As churches conduct more banking transactions online (from checking the church bank account balance to paying bills) more than ever, we need to be aware of the potential vulnerability of our church's financial data and accounts.
You and your staff may already keep church checks secured; limit who can access banking information; ensure multiple people are involved in counting and depositing the offering each week; and limit access of church debit cards to a select few.
Are these actions enough to prevent cyber-theft?
While they may prevent potential theft of church funds, money isn't just stolen through tangible methods anymore.
Hacking, malware, phishing, identity theft and other online threats can end up costing an unprotected church—-a lot.
Cyber-theft can occur a variety of ways; here are just a few possible scenarios:
- Anyone on staff could open an email attachment and accidentally install a computer virus or malware onto your church's computer network. From there, the sender can steal banking login information, credit/debit card numbers, information useful for identity theft purposes and more.
- A hacker gains access into the church computer network and steals data, passwords, payroll data including social security numbers, plus information on church members.
- The financial manager of your church has their laptop stolen, enabling the thief to gather financial information from the hard drive and/or any saved logins.
HOW TO PROTECT YOUR CHURCH
Tip #1: Educate staff and volunteers
Technology changes rapidly, including the technology developed to steal data and money.
As more people use their mobile devices to access the web, conduct financial transactions, and more, thieves continue to develop new ways to trick the unsuspecting user into giving up their information.
To prevent this from happening with church data, educate staff and volunteers who have access to the church network and devices (computers, phones, and notebook computers). They need to know how to identify suspicious emails (especially those with attachments or that look like they're coming from a banking institution but are fake) and what to do if they receive one.
They also need to be aware of scams run via text messages or mobile apps that look legitimate but contain links to websites containing malware that will automatically install on the phone or other mobile device.
Therese DeGroot, with the Community First Financial Resources Team, recommends churches "establish online protocols to block staff and volunteer access to certain websites and to invest in robust anti-virus software that will protect company systems from external attacks."
Tip #2: Bring in the professionals
It's tempting to cut costs and not hire anyone to monitor and maintain the church network and computer equipment. However, that decision can end up costing the church in the long run.
One click of an email attachment could be all it takes to infect your entire network with a virus. Dealing with that security breach could cost thousands of dollars along with many hours of lost productivity.
First off, develop and enforce a policy regarding keeping anti-virus software up-to-date, reviewing all software programs installed on the church network and/or computers for updated versions with the most current software protection, etc.
You'll also want to install a firewall to protect the church's internal network from outside attacks.
Also, establish separate wi-fi networks one that can access the church's internal network and has a password only shared with staff members, plus one that can not access the church's internal network with a generic password.
Next, whether you contract a vendor periodically or hire someone full-time, bring in a professional who knows how to protect your church's network and computers.
You need someone who stays educated on the latest viruses, malware and other security threats. A professional will have the knowledge of how to defend against each. Don't leave this to a volunteer who can only stop by once a quarter for a few hours.
Finally, talk with your church accounting software and/or church management system (ChMS) vendors about their security measures. Make sure they're staying up-to-date on the latest cyber threats and taking appropriate steps to protect their servers and software from security breaches.
If you're looking to purchase new software, cyber security and data backups need to be part of your vendor evaluation process.
Even if one vendor's product is less expensive, beware that if their software doesn't have solid security in-place you could end up spending much more down the road.
Tip #3: Guard login information and access
How many user names and passwords do you have to remember? It's a lot, right? It's hard to keep all those logins straight so it's tempting to leave a few written down and stashed in your desk somewhere. Bad idea.
Depending on how your church office is setup, it could be very easy for someone to quickly access your desk and get your login to the church bank account. It's hard to think someone you serve alongside and trust would do this, but not all theft occurs by someone outside the church. Make sure you carefully guard banking and database related login information.
Segmented Security Access
Another way to protect church financial data and the personal information contained within your church database (or church management system) is to segment security access. Most database or financial software programs have the capability to create different types of users. You can have users with read-only access who can only look up basic information about a member (name, phone number, email address). You can also have users with access to update existing records or create new records. For church accounting software, you should be able to limit who can enter deposits versus who can initiate online banking transactions such as online bill pay or ACH payments. Additionally, Therese DeGroot of Community First Financial Resources Team, recommends church leaders, "establish dual control for all online payments, including initiation, approval and validation of payments." This can help prevent issues with outsiders trying to initiate a payment to themselves with stolen user login credentials.
Tip #4: Monitor and protect
The church accountant or CFO should review banking and credit card transactions daily. A quick login to the church's accounts online can help you identify any suspicious transactions.
If you notice a payment that doesn't look familiar, you can do some simple research and then contact the bank or credit card company to report the fraudulent activity. Check on your financial institutions' policies regarding suspicious transactions to determine how quickly you have to report them, what numbers to call, and what they'll do once you've contacted them (will they immediately put the money back into your account or do they have a waiting period while they investigate the transaction?).
Unfortunately, cyber attacks and financial theft aren't 100 percent preventable. With that in-mind, it's wise to consider insurance (such as cyber crime liability insurance) to cover expenses related to the theft of church member data (identity theft) and/or direct financial losses.
Online banking websites, church management software, and other web-based tools can make running the back-office aspect of church easier.
While cyber crime is a potential threat, it's one your church can mitigate with sound processes and IT security steps. Be aware of the potential risks, but don't allow the possibility of a cyber threat keep your church from using the latest technology to advance the Gospel and serve your congregation.