This excerpt as taken from the ebook Computer Security for Your Church.
The mobile revolution has brought with it a number of new security threats. Modern devices can carry infected files as easily as floppy disks could in ages past. Additionally, the threat of devices being lost, stolen or compromised themselves leave a number of concerns which need to be thought through. While it’s beyond the scale of most church offices to be able to fully secure and administrate these things, there are nonetheless a few simple precautions which can make your data more secure.
USB drives are becoming a greater security risk as time goes on. Not only can they carry viruses and malware (more on that in a few pages), but they can actually cause hardware damage to machines now. At least one company today is selling USB based devices that can deliver voltage sufficient to damage a computer’s motherboard simply by plugging it in. Some newer motherboards are building in defences against such attacks, but most today are vulnerable.
For IT folks, USB drives (and USB charging) are a major headache. When adopting a policy, consider why users want to plug in devices, and what secure ways exist to meet those same needs. For example, if the primary reason people bring thumb drives is to print, consider a copier with a USB port built in as an option for direct printing. If people are using their PCs to charge (and thus opening the risk of malware on their phone infecting things), consider providing a multiport charging station for folks who run through their phone batteries. (That last is probably a good idea anyway…)
Users should be trained in account management, and should be required to use strong passwords and to change them often. (More on that in technical matters.) They should also, however, be made aware of general password security, and should not write their passwords down or share them with coworkers. No account with privileges should be accessible by more than one individual. This provides a simple audit train to ensure any data access can be verified and investigated later if the need should arise.
An often forgotten area of information security is found in the portable devices such as laptops, tablets and smart phones used by church staff. Laptops in particular are likely to have private information on them, and should be secured in case of theft or loss. Consider encrypting the contents of laptops or portable electronics using software such as Microsoft’s BitLocker to prevent attackers from accessing the data without the appropriate credentials. This requires a higher end version of Windows, and a TPM chip built in to the laptop (at a slightly higher cost), but the additional security is completely worth it. Imagine, for example, if pastor’s laptop were lost or stolen with the data it likely contains about parishioners!
Phones and tablets are more difficult to manage, unfortunately, because they’re so often owned by the individual employee. While frameworks and software packages exist for managing devices remotely, they’re often expensive and beyond the expertise of many parishes. A step in the right direction might be to ask that all personal devices which are used to access congregational information (including via email) be locked with a secure password or pattern and have the ability to be remote wiped either through Apple’s iCloud platform or through Android Device Manager. If devices are lost or stolen they can be easily located and their memory erased if need be.
Finally, no congregational data should end up on members’ personal devices. It’s probably more convenient for the financial secretary to run reports from home, but there are a number of concerns that make it unwise. First, there’s zero control over the physical or technical security of private machines. The user might be savvy and running top of the line antivirus behind the world’s best firewall or they might be surfing completely unprotected and exposing your data. You can’t tell and you definitely can’t control it. More concerning, though, is that if the situation should arise where that data needs to be returned to the church, destroyed for security reasons or otherwise accessed, it’s possible that the member may be unwilling to provide access to their private machine.
To continue reading and learning about keeping your church's technology secure, download our free ebook Computer Security for Your Church.