This series is on Church IT, but our guest really likes to think of it as mitigating risk. From help desk to cyber security, their company does it all. Today's topic is how to prevent data breaches by learning some of the basics of IT cybersecurity.
Cybersecurity is basically multiple layers of protection. Every desktop needs an EDR (endpoint detection and response: think of it as anti-virus that also records what runs on the machine and lets a responder act on it) that is managed and monitored. Everything discussed today needs to be managed and monitored (preferably by someone who knows what they are doing), but this one especially needs to be set up and watched by an IT professional; an EDR that nobody looks at is just a more expensive anti-virus.
Next up, firewalls need to be set up, and there should be a line between guests and employees: trusted devices are usually allowed more than what your guests are allowed. There should also be distinctions between all your other technology. For instance, AV and security cameras should each be on their own separate network. And churches, just like businesses, need business-grade firewalls.
On a basic level, your internet comes into the organization through a modem, the modem is plugged into the firewall, and the firewall goes to your network. Nothing else should hang off the modem directly. These are the basic layers of cybersecurity needed.
Now let's talk about everyone's favorite: MFA. Authentication is proving who you are. The industry uses three kinds of proof: something you have, something you know, or something you are. Passwords are the something you know, and on their own they are the weakest factor: the cheapest and easiest for an attacker to obtain, whether by guessing, by phishing, or by reusing a password leaked from another site. Something you have would be a key fob or a phone. Something you are is biometrics: a fingerprint or iris scan. (You aren't going to see biometrics in a church, don't worry.) So with MFA (multi-factor authentication), you combine something you know with something you have, and that raises your security: a stolen password alone is no longer enough to log in.
As we know, adding the second layer can be inconvenient, but it does help protect your organization. Our guest compares it to seat belts and smoke detectors. Neither is designed to add comfort or convenience to your home or vehicle, but both could save your life.
VPNs are common technology right now. If you're going to give a remote employee access to your network, you are going to have to use a VPN to give them that access, and that VPN needs to be audited: who connected, from where, and when. VPNs, on a personal level, can mask where you are going on the internet; this is how you can watch a show that is not normally available in your country. Remember, you get what you pay for: a VPN provider sees everything you send through it, so a free one only moves your trust from the coffee shop to the provider.
According to our guest, any cloud-based access into a church membership database needs multi-factor authentication. There is personal information (and often giving information) in those systems, and we wouldn't want that information to get out. You may also not want everyone in your organization to have access to it; give people only the access their role needs. Nathan says that is one area he consistently sees as a need among church clients.
Good EDR on desktops, a good firewall, MFA, and good network separation: those are most of the big things that need to be addressed first.
For your wi-fi, you really want it separated at the network level, either physically or with a VLAN. Most organizations want a "guest wi-fi" available to the public without a password. (Again, that needs to be separated from the employee wi-fi, and guests should not be able to reach anything on your network except the internet.) But our guest also says there should be a time restriction on the guest wi-fi. Not every organization will have people in their parking lot at 2am just to use free wi-fi and get themselves (and potentially you) into a bit of trouble with the FBI. But why give them the opportunity?
A note on smart devices
Industry best practice is to segregate your IoT (Internet of Things) devices. These are all your "smart" devices. Give them their own network with direct internet access and nothing else; most of them talk to the vendor's cloud service anyway, so they have no reason to see your staff network.
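To make the separation described above concrete, here is an added example of a firewall ruleset for the layout the episode describes (staff, open guest wi-fi with a time window, cameras, AV, and smart devices each on their own VLAN). It is written for Linux nftables and is not from the podcast or the guest's company; the interface names, VLAN numbers and the 06:00 to 23:00 guest window are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the episode). Assumed interfaces on the gateway:
#   wan0   = uplink to the modem
#   vlan10 = staff devices
#   vlan20 = guest wi-fi (open SSID)
#   vlan30 = security cameras
#   vlan40 = AV equipment
#   vlan50 = IoT / "smart" devices
flush ruleset

table inet segmentation {

    # Traffic addressed to the gateway itself
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept

        # Only staff may manage the gateway
        iifname "vlan10" tcp dport 22 accept

        # Every VLAN needs DHCP and DNS from the gateway, nothing more
        iifname { "vlan10", "vlan20", "vlan30", "vlan40", "vlan50" } udp dport { 53, 67 } accept
        iifname { "vlan10", "vlan20", "vlan30", "vlan40", "vlan50" } tcp dport 53 accept
    }

    # Traffic crossing between VLANs or to the internet
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Staff: internet, plus management access to cameras and AV
        iifname "vlan10" oifname { "wan0", "vlan30", "vlan40" } accept

        # Guests: internet only, and only while the building is open.
        # nft converts these hours from the local time zone when the
        # ruleset is loaded, so reload after a daylight-saving change.
        iifname "vlan20" oifname "wan0" meta hour "06:00"-"23:00" accept

        # Cameras, AV and smart devices: internet only.
        # They can never initiate a connection into any other VLAN.
        iifname { "vlan30", "vlan40", "vlan50" } oifname "wan0" accept

        # Guest -> staff, IoT -> cameras, and so on all hit the drop policy.
    }

    # Hide every VLAN behind the single public address on wan0
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f segmentation.nft` and check the result with `nft list ruleset`. Two things this file cannot do for you: the access points must be configured to tag each SSID onto the right VLAN, and client isolation between guests on the same SSID is a setting on the access point, not in the firewall.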
A note on using public wi-fi
When you are out in public, the best option is to use the hotspot on your phone. Not always practical, but best. More commonly you are on public wi-fi, which could be opening you up to an outside threat. In those cases you are trusting that the venue has done its due diligence, so use only the sanctioned (posted) wi-fi for that conference or coffee shop, or wherever you may be working remotely, rather than a look-alike network with a similar name.
Email threats, and ways to protect ourselves and train our team, is the last topic today. The short version (rather than the 45-minute presentation) is this: anyone can drop an email into your inbox. (People can guess your organization's email naming structure in about 3 guesses.) Phishing tests are one way to help train your team. This involves an IT company sending out test emails and seeing how your team responds. Then you circle back and share training with your team; the results tell you the level you are working with.
Just know, you (or someone on your team) are going to click on a suspicious link. Once that happens, common sense has to take over. If you are asked for a password right away, that is your red flag. Get out of the browser, maybe even restart your computer, and tell IT what happened. If you did type a password in, change it and tell IT that too. You can only prepare and guard so much before something gets through.
The greatest IT weakness may be the end user. But talking about it with and training your team is a great way to start preventing these security threats. IT security is a complex issue we have to tackle daily, even when we don't think of it as part of our ministry.
Join us next week as Chris & Nathan continue their discussion on Church IT.
Special thanks to our guest, Nathan Maxwell, and our masters of all things Podcasting, Chris and Lauren Miller, for this second episode in our Church IT series.