By Steve Robinson
In recent years, discussions about data breaches with my church and nonprofit clients have moved from “what-ifs” to “This just happened to one of my clients.” Cyber Liability insurance is no longer a coverage that is nice to have; it’s saving organizations money, time and reputations.
But, cyber insurance is only part of the risk transfer equation — we are often asked for basic tips a church can take to help prevent a cyber loss from happening in the first place. A few points to consider:
#1: Have someone own it.
Data breach studies have consistently shown that organizations that identify a staff member as having ownership responsibility for information security are less likely to suffer a data breach. If they do, the financial impact is smaller. We understand that for churches of varying sizes, this individual could range anywhere from a worship / media pastor who is assigned this task because he or she is computer-savvy (“Hey, give it to Jud — he likes computers!”), to a full-time IT specialist.
The important thing is that someone is responsible and held accountable for ensuring other items in this article are given proper attention. Make sure that person is equipped with the knowledge he or she needs to protect your data.
#2: Take inventory of the data you collect.
If your church’s giving records are older than the headstones in the yard, you might want to rethink that practice. Collecting only the data that is absolutely necessary — and keeping it for the minimal amount of time — will significantly reduce the volume of information that could potentially be breached.
If you are storing credit card numbers, stop doing this; transfer some of that risk to a third party who has the resources to properly secure this data.
On your website, only collect data that is absolutely necessary, and make sure you have permission to collect it.
You know that recycling box on the floor next to the receptionist’s desk? If that person is dropping sensitive information (confidential prayer requests and so on) in that box, make sure the practice stops immediately. Use locked boxes for document destruction, recycling, etc.
#3: Remember: the best firewalls are useless if the front door of the church is left unlocked.
Secure servers, laptops and any other equipment that provides a pathway to your data with locks, access limitations and unique passwords. You know that router you just bought? It came with a factory-installed password.
Remember Jud? Make sure he changes that password when he installs it for your church. The bad guys know that the Juds of the world can be lazy, and this is the first place they look when trying to get in.
When it comes to laptops and portable storage devices, the name of the game is encryption. Employing full disk encryption on laptops provides safe harbor under most state data breach notification laws. It is an extra step, but one that might save your church significantly if a laptop gets left in an airport on the way back from a youth conference.
When it comes to computer use, make sure your staff is well-versed in the common sense practice of locking their computers whenever they step away, even for lunch. While trust is prevalent among ministry partners, we need to be aware that others who might not share our ideals can enter our office space: janitorial services, contractors, mail delivery personnel, document destruction companies — you get the picture. When employees or volunteers leave your church, be sure to immediately disconnect any privileged access they have.
#4: Beware of the click.
My team is working an active data breach claim as we speak, because one administrative person clicked on a link in his email that opened a door for a virus that quickly gave username and access rights to 90 users on the network. Within three weeks, the bill on IT forensics and legal assistance — just to figure out what happened — has tallied into the six figures. Seek resources on the appropriate use of email, and communicate this to your staff.
Social media: great outreach tool / great threat to information security
Churches are increasingly using social media in creative ways to connect with their members. That’s the good news.
However, churches need to implement social media policies that do not allow connections between social media websites and sensitive server data.
Additionally, setting clear expectations on the dos and don’ts of using social media can help avoid costly claims involving invasion of privacy, intellectual property infringement and personal injury.
The majority of data breach claims we receive could have been prevented with the most basic levels of due diligence on the front end. Not every claim is a sophisticated hack. Don’t get overwhelmed by the technology of it, and understand your church’s best defense can sometimes be good, old-fashioned common sense.
Steve Robinson is Area President, Technology & Cyber at Risk Placement Services, Inc., a division of Arthur J. Gallagher & Co. and its Religious Practice, in Cambridge, MD.