In this digital age, everything an organization does must have a cyber security component because technology touches every aspect of our lives. Churches often store the personal and financial information of their members, which can be tempting to hackers who are looking for ways to steal such information.
In the past 10 years, there have been data breaches at major companies, like Equifax, Yahoo!, and Target. These breaches occur when sensitive information is stolen digitally, and churches and ministries are just as vulnerable to data breaches as any other business or institution. In fact, a data breach is more likely than a terrorist attack, but many churches are more prepared for physical security issues than digital ones.
If your church is hit with a data breach, it will cost you in time and money, as well as severely damage your ministry’s reputation. Fortunately, there are ways to reduce the risk of a data breach and to protect your church and its members’ information. Below are a few steps your church can take to help keep your data safe.
Never reuse passwords. More than 80% of people age 18 and older reuse the same password across multiple accounts. It’s easier to remember a few simple passwords instead of multiple complex ones, but reusing passwords puts your information at risk. You should also make sure your passwords are tough to guess—some of the most commonly hacked passwords include words like “God” and “Jesus.”
Limit password access and train staff to keep passwords private. In addition, be sure to issue new passwords every time an employee or volunteer stops working in the office.
Keep software updated. Set computers to automatically check for updates and install them right away, instead of putting them off. Old versions of software, browsers, and operating systems often have security issues that are repaired in the updated versions. Forty-four percent of data breaches used known vulnerabilities, meaning the attacks could easily have been prevented by installing updates. Always make sure updates are legitimate—only install those that come directly from the vendor.
Make sure your information is well defended. The internet is a minefield—malware and malicious code hide all over websites and in seemingly safe downloads. To help mitigate these risks, use a firewall and have an IT professional maintain your systems and computers. Be sure to hire someone who is familiar with church software and cyber security.
Train staff and volunteers. One of the most important things you can do to protect your data is to train staff and volunteers on what they need to do to help prevent cyber-attacks. Establish policies and guidelines for computer and internet use in the office and be sure everyone is aware of these policies. And make sure you pick the best people to work with your church’s sensitive information—background checks can help you eliminate applicants who may have a history of data theft or other criminal activity.
Develop a response plan. It’s essential to create a plan for how your church would respond to a data breach, just like any other element of disaster preparation. Detail the steps you will take in the event of a breach and designate a response team with specific roles for each member. Consider working with an attorney or legal team to ensure that your plan meets the requirements of state and federal laws.
In the event of a data breach, there are several steps an organization should take.
- Collect and organize evidence. Be sure to document all efforts to investigate and mitigate a breach. Seek advice from legal counsel on the best methods for organizing the evidence.
- Take action to reduce the impact. Determine what data, devices, and systems have been affected, and secure the devices, preserving any data that has been compromised. Change passwords immediately to prevent the attacker from continuing to access your information.
- Notify members who have been affected. If information is exposed, the owners of that data must be notified. Each state has different laws about notifying those who are affected, so be sure to speak with legal counsel about the timeframe and content of the announcement.
- Review your response. After a data breach has been contained, take time to determine the effectiveness of your church’s response and how you can improve your cyber security measures and response plan.
Just as washing your hands does not completely eliminate the possibility of contracting an illness, implementing cyber security measures won’t guarantee that your ministry will not experience a data breach. But practicing cyber security can help your church reduce the risk of such an event and be prepared if information is compromised.
This information is not legal advice. Information is from sources deemed reliable. Information is subject to error, omission, withdrawal, or change. Contact your own legal advisor before taking any action that would have a legal consequence.