Cybersecurity in the Context of Global Missions
Written by Josh.
Josh is a full-time worker in the global missions community. Though his specialties revolve around cybersecurity, his heart is that all would come to know Christ.
This is the third in a series of articles that will walk through the various aspects of cybersecurity in the context of missions, focusing on the four major groups in our community: (1) Partnering Churches & Individuals, (2) Organizational Offices, (3) Short & Long Term Field Personnel, and (4) National Believers. Each of these groups has unique cybersecurity needs which require that they are addressed separately.
Cybersecurity In the Context of Global Missions – Organizational Offices
The organizational office plays a key role in our community. Many operational processes happen here, including donation processing and disbursement to field staff, mobilization efforts, and many other administrative tasks. In order to provide these critical services, technology is required, which opens the door to cybersecurity incidents. Cybersecurity incidents at organizational offices can have wide-ranging effects: downtime for critical services, financial costs to recover, and a damaged reputation.
To reduce these risks, let us look at two key areas of cybersecurity for organizational offices: infrastructure and compliance. After that, we will consider two field-specific cybersecurity issues as they relate to the organizational office: secure communication and traveling staff.
Infrastructure – In order to provide services to field staff, technology is required. Some offices may not have much in terms of technology, but others may have hundreds of devices and servers. All of this technology infrastructure requires regular maintenance as well as routine security configuration. This would include such things as applying security updates, changing default passwords, maintaining a good firewall ruleset, etc.
Compliance – Wherever the office is located, local and national regulations must be adhered to. This would typically include how the office must handle their people’s personal data, as well as how to secure donor information. There are also industry-specific standards that need to be complied with. For instance, if the office takes credit card donations, they are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
How does one figure out what the office needs to do from an infrastructure security and compliance perspective? The first step is to complete a basic security assessment of the office. This assessment will make it clear what areas are doing well, and what areas need work. Once the assessment is complete, the organization can prioritize the most critical findings and work on a remediation plan.
The good news is that neither infrastructure security nor compliance concerns are unique to our community. All organizations, whether secular or not, deal with many of these same issues. With this being the case, there are many quality resources that can help remediate the problems found in the security assessment. One of those is the Center for Internet Security (CIS) Controls. From their FAQ:
“The CIS Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve their cyber defense.”
You can find more information on their website, https://www.cisecurity.org/controls/.
Within our specific community, one of the best places to find training, resources, and consultation is through ICCM, the International Conference on Computing and Mission. ICCM is a global group of technologists who work in the missions community. They meet yearly in different areas of the world, as well as run a mailing list. This should be one of the first places office technology staff plug into. Their website has much more information: https://ICCM.org
Beyond the items that stem from infrastructure and compliance, there are other, more field-specific concerns that should be considered as well: secure communication with field staff, and office staff traveling to sensitive locations. Because of the sensitivity of the issues involved, practical details will be left out, though follow-up questions are certainly welcome.
Secure field communication: How do you securely communicate with field staff who work in sensitive locations?
First off, the communication method should be encrypted in transit and, ideally, at rest as well. Be cautious of using niche secure email providers: they can sometimes draw more scrutiny than a more mainstream provider would.
Secondly, there may be some situations where it is not appropriate for field staff to have an organizational-branded email. Instead, they may need to use a communications channel that is not associated with the organization. There are many ways to do this, and they all have their pros and cons. Take time to think through what works best for your office, field staff, and organizational culture.
Office staff traveling: In the course of normal business, office staff will need to travel to sensitive locations, sometimes with the need to downplay their ties to the organization. But they also need access to their office email and work documents. One way to do this is to have designated travel devices that can be “checked out” by office staff. These travel devices are clean from an association perspective. The staff member would access their documents and email from a web browser, so as not to have sensitive information downloaded to the device. There are still some issues with this type of setup, but it carries much less risk than having the staff member travel with personal devices that have office information on them.
Organizational offices fill a critical role in our community, which is why it is important that cybersecurity be well thought out. When in doubt about how your office is doing in cybersecurity, start with a basic assessment. Use the results of the assessment to guide your cybersecurity efforts. Finally, plug into communities like ICCM to help fill the gaps; we are all in this together.