The value of some church assets is difficult to assess. Personnel, congregational goodwill, and data are just a few examples of assets whose value is usually understood only once it’s gone. None of us would say our data has no value to the organization, but trying to figure out what it’s worth so we can adequately protect it is challenging.
Data is one of the most valuable assets a church has. Protecting it isn’t difficult, but must be approached as deliberately and strategically as fire and security protection.
Churches have different kinds of data, and categorizing them can help set a value to strategically protect them. While some data (like email, databases, etc) is mission-critical, others might just be convenient. Mission critical data may include:
- Communications. Our availability to our congregation when they need us is important. That includes email, telephone (like our VoIP system), and letters.
- Databases. Our databases contain names and contact information, contribution, attendance, baptism, and other data that help us serve our congregations well.
- Sermons/ Lesson Prep/ Program. The research behind them, and the actual sermon, lesson, and program files themselves are valuable in that replacing them would be costly and, to some degree, impossible.
- Graphic Files. Photos, videos, bulletins/ programs, promotional posters, and audio files.
- Governmental Documents. Church minutes, agendas, meeting notices, etc.
- Custom Programming. Templates and anything else that has been customized to help communicate and serve with uniqueness.
What would happen if some of these, like email or the database, were made public or were destroyed?
Data threats are internal and external:
- Internal. Good employees sometimes become disgruntled employees, hardware sometimes crashes, vendors sometimes have sticky fingers, we are constantly being attacked with malicious software (called ‘malware’), and buildings are sometimes destroyed by internal causes.
- External. Thieves, external catastrophes like storms and earthquakes, and those who try to hack into our systems just because our systems are connected to the Internet. In fact, our firm sees evidence of almost constant Internet programs (called ‘bots’) trying to exploit system vulnerabilities. Their goal is to grab our data or computers to serve the interests of others.
Prioritizing Data Protection
Some data, if lost, would cause no serious damage. But other data losses could really hurt! Consider, for instance, if the database were no longer available, or if members’ private information was made public!
We recommend thinking through the data you have and how it’s protection should be prioritized. Ask the following question about each category of data:
How long are we willing to be without this category of data when going through a disaster of some kind?
The answer will help determine the priority of which data needs to be restored first in the case of a major disaster. The answer will also set the disaster recovery/ business continuity budget. For instance:
- If all data needs to come back online within a couple of hours, the cost for that strategy will be in the tens of thousands.
- If, instead, the data were prioritized, the cost may only be a few thousand dollars.
Some strategies worth considering:
- Communications (email and telephone) is probably the highest priority category for business continuity, followed closely by the database. The best way to ensure the highest possible uptime for these is to have them hosted off-site in a high-availability datacenter. A high-availability datacenter is one that never goes offline, which means that if you can get someplace where you have an internet connection, you can access and use these systems.
- Data of other types may not be as critical, and can be located on the church premises as long as a good backup strategy is in place. We recommend:
- Centralize all data so it can be easily backed up.
- Use current tape backup hardware that has adequate capacity and speed to do a full data backup every night.Some recommend incremental backups (only backing up changed files on a daily basis with a full backup once weekly, for instance), but that only makes restoration more difficult at a time when you’ll have many pressures and would appreciate not having that too. We disagree with the incremental backup strategy.Our clients use LTO 3, 4, 5, or 6 tape drives depending on their capacity needs. We set them up with four weeks of tapes so they can have a backlog in rotation in case a file corruption isn’t discovered for a few weeks.This is also a better strategy than using portable hard drives, which can fail due to their many moving parts, drops, etc.
- Most churches would say that Monday is their heaviest data processing day. We tell our church clients to take the backup tape from Monday night off-site every week so that if the church buildings were lost in a disaster we could still quickly get them within a week of their data.
An additional strategy worth considering is to reduce the number of databases your team relies on (actual databases, spreadsheets, etc) as much as possible, the ideal being only one. This helps ensure that a high-priority focus on protecting it will be maximally effective. It also has the benefits of saving staff time (updating a record only once takes less time than updating it multiple times in every database or list) and increasing staff synergies. The downside is that some ministry areas may have to adjust the way they maintain their data.
Layers of Protection
Protection from those who want to do you harm only shows its value when it’s needed. We recommend:
- Server rooms should be locked and accessible only to those with a need for access. And they should not be used as storage areas since doing so reduces security and increases the fire hazard.
- Passwords should meet or exceed minimal policy requirements, avoiding words, names, dates, etc that are easily guessed, and should never be shared with other staff members.
- Most of today’s systems have fulltime connections to the Internet. That means the following are a must:
- A firewall that is fully configured, updated, and tested to keep unwanted intruders, like bots and hackers, out.
- SPAM filtering that is fully configured and updated to minimize the impact of malware in email.
- Anti-Malware software installed on all servers, desktop computers, and notebooks.
- These each usually come with an annual subscription that keeps them current on the latest attack strategies, and should always be kept current.
Your data, though difficult to objectively value, is one of your most significant assets. Implementing some fairly simple policies and procedures can go a long way towards protecting your data and your ministry.