When First Baptist (not the church's real name) hired a network engineering firm to help them with their computer system, they never dreamed they were inviting in thieves. But when employees of the firm saw the scope of information saved in the church's database, they copied it and rented the list to businesses that wanted to reach people in their community, segmenting it by various demographics—including contributions!
Data is one of the most valuable assets a church has, but trying to figure out what it's worth so we can adequately protect it is challenging. Protecting data isn't difficult, but the task must be approached as deliberately as the fire and security protection we apply to our church buildings.
The first step is to recognize that your church has different kinds of data. Classifying that data helps you set a value on each kind so you can protect it strategically. While some data is mission-critical, other data is merely convenient. The difference is often found in answering the question, "What would happen to our church and our ministries if this data were made public or destroyed?"
Data that might be considered mission-critical includes:
Databases. Databases contain names and contact information, and sometimes include contribution, attendance, baptism, and other data that help us serve our congregations. Unfortunately, most churches have more than one database. In addition to lost efficiencies and synergies, multiple databases add complexity to the task of data protection. Church databases can include true databases, spreadsheets, document files, contact lists, and, of course, the Rolodex™.
Sermons and Lesson Preparation. Sermons and lessons and the research behind them.
Communications. Letters and e-mail between the organization and others—both internal and external.
Graphic Files. Photos, videos, bulletins, programs, promotional posters, and audio files.
Governmental Documents. Church meeting minutes, agendas, meeting notices, etc.
Custom Programming. Templates or any other items that have been customized to help communicate and serve with uniqueness.
Threats to data security can be classified as either internal or external.
Internal. Good employees sometimes become disgruntled employees. Hardware sometimes crashes. Vendors sometimes develop sticky fingers. We are constantly being attacked with malicious software (called "malware") in the form of spyware and Trojan horses.
External. Burglars, external catastrophes like hurricanes and earthquakes, and those who try to hack into systems that are connected to the Internet. As we monitor our clients' network security, we see almost constant evidence of Internet programs (called "bots") trying to exploit operating system vulnerabilities. Their goal is to grab data or computer resources to serve the interests of others.