IT Security Assessments: Why?

Most states require yearly safety inspections for vehicles to ensure that they are safe for operation. When driving a compromised car, you pose a potential danger to not only yourself but also to those who share the road with you. Safety inspections often uncover issues of which the driver is completely unaware. For example, I usually find out I am in desperate need of new tires during these types of inspections. Very rarely am I aware of the state of my tires on my own. It’s not that I don’t care about my tires; it’s just not part of my regular, busy routine. I don’t think to measure the tread regularly, and I don’t even own a tread depth gauge. Most people can relate, and this is just one of the reason why mandatory automobile inspections are a good idea.

In the same way, regular, thorough IT Security Assessments are indispensable. IT Security Assessments can provide insight into issues with your church technology infrastructure and operations that might otherwise go unnoticed. Very few churches would tolerate or knowingly allow dangerous security vulnerabilities to exist in their church, but without someone “measuring their tread,” church staff might not be aware that potential danger even exists for them. It’s not hard to see how this can happen. During busy schedules, it is easy to get used to the status quo and not realize that the familiar is hiding some potential problems. Most church staff do not have regular access to tools and training to prevent, discover, or repair these types of security issues. An objective third party with proper tools and training will be more likely to recognize and point out risks than someone who has slowly become accustomed to an issue that they don’t realize is problematic or is one that they can “fix later when they have more time.”

IT Security Assessments: What?

There are 3 main types:

1. In a Security Audit, an Information Technology firm will send an expert(s) to investigate your entire technology environment.  They will assess the status of your computers, servers, networking gear, technology processes, and IT policies. They will conduct interviews with users to obtain details on standard practices and will make a note of any resulting concerns. They will then compare the information gathered against a set of industry best security practices to determine where your church is doing well and where it could use improvement.
2. In a Vulnerability Test, the investigating team will go a step further and investigate whether known weaknesses exist in your environment. They will collect data about software and firmware versions that are known to have security flaws. They will use tools to scan for internal soft spots in your security scheme. They will ask a lot of questions. For example, can a guest access your sensitive data via Wi-Fi? Is the equipment used by the Worship Production team causing communication issues for other staff devices? Are systems vulnerable to known hacking techniques due to missing security patches?
3. In a Penetration Test, a church will engage a company to simulate a cyber attack of their environment and systems to reveal vulnerabilities. The IT company will try to forcibly take over login information to email, computers, and a variety of other applications systems. The “attackers” then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc. to discover the extent of the damage they can cause. In addition to these technical approaches, they may also engage in social engineering attacks, such as “phishing.” For example, they may pose as the lead pastor and ask the finance assistant to transfer a large amount of money somewhere to see how far they can take the process.

Penetration tests can be very expensive. This style of attack is quite advanced, and such dedicated efforts are usually reserved for large businesses who must meet financial and security certification standards. For many churches, the expense of a full penetration test may not be justified. It will depend upon the type of transactional financial and member data that the church maintains. Some of the strict security standards may apply to the church because of its activities and transactional data, so it is always wise for a church to confer with its security consultant to know for sure.

IT Security Assessments: When?

Security Assessments should not be a “one-and-done” checklist item. Always be monitoring! Just like your annual vehicle inspection, regular check-ups enable you to stay on top of developing issues, the health of your network, and emerging trends in the IT security realm. By running regular security assessments, you can find holes and vulnerabilities (and repair them!) before they result in much bigger problems. Given the pace of technology change, you should consider conducting Security Audits and Vulnerability Tests on an annual basis, at a minimum. If you do not know whether you have had one of these assessments recently, the time to conduct one is now.

Do any of these points resonate with you and the state of your church? Does any of this sound daunting and overwhelming? Enable specializes in helping churches assess their cybersecurity preparedness and implement optimal solutions that are based on your specific needs and mission. Email us at info@enable.email for more information about how Enable can help your church!

Written by: James Grissom, Senior Engineer, Enable Ministry Partners