Churches, do you know the company your data is keeping?


In 2019, churches, middle judicatories, synods, presbyteries, dioceses, and other governing bodies need to plan how they will manage data privacy issues more seriously than in the past. My suggestion would be to look to Europe and the General Data Protection Regulation (GDPR) which has gone into effect even for churches. Many churches in the US have counterparts in Europe, and you can look to them for guidance.

There is a direct correlation between data privacy and the threat of cyber attacks, and every organization needs to consider it. Churches and religious institutions are especially at risk due to the nature of the data they store. Not only do churches store financial data, but they also store personally identifiable data and data that many would consider highly privileged. Keep in mind the data about members of your congregation that may reside on a minister's laptop, phone and computer. The good news is that you are not the only entities in the world dealing with cyber attacks, data privacy, and growing regulations.

There is an old saying among cybersecurity professionals: “You either know you have been hacked or you don’t know you have been hacked. In either case, you have been hacked.” Just because you have anti-virus software and/or firewalls doesn’t mean you are protected.

As your organizations start to plan for 2019, now is the time to prepare effective detection and mitigation steps and to develop policies for how your organization manages data and your congregation’s privacy. I have visited hundreds of church and religious-oriented websites only to find there is no privacy policy. Putting together a good plan will reduce attacks against your church/organization and your congregation members.

In your planning for 2019, consider these factors to better prepare for protecting the data of your congregations. If you outsource your technology to a third party, you are still responsible: the buck stops with you.

1. Use threat intelligence and take a proactive approach to your defense against cyber attacks. No organization on this planet is immune to cyber attacks. If you are thinking to yourself, “No one would ever want to attack us, and besides, how does anyone know we exist?”, remember that bad actors are scanning the internet 24x7 and “sniffing” for vulnerabilities. Unless your computers never connect to the internet or communicate with other computers, you run the risk of having your data exposed. By monitoring hackers and what they do on the internet, the dark web and the deep web, you can identify key attack attributes early, focus your response, and be proactive rather than reacting when it is too late.

2. Perform a risk assessment. Evaluate your risks. Use the outcomes of your risk assessment as part of your plan for 2019 to increase your security. Look to financial institutions for some guidance here. I am sure every church and organization has a “banker,” “insurance executive,” or “broker” who can share the steps they take as a financial institution. Always keep in mind that being compliant does not mean you are entirely secure. You need to focus on managing the risk. Again, this all starts with a risk assessment. Remember, the KEY to good protection is a proper risk assessment. You will save money by not overbuying protection.

3. Use automation tools to weed out the “noise” from the internet. Data is everywhere. Your risk assessment will show all the places your data touches and resides, and whom your information is keeping company with, which you may not approve of.

4. Keep logs. Track your threats and where they come from, anywhere in the world. Do not be surprised to see that someone in China, Brazil, Russia, etc., has made attempts to gather your data. Tracking threats and keeping logs will better prepare you to respond to attacks and threats against the data of your congregation.

5. Monitor your third party if you outsource your technology to them. Don’t just assume they have it covered. Help them know what is important to you and share your risk assessments with them. Be diligent: in the world of cybersecurity, trust no one, and always verify.

6. Innovate-Educate-Collaborate. Never underestimate those three words. Live by them, and primarily focus on educating your teams, volunteers and co-workers on how to become aware of attackers, how to know when data is compromised, and how to respond. The key is for all education to be practical and to make sure you collaborate with others who are facing the same situation. It takes more than a congregation to combat cyber attacks and to protect your data.
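Point 4 (keep logs, track where threats come from) is easier to act on with a concrete picture of what a log review finds. The script below is an added example, not part of the original post: it parses a handful of constructed web-server access log lines (standard Apache/nginx “combined” format, with made-up addresses from the reserved documentation ranges) and counts, per source address, repeated failed logins against a members page and bursts of “not found” responses that typically come from automated probing. The login path `/members/login` and the thresholds are assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2019:03:14:07 +0000] "POST /members/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2019:03:14:09 +0000] "POST /members/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2019:03:14:11 +0000] "POST /members/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2019:03:14:13 +0000] "POST /members/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2019:03:14:15 +0000] "POST /members/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jan/2019:09:02:41 +0000] "GET /sermons/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jan/2019:09:03:02 +0000] "POST /members/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jan/2019:09:03:20 +0000] "POST /members/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jan/2019:11:47:30 +0000] "GET /admin/ HTTP/1.1" 404 231 "-" "python-requests/2.21"
192.0.2.55 - - [12/Jan/2019:11:47:31 +0000] "GET /old/ HTTP/1.1" 404 231 "-" "python-requests/2.21"
192.0.2.55 - - [12/Jan/2019:11:47:32 +0000] "GET /backup/ HTTP/1.1" 404 231 "-" "python-requests/2.21"
malformed line that should be skipped
"""

# One "combined" log line: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts. Malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def failed_logins_by_ip(entries, login_path="/members/login"):
    """Count HTTP 401 responses to POSTs against the (assumed) login page, per source IP."""
    return Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"] == login_path and e["status"] == "401"
    )


def not_found_by_ip(entries):
    """Count 404 responses per source IP; a burst of them usually means automated path probing."""
    return Counter(e["ip"] for e in entries if e["status"] == "404")


def flag_sources(entries, login_threshold=3, not_found_threshold=3):
    """Return {ip: [(reason, count), ...]} for sources that cross either threshold."""
    flags = defaultdict(list)
    for ip, n in failed_logins_by_ip(entries).items():
        if n >= login_threshold:
            flags[ip].append(("failed_login", n))
    for ip, n in not_found_by_ip(entries).items():
        if n >= not_found_threshold:
            flags[ip].append(("not_found", n))
    return dict(flags)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries")
    for ip, reasons in sorted(flag_sources(entries).items()):
        print(ip, ", ".join(f"{reason}={count}" for reason, count in reasons))
```

Run against the sample, the script flags the address with five failed logins in eight seconds and the one walking through non-existent directories, while the member who mistyped a password once and then logged in is left alone. The same two counters, pointed at a real access log and run on a schedule, give a small church the “where are the threats coming from” record the post asks for; the thresholds are the knob to tune against your own normal traffic.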

