
Keeping Your People’s Personally Identifiable Information Safe

May 27, 2025

by Matt Cohee, CISM, CISSP
Senior Manager of Network Infrastructure
Brotherhood Mutual Insurance Company

In an era where digital threats are evolving, safeguarding sensitive information has become paramount for all organizations, including ministries. Daily, I oversee a team that is dedicated to protecting the data of Brotherhood Mutual and MinistryWorks customers and employees. Keeping data secure is just as important for ministries that collect personally identifiable information (PII) about, for example, attendees, employees, volunteers, participants, donors, students, parents, and alumni.

Storing PII
Cybersecurity in ministries involves protecting sensitive data and systems that are vital to the operation of churches and related organizations. Data is a broad term, so I like to suggest ministries focus on anything from donor data to volunteer data to even minors’ data. All of this usually contains personally identifiable information. Examples of PII include Social Security numbers, birthdates, driver's license numbers, financial account numbers, payroll information, credit card numbers, personal addresses, and personal phone numbers. Ministries have a responsibility to protect this PII and to safeguard it against unauthorized access and potential breaches.

The first step in protecting PII is knowing where it resides. This could be on paper or digital platforms like Planning Center, Church Center, or Pushpay. It’s important that data is stored securely and that access to it is controlled. For paper records, ensure they are securely stored behind locked doors and cabinets. For digital records, use secure applications and control access to sensitive information.

Find an IT Security Champion
One of the biggest challenges is educating and training employees and volunteers on how to keep sensitive information safe and what to do if a breach happens. Having an IT security champion within the ministry can bring consistency to training and ensure everyone understands how to protect PII. Leverage the expertise of IT professionals within your congregation. Additionally, seek help from your local colleges and libraries. Oftentimes they have outreach programs that include free educational classes on cybersecurity open to the public.

Understanding Cyber Incident Response
Sometimes a ministry’s data can be used against it when a hacker or attacker is trying to steal it for financial gain. When a cyber incident occurs, the initial response is critical. Contrary to popular belief, shutting down systems immediately is not always the best first step. While it isn’t always the case, generally speaking, if a ministry is going to have a cybersecurity event, it will be one of two things. The first is malware, where you download something or click on a link. The second is data exfiltration, a fancy term for an attacker trying to get onto your system to take data that you have on your PC or server and hold it for ransom against an individual or church.

The first action should be to disconnect the internet to prevent data exfiltration. Shutting down systems can result in the loss of forensic evidence needed for recovery. Instead, focus on preserving evidence and creating a timeline of events. Know what role and responsibilities each team member has should a cyberattack occur, and have a dedicated person to manage internal and external communications.

Assessing Damage and Recovery
Assessing the damage after a cyberattack can be challenging, especially for smaller ministries with limited IT resources. Engaging with IT professionals or outsourcing IT services to handle recovery is recommended. Regular backups, both local and remote, are essential to restore systems quickly. Having an offsite backup ensures data recovery even in the event of physical damage to the church.

Wrapping Up
Keeping PII protected is an ongoing challenge that requires proactive measures and continuous education. To stay updated on the latest cybersecurity trends, such as the use of generative AI tools in creating convincing phishing emails, videos, and phone calls, I recommend resources such as thehackernews.com and CISA.gov. Local colleges, libraries, and government outreach programs may also provide valuable information tailored to regional threats. Finally, work with your insurance agent to discuss risks and challenges your ministry may be facing. Your agent can help connect you with the right tools and resources, from training to insurance.

Watch Matt's full interview here, or listen to The Lightwell Podcast on your favorite streaming service.

About the Author: Matt Cohee has worked in the IT field for 17 years and has been with Brotherhood Mutual since 2019. When he’s not taking classes, Matt is consuming books, content, and podcasts. He holds 20 professional certifications, including the world’s premier cybersecurity certification: Certified Information Systems Security Professional (CISSP).
