The word “disaster” usually conjures up images of physical destruction: trees knocked over by gale-force winds, homes submerged in flood waters, bullet holes through a door. But the WannaCry virus attack that infected over 230,000 computers in 150 countries was a reminder that the threat of disaster is sitting right on our desktops and in the palm of our hands.
Organizations like churches face additional risks, as all the financial and personal data they have collected and stored could be vulnerable to hackers who are constantly looking for new ways to attack, steal, and expose such information. Protecting this data requires constant vigilance and attention to the growing and evolving field of cybersecurity.
For some expert insight into this particular type of disaster preparedness, I went to my friend John Weathersby, the founder and executive director of the Open Technology Center (OTC). OTC is a nonprofit technology research entity established through support from the Department of Homeland Security and the Department of Defense at Camp Shelby Joint Forces Training Center. OTC was established to facilitate research, development, evaluation, and transfer of open technology resources that support national defense and homeland security objectives. They help agencies and organizations in rural and underserved areas identify and adopt technologies and practices that have been developed and used by federal agencies, the military, and larger agencies around the nation. He shared with me what churches need to be doing now to secure their digital data and prepare for future cyberattacks.
What are the biggest cyberthreats churches might be overlooking?
Everything we do has a cybersecurity component because cyber touches every aspect of our personal and business lives today—even church leadership. We’re all connected through our phones, computers, financial transactions, health and business records. With a little prevention and common sense, you can protect your personal and business information from most of the risks out there today. It’s like hygiene: washing your hands and being mindful of your surroundings may not make you immune to sickness, but it reduces your exposure and risks. If you think you may be getting sick, you go see a doctor. Similar with electronic hygiene: you do what you can on a daily, regular basis, and if something doesn’t feel right, then you seek help from a professional.
How can a church prepare well? What would be the first steps a church should take?
Anyone who collects and manages other people’s personal information—including churches’ personal information—has a higher level of responsibility and must be more proactive in cybersecurity and defense. If a church maintains any type of electronic records regarding their members, we would strongly recommend they be aware of and implement common-sense cybersecurity measures to protect this information.
The most common-sense approach is referred to as the “3P” rule: policy, practice, and people. Here’s how church leaders can apply it to protect their congregations:
1) Policy. Have a cybersecurity policy. Be aware of what and how your church collects, manages, and protects information on your members. It doesn’t need to be a complicated process; in fact, the more simple the policy is, the more likely it is that it will be applied.
2) Practice. Make sure you follow the policy. There is no silver bullet when it comes to cybersecurity or physical security. We say, “Cybersecurity is a process, not a product.” This includes simple things like making sure that patches and security updates have been implemented. If you have filters, make sure they are turned on. If you have old equipment and software systems, consider upgrading—or at least be aware that those systems may be more vulnerable. Most importantly, don’t download or open files or emails that seem suspicious. That’s part of training: to help people be aware of what to look for or how to handle these situations. Simply being aware of threats and scams that are out there can save you a lot of trouble and headache.