it will also be easier to spot and fix issues.
Enforcing Your Policies and Why They Matter
There are many ways to enforce any policies that have been put in place, but certain policies are easier to enforce than others. For example, there are ways to enforce a common configuration for devices, like Group Policies for Microsoft domains or third-party configuration management programs. Additionally, most systems have a password requirement mechanism built in. However, this does not include barring users from saving their passwords in their browser keychains. Therefore, implementing a written policy with included disciplinary repercussions is an important consideration. In order to really enforce a rule, it should be written down, distributed to the people that are supposed to follow it, and repeated often.
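Whether a configuration is pushed out by Group Policy or by a written rule, it only stays enforced if someone regularly compares what the devices actually look like against what the policy says. The following is an added example, not code from the original article: a small audit that takes a device inventory (in the shape a management tool might export) and reports every deviation from a configuration baseline, including the browser password-saving setting the paragraph above notes is not covered by the built-in password mechanism. The baseline values, the hostnames, and the product and application names (`ExampleAV`, `ExampleChurchDB`, `ExampleOffice`) are all constructed placeholders.

```python
import json

# Constructed baseline: what the configuration policy requires of every managed
# device. Product and application names are hypothetical placeholders.
BASELINE = {
    "os_min_version": "10.0.19045",
    "antivirus": "ExampleAV",
    "browser_password_saving": False,   # policy: no passwords in browser keychains
    "screen_lock_max_minutes": 10,
    "required_apps": ["ExampleChurchDB", "ExampleOffice"],
}

# Constructed inventory export; one compliant device and two with drift.
INVENTORY_JSON = """
[
  {"hostname": "OFFICE-PC-01", "os_version": "10.0.19045", "antivirus": "ExampleAV",
   "antivirus_enabled": true, "browser_password_saving": false,
   "screen_lock_minutes": 10, "apps": ["ExampleChurchDB", "ExampleOffice", "Zoom"]},
  {"hostname": "FIN-LAPTOP-02", "os_version": "10.0.17763", "antivirus": "ExampleAV",
   "antivirus_enabled": true, "browser_password_saving": true,
   "screen_lock_minutes": 10, "apps": ["ExampleChurchDB", "ExampleOffice"]},
  {"hostname": "YOUTH-PC-03", "os_version": "10.0.19045", "antivirus": "",
   "antivirus_enabled": false, "browser_password_saving": false,
   "screen_lock_minutes": 30, "apps": ["ExampleOffice"]}
]
"""


def version_tuple(version):
    """Compare versions numerically, so that 10.0.9 does not sort above 10.0.19045."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device, baseline=BASELINE):
    """Return the list of ways one device deviates from the baseline."""
    findings = []
    if version_tuple(device["os_version"]) < version_tuple(baseline["os_min_version"]):
        findings.append(f"OS {device['os_version']} is below minimum {baseline['os_min_version']}")
    if device["antivirus"] != baseline["antivirus"] or not device["antivirus_enabled"]:
        findings.append("approved antivirus is not installed and running")
    if device["browser_password_saving"] and not baseline["browser_password_saving"]:
        findings.append("browser password saving is enabled")
    if device["screen_lock_minutes"] > baseline["screen_lock_max_minutes"]:
        findings.append(f"screen lock after {device['screen_lock_minutes']} min exceeds "
                        f"{baseline['screen_lock_max_minutes']} min")
    for app in baseline["required_apps"]:
        if app not in device["apps"]:
            findings.append(f"required application missing: {app}")
    return findings


def audit_inventory(inventory_json, baseline=BASELINE):
    """Map each hostname to its findings; an empty list means the device is compliant."""
    return {d["hostname"]: audit_device(d, baseline) for d in json.loads(inventory_json)}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY_JSON).items():
        print(host, "-> compliant" if not findings else "-> needs attention")
        for finding in findings:
            print("    ", finding)
```

Run against a real export, the output is the to-do list for the next maintenance window, and a device that keeps reappearing with the same finding is the cue to apply the written policy rather than just fix the setting again.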
Organizations must be vigilant in communicating both the cybersecurity policies and the consequences for breaking them, because it doesn’t take much to compromise an entire network! No one wants to impose unnecessarily burdensome rules and consequences, but often users just don’t understand how even the most basic technology actions, if done incorrectly, can provide an opportunity for cyber criminals to do great harm to the church and its members. Sometimes, all it takes is one person making a mistake, and a hacker could gain access to the entire organization. Clarity is key.
In the world of cybersecurity, we are just beginning to scratch the surface of knowledge about all of the ways organizations can be compromised. It is hard to stay on top of this ever-evolving landscape, but one of the best ways to stay ahead of the game is to create concrete security policies that are intentionally formed and vigilantly enforced.