Nick B. Nicholaou serves as president of MBS Inc., based in Huntington Beach, California. In his role with MBS—which stands for Ministry Business Services—Nicholaou has served churches as an IT (Information Technology) consultant and strategist for many years. Since 1987, he has helped churches through a number of IT transitions, and he wrote the Christianity Today book Church IT. I spoke with him about how churches should approach IT.
Churches tend to be open, welcoming places with a heart for saving the lost. What potential risks can this create when it comes to IT risk management?
Churches today offer WiFi access for their guests as part of being a welcoming organization. They want to provide an appropriate suite of services to help meet people's needs. But most churches do not strategically approach how to set up the WiFi for those needs.
I talk in my book, Church IT: Strategies and Solutions, about the need to segment WiFi for guests versus staff, and to make sure that WiFi access for guests is filtered for appropriate content. Churches need to either use a password to protect their WiFi or turn it off when WiFi doesn't need to be available.
Why is that important?
At a church in Missouri, someone pulled into the church parking lot after hours and distributed child porn over the church's unsecured public WiFi. The FBI was called in to address this, and investigators saw that it was coming from the church's public IP address. The FBI then confiscated all of the church's computers, including servers, to do a forensic analysis to make sure no one on staff was involved. The forensic audit took months, so the church was without their computers for that length of time.
Churches need to protect their public WiFi access, either with a password, which is recommended—but most churches don't want to do this because they want to be open, accepting places—or they need to at least turn off their WiFi when it doesn't need to be in use.
In your book, you talk about changing paradigms such as the cloud. What is the cloud, and what risk management issues are associated with it?
The cloud refers to where data and apps reside and how they're accessible. If they reside on servers, and those servers are accessible over the internet, that's the cloud. It doesn't matter if the servers are in your building or in a datacenter somewhere else. The fact that they can be accessed over the internet means they're in the cloud.
If churches use cloud storage, they need to make sure their security is up to date. That means that nobody can access the data except those who are given access.
Another changing paradigm you mention is BYOD. What is BYOD and what risk management issues are associated with it?
The cloud enables BYOD, but BYOD is its own issue. BYOD stands for "Bring Your Own Device." We see a growing trend where people want to use their own computers, or organizations that want people to use their own computers rather than computers that are bought by, engineered, managed, and controlled by the organization. BYOD makes many IT people very nervous.
There are certain policies you need to have in place to protect the organization and the user if you're going to do BYOD. BYOD makes sense for most organizations today, but there are issues of responsibility.
For instance, what is the organization responsible for and what is the user responsible for? If someone says, "Hey, I would like to use my own computer instead of the computer you have given me," what happens if the hard drive on their personal computer crashes? Who's responsible to fix it?
From a risk management perspective, the organization should require that the user's machine run the organization's preferred antimalware solution. The user also should be willing to submit the personal computer to the organization periodically to confirm that the antimalware solution is still running and is properly configured.
Why do you think BYOD makes sense for most organizations?
A couple of reasons. One, it makes for a happier user community, and two, it can save the organization money.
If I'm a church pastor, why would I want to buy my own computer?
That's a good question. So maybe we're a church that only allows Windows machines. And we've just called you as a pastor, fresh out of seminary, and you've done everything in your computing life on a Mac. Should we care if you use a Windows machine or a Mac? With today's technology it doesn't have to matter. We should focus on how to make you optimally productive. So how do we make you as productive as possible? Probably not by requiring that you switch to a church-owned Windows computer.
You emphasize the need for organizations to have a disaster recovery plan for their IT. In your experience, are most handling that issue well?
Most handle it, at best, on a mediocre level. They might be doing backups daily. They might be taking one backup offsite on a weekly basis. But they're probably not testing their backups on a regular basis. And the reason usually is not enough staff. I understand that this is a situation many find themselves in, but in a disaster the only way you're going to be considered heroic is if you know for a fact that you're going to be able to recover your data.
I know a church that lost its entire IT operation for a month because a storm took out all of its servers. This was a megachurch that had multiple IT staff. One person was responsible for testing the backups on a regular basis, but because the backups had always worked, he just decided—on his own—to stop testing. Then the storm came through, took out the church's entire IT infrastructure, and guess what the church didn't have? Backups of data!
That leads right into my next question, which is: how scary should this IT arena be to churches?
Well, it needs to be appropriately assessed. God did not give us a spirit of fear, and that's an important piece of the puzzle. But he did give us brains and gifts of administration and wisdom, so we need to apply them and say, "How should we best approach this?"
It really is a risk management issue. And, just like any risk management issue, we need to decide where we feel the appropriate setting is on the risk meter that we're comfortable with. To ignore IT in that evaluation is unwise because today everything depends on IT.