Share:

Home > For NAD Pastors > Articles >
.
Four Things You Need to Know About Church IT Security
.
By Tony Vargas

Information Technology (IT) Security for Churches?  So what is the big deal and what is it all about?

While dealing with unlocked doors, open windows, vandalism and other such costly issues, many churches don’t give much thought to the security of their technology.  What this document is intended to do is to illustrate why IT Security should be at the top of the list along with the question of who has keys to the building.  Each can be just as costly as the other. 

For many the world of information technology, computers and all things technical can appear daunting. In this article we will give you the administrator’s view of IT security. These are the things you need to know as the leader, so that as you implement safe practices at your church, or as you work with the computer experts in your church who do the implementation, you will understand the issues and recommended solutions enough to ensure that best practices are being used.

As we discuss the importance of IT Security, we intend to focus on these primary topics:
  1. What do I need to protect and why?
  2. Layers
  3. Access control
  4. Backups

What do I need to protect and why?

Many church and other related organizations may not consider that they have anything of much importance on their computers.  However, in this day and age, information is money.  And so you may be surprised just how much the information that you have is worth.  And that information can be used in a variety of damaging ways when accessed by the wrong people. 

Take for example, your church members list, including phone numbers and addresses.  In this scenario, armed with this information, a criminal can contact church members selling goods and services which may not even exist.  However, when these perpetrators know and use names of other church members, it lends them credibility.  Your church members can be scammed simply because your church member list falls into the wrong hands.  What else may be on your computers?  Do you have financials information, bank account information, and passwords?

Let’s consider another scenario.  Your computer is hacked and the individual who now has control of your computer may use your computer to store or share with others, information or material of an inappropriate nature or they may even use your computer and Internet service to launch attacks against others.  Some may simply be interested in causing damage like any typical vandal who paints graffiti. Did you know you could be held liable for their actions?

And while nothing is guaranteed to keep everyone out, the steps you take will keep you safe from the “general hacking community”.  These are the people who will do random scans just to see what is out there.  Criminals of opportunity, you might say, who are looking for an open door.

So where to begin?  The best approach to your IT security is layers.  The more layers, the more protected you, your systems and your data will be.  Each layer you put in place will overlap the next, creating an environment that is unwelcoming to those who would do harm.

Layers

Approaching your IT Security using a layering approach allows you to evaluate each level of your technology infrastructure.  And so let’s start from the top down, so to speak, with your Firewall.

Your firewall is the device that connects you to the Internet.  It sits between your computers and the Internet provider’s device like a cable or DSL modem or router.  Never connect your computers directly to the DSL or Cable Modem. 

There are many types of firewalls and just as many price ranges for them.  Talk to your church IT department or ask others what they use. 

The most basic purpose of the firewall is to allow or deny certain types of network traffic into and out of your computer network.  Like a doorman at the door of a building who based on certain policies, chooses who or what to allow through the door.

As you look at choosing an appropriate firewall, consider features such as intrusion detection and prevention, stateful packet inspection (a stateful firewall keeps track of the state of network connections traveling across it[1]) and filtering. 

Remember, when configuring your firewall, never use the default credentials.  Be sure to change the passwords using 10 or more digits that include numbers, upper and lower case letters and special characters if you can.

The next layer in your security to consider is network segmentation.  This is the practice of separating your network into logical sections to separate communication types that do not need to see each other.

Take for example, your wireless network.  You may want to offer your members wireless Internet access while at church as well as to provide wireless Internet access for your Pastor and other church computers.  But you don’t want member computers to have access to your church computers as this would expose your church computers to risk of infection or intrusion since church member computers and devices may or may not be protected from viruses or other vulnerabilities. And since you cannot control how well they are protected, you should keep them safely separate from one another. This is network segmentation. 

Many affordable access points now come with the capability to provide both a business and guest network connection for wireless users by providing multiple SSIDs or networks.  One for church business and one for your church congregation. 

The next layer would be your computers themselves.  Just as for all of your other devices such as firewalls or routers, you need to be sure that you are installing your operating system updates and patches monthly.  And not just for your operating system like Windows but for all of your software applications such as browsers, Adobe, etc.

In addition to computer and software updates, be sure to run a branded antivirus / anti-malware program to protect your computer from infection.

There are additional layers that should be mentioned that can be added to your security approach such as using a filtering service to scan your emails for virus, malware and phishing attempts and removing this type of content before it ever reaches your firewall and even web-filtering services that filter the types of content the computers on your network can browse to on the Internet such as known infected websites or sites with questionable or inappropriate content.  There are many affordable choices for these types of services that add significant levels of protection to your IT Security approach and yet they can be some of the easiest to implement.

Access Control?

For each layer discussed above, you should always consider access control.  This is the practice of keeping adequate control of access to each of your systems. 

Remember that your security is only as strong as the weakest link and often times this can be passwords that are too simplistic or often non-existent.  

Additionally, providing access to users and having that information passed on un-intentionally or even intentionally to others is a common failure in access control.

Be sure to only provide passwords for these systems to those who need them.  And remind them that these passwords are not to be shared.

For all of your devices such as firewalls, access points, computers, projectors and other similar equipment, start by implementing password complexity.  This is the process of using passwords with 10 or more digits that include numbers, upper and lower case letters and special characters wherever you can.  And remember to change your passwords regularly.

Additionally, for computers, you should also consider setting your computers to not automatically login but instead to require a user to press Ctrl + Alt + Delete when logging in.  Also, never show the last logged in user.  And consider always locking your computers when you are away from them.

For access points, use a hidden SSID (network name) for your church staff computers so it doesn’t even show up for member or guest use.  And consider changing your wireless passwords at least four times per year or more.

And what about physical access?  How often do you find doors at your church left unlocked?  Following the password rules above, you reduce the chance that someone may easily obtain access to sensitive information on your church computers.  However, if someone steals your computers they will have unfettered access which will allow them to eventually bypass your password and to obtain your data.  So to protect your information on those computers, you may want to consider encryption of your computer hard drive(s).  There are many affordable or even free hard drive encryption applications that can protect your data in the event that the computer is stolen.

Backups?

Remember in all cases, you should have backups of your data that if possible can be stored offsite in a secure location.  In the event that your computers crash, or are hacked and data is destroyed or damaged what would it take to restore your data? 

Now think about the time it would take to rebuild the computers if it was a catastrophic loss due to a natural disaster or a theft.  How long would it take to reinstall all of your applications and configure them on a new computer?  Does anyone know how they were configured or will you have to start from scratch?  Do you have all of your software to reinstall or was that damaged or lost as well?  Will you be relying on church members to get things back up and running or will you need to hire an expensive consultant who charges by the hour?

Fortunately, there are easy ways to reduce the impact from both of these types of loss.  While backing up your files and data is important, there are a vast number of affordable programs that will “image” your entire hard drive.  Imaging is the process of essentially taking a picture in time of your computer hard drive.  From that image, you can not only restore files but you can literally restore that image to a new or repaired computer and within minutes, your Operating System, all of your software applications and your data is restored and you are up and running.

Imaging technology, along with larger hard drives, allows for weeks of computer backups to be safely stored and taken offsite allowing for recovery from even the most disastrous of events. 

Conclusion

In looking at everything we have discussed, we can now realize that just as we need to mitigate risk to our church property by securing against those who are looking to vandalize or perhaps even steal from our church, so must we also take care to secure our technology from those who wish to damage our systems or steal and misuse our systems or information. 
 
Tony Vargas –is the Manager of Information Technology at Adventist Risk Management, Inc.