| My family lives in a kid-friendly, quiet neighborhood (except when I am outside throwing long football passes to my kids and whooping it up with them). However, the relative serenity and safety of our surburban neighborhood has been challenged lately in relation to a recent string of vehicle break-ins at night. At one point, vandals stole items out of five neighbor’s cars/trucks on our street within a week. Tools, money and even a wedding ring were sadly some of the items stolen. In each case, however, the car doors were unlocked, or the stolen goods/tools were laying in the bed of a truck. It’s one thing to be trusting, it’s another to be smart and trusting. Are you locking your vehicles at night?
Each month the Protected With a Purpose feature addresses issues of cyber security. My disclaimer here is that I am no expert in ChMS software, but given my basic understanding of ChMS combined with having a finger on the pulse of software vulnerabilities, I have noted a few risks posed by these software applications.
Choose Wisely
This first security tip may seem simple but it can also be overlooked. A quick Google search for ChMS packages displayed well over 50 applications. And while the market may be dominated by a select few software offerings, often times these ”popular” programs are geared towards large congregations and can be very pricey forcing smaller churches to look for more cost effective solutions (and remember bigger doesn’t always mean better!). If you research and locate a package that meets your objectives and is a financial fit for your church budget, ask the organization for a trial license and customer referrals prior to purchasing.
Database Security
If you have younger children like me, every time you attend your home church or visit a new church you’re likely running late and rushing to the check-in stations getting your kids signed into their children’s ministry classes as fast as possible. However, each time you check-in, there are a lot of things happening behind the (technical) scenes. Information is entered, collected and eventually organized. Your kids get a nice colorful sticker for identification purposes and parents get the corresponding claim ticket, however, information such as your child’s name, your name, birthdates, contact numbers, email addresses, etc. is also getting stored into a backend database. What I’ve personally found in volunteering at my church (assisting people at the check-in stations), is that while multiple volunteers (helping during different service times, etc.) have access to the front end of the ChMS, maybe only one or two trusted staff members will have complete access to the backend database. This is a good practice, in that in streamlines the gatekeepers of the church family’s personal information. However, in my opinion, the backend database is also one giant risk if not managed and protected well.
The more data collected via the ChMS the more valuable the database becomes not only to the local church but potentially to cybercriminals. The use of insecure (or not properly maintained) databases can lead to data leaks that would result in the exposure of sensitive congregation information. A ChMS database could be deemed insecure based on multiple factors including; implementation, vulnerabilities, group policies, use of weak/default credentials, etc.
I believe a great first question to ask prior to implementing a new ChMS would be, do we have an IT person (or staff) who can be dedicated to supporting the software? Is this person (or team) internal or will they be external (ie. outside consultant/company/volunteer)? Have you put in place a launch team to work through all the aspects of setting up your ChMS? Perhaps a part of that is dialoging and assigning user privilege-levels, such as, Who can see what data (ie. all staff may have access to basic contact info, but only a couple of people have access to things like financial data). A troubleshooting team is a necessary and valuable piece of the ChMS implementation. Trial and error/ and Application of Human Tendencies can be simulated to ease the process, and then both of these areas will naturally occur during your set-up and implementation of the system. A dedicated launch team will assist in maneuvering through the initial bumps and troubleshooting to avoid future ones. People will always be one of our best resources, and although Technology is furthering our ministries, people and personal connections will always be what furthers the Gospel. Our task is uniting the two in productive measures!
As far as vulnerabilities, ChMS is no different than any other database-driven software solutions out there on the market where databases can be exploited based on vulnerabilities known and zero days (unknown) exploits. The simplest attack on a web database would be a SQL injection attack. Other type of attacks would be unauthorized access of data to a cybercrimal, based on the weak privileges/passwords/roles/policies set by the Database Administrator. For anyone who believes organizations, and their most valuable assets (your collected data) aren’t under continual assault by cyber thugs, may want to check out the following link detailing publicly known data breaches in the past: https://haveibeenpwned.com/PwnedWebsites
The best database you can have is a secure one. A couple suggestions for a securing your database and avoiding falling victim to a data breach:
1. Maintain software patches. This is not only true for your ChMS package but also for other software applications running alongside your ChMS (ie. Adobe, Java, etc.). It is also critical that you keep your Operating System patches up-to-date.
2. Install strong security software on your system hosting your ChMS. As always (and I know I am biased) but I would recommend Thirtyseven4 Endpoint Security. We not only offer strong AntiVirus/AntiMalware protection but also many other great features such as Intrusion Detection/Intrusion Prevention (to thwart direct cyber attacks), Patch Management (to automatically check, disperse and install the critical software patches noted above), Firewall, etc. Our product is customized for churches of all sizes.
3. When installing your ChMS and configuring your backend databases, use complex passwords that can’t be easily guessed/cracked. Recent ChMS developments now allow for the option of a cloud-based solution as well (the ChMS can be accessed from anywhere), and so our basic security recommendations stand firm-- do not store passwords in browsers as this can result in unauthorized access to the ChMS and be a huge potential security problem point (like leaving your keys in your car in the driveway!).
4. Secure transactions. If you are utilizing your ChMS for banking, bill paying, tithe collecting purposes, you need to make sure these financial transactions are shared over a secure channel (https), as not doing so could also be a big security risk. My assumption here is that since payment gateways are mostly third party sites, they may tend to have a lot of security including an SSL based communication which secures the link, etc., however, it is still worth verifying.
5. And More. Another possible security breach would be backdoor type operations, and that refers to properly locking down the check-in stations available to the public, which is very important.
Of course in a church “family” we want to trust our members and attenders. And in my own driveway, I would like to believe that my vehicles are safe. But I still lock my doors, and we did not have any valuables stolen during that rash of break-ins, which I attribute to locked vehicles. Like clockwork, you can listen for the “beep-beep” of my clicking the locked-door alarm on our cars every night before I go to bed, but then I ensure that they are secure. It’s up to us to take the measures to keep ourselves, our families, our churches, and our personal information safe. Why wouldn’t we go through those motions at church, as well as at home?
As a refresher, my basic tips for ChMS security include choosing a reputable provider, database security, secure transactions and proper security measures at check-in stations. Putting a check in each of these areas will get your church management system off on the right foot, or if you have already established one, it can steady your footing.
Whether it is breaking in to cars at night for drug money or breaking into a church via their ChMS package…It is all vandalism, where critical, sensitive data of yours can be stolen. In the car it is your wallet and at church via the ChMS, it is your personal information. Crime is crime. However, taking basic security procedures like AV software, software updates, and complex passwords can prevent such attacks, just like taking a moment at night to lock your cars or secure your tools can make the difference of still owning them in the morning.
We all like happy endings. The wedding ring mentioned earlier that was stolen from an unlocked car at night was found! The woman that lost it tracked it down herself at a local pawn shop. Spare yourself the drama, however and keep your valuables (car or church!) well-secured. |
