From passwords to payments, protect your church, says Presbyterians Today columnist

An online security refresher for the new year

by Richard Hong | Presbyterians Today

The Rev. Richard Hong

The start of the 2020 pandemic saw many churches scrambling to do ministry digitally, leading them to hastily create a plethora of online accounts. Now that the pressure has subsided, it’s time to review these accounts to not only assess what’s working, but also to ensure that your organization’s online security is not vulnerable to attacks. In this column, we will address passwords and payments.

Let’s begin with a word on passwords. In addition to your email passwords, you probably have accounts with Zoom, Facebook, YouTube — not to mention online banking, shopping, the Board of Pensions, etc. Hopefully you have a record of your passwords with each account, and you are not using the same password for every account. But there’s something new in the world of passwords that’s becoming almost universal and can create future problems. It’s two-factor authentication.

Two-factor authentication is where a login is followed by a code that is sent by text message to a cellphone. If the cellphone is a staff member’s personal phone, what happens if the person leaves, particularly on unfriendly terms? Consider having a church-owned phone to which all two-factor authentication codes are sent. Also, audit your online accounts to see how you would access them if someone was suddenly incapacitated. Imagine an employee or volunteer leaving, only to discover that you cannot log in to an account without a six-digit code that was sent to their phone. Some sites will allow you to have an organizational account that can be accessed by more than one person. But also, beware of the level of privileges assigned to secondary users on an account. There are stories of employees who had administrator privileges on the church Facebook page removing admin privileges from everyone else, effectively stopping the church from updating their page.

Next there is the safety of members’ financial information. We strive to ensure we never have any member’s personal financial information (credit card or banking data) on-site. Our database and online/mobile giving services are hosted in the cloud, so the data resides solely on the vendors’ sites. We do not even allow a church member to give us their credit card information for a donation. They must do it themselves. We’ll help if asked, but we will not receive such information because we can be held liable if the information is leaked from our systems. Which brings me to the question: Does your church have a cyber-liability insurance policy? We purchased a separate cyber-liability policy that covers us for breaches of financial data, ransomware attacks (where a hacker disables your systems until a ransom is paid) and electronic fraud. You might want to consult your insurance broker about your exposure to computer-related liability.

While I couldn’t do a deep dive (there is more to talk about when it comes to security), I hope I prompted you to explore your processes and take measures to minimize your exposure to possible threats.

The Rev. Richard Hong is the pastor of First Presbyterian Church of Englewood, New Jersey. If you have questions or comments, email him at rich@englewoodpres.org.