PCO is Being Attacked. How to Stay Safe
Friends…it’s time for a candid talk about Planning Center security. There are some sad realities that we’re hearing from PCO that will require us to make some changes to our mindset as well as our policies. I’m going to walk you through what you need to know and give you some practical action steps to make this as easy as I can.[1]
Planning Center Made a Change
Because of a security issue PCO was seeing, they took away admins’ ability to change another admin’s name, e-mail, and phone number. Learn about it here.
Translation: If you were a manager in People, and I was an org admin, I no longer had the ability to edit your name, e-mail, or phone number. You had to make the change on your own in the Church Center app.
PCO did it because criminals were calling churches, pretending to be somebody they’re not, asking for the e-mail or phone number on an account to be changed, and then using the changed contact details to log into PCO. (It’s called a social engineering hack in cyber security circles.)
What they implemented wasn’t the answer, but I was impressed that they listened to feedback and quickly rolled it back and put a less drastic change in place.
You’re the Problem
Such a harsh statement needs an explanation.
First, the PCO platform isn’t broken. They can help us with the problem (which, they are), but ultimately, we are our best defense.
But you’re not the problem…you’re the victim. Yet because you have access to so many people’s data, if you become the victim, you also become the problem, because the criminals used you to victimize others. So you and I, and anybody with access to PCO, must not become the victim. See what I mean?
Cybercrime is the only crime where the victim may also be the conduit to victimize many others.
In most cases, hacks that make headlines are successful because super smart people (who are sometimes not old enough to drive) found a weakness in a program or website. Using that weakness (computer term: vulnerability) they broke in and stole millions of customer records.
The Pegasus spyware is one of the more high-profile examples: it exploited weaknesses in Apple’s iOS.
Social engineering is different. It doesn’t take advantage of faulty programming…it takes advantage of you. It’s an old-fashioned con game with a modern technology twist. The criminals trick you into giving them access, and once they have it, they go to work stealing, destroying, changing…whatever they choose to do with your Planning Center data.
You know who are particularly vulnerable to social engineering hacks? Church people!
Why? Because you and I love people. We see the best in them just as Jesus does. When somebody calls and asks to have their information changed, we don’t ask questions. We just assume they are who they say they are.
It’s a cyber criminal’s dream. As the old cliché goes, “it’s like stealing candy from a baby!”
That must stop today!
Not the loving people part…just the assumption that they aren’t a criminal because they called a church. Cybercrime isn’t some small little group of nerds.
Cybercrime is expected to cost the world’s economies $10.5 TRILLION by 2025.
Countries fight wars using computers, and organized crime rings are turning to cybercrime as their weapons of choice.
Cybercrime is HUGE and sophisticated but we can significantly up our chances of not being victims by creating a cybersecurity plan for our church.
This is A BIG DEAL!
In most states, somebody gaining malicious access to your PCO database constitutes a data breach, which comes with a whole host of issues including reporting the breach to the state, informing everybody in your database, and potential fines. (Here’s a link to my state’s data security laws. Notice the up to half MILLION dollar fine.)
More important than following laws, we honor our guests by setting up environments where they are physically safe when they arrive. That’s love but love is also protecting their data. Everything from e-mail and physical address to information regarding extremely private life events must be guarded.
It’s our job to protect that data just as aggressively as we physically protect attenders in our building.
Don’t get mad at me. I need to say this and I’m just going to be blunt: In my work with our Clean My PCO customers, I don’t see much evidence that churches have strong data security procedures. And do you know what’s difficult to admit? I’m the head of IT at my church and although we have many safeguards, we had never thought about how we protect against social engineering schemes like PCO has reported seeing.
No excuses here…it’s time for all of us to up our data security. Let’s talk about how.
Read about how Clean My PCO protects your data. Go to our FAQ page.
Least Access
Before we jump into building a good PCO security program, we need to learn about least access.
Least access is an IT security term where “a user or entity should only have access to the specific data, resources and applications needed to complete a required task.” (SOURCE)
Now, let’s translate this into church language: We’re going to give you the access to PCO that you need to do your job, but we’re not going to give more than what’s needed.
This doesn’t only apply to PCO…it applies to everything that is password protected.
Let’s make this super practical:
- You should have less than a handful of organization admins. At least 2 but not many more.
- It’s not necessary for most people to be admins over folders in PCO Services.
- If somebody needs to see people data, they should be viewers unless they can make a good case that they need more.
- Very few people should be able to create Registrations events.
- Anybody who wants access to anything in PCO should be carefully vetted. (More on this below)
- Train your staff to tell you the WHAT and not the HOW. They should tell you what specific task they need to do in PCO, and you will figure out the access they need.
- You should become an expert on each of the permission levels.
WARNING: Least privilege tends to rub people the wrong way. They get blocked from doing certain things and get frustrated. It’s understandable but when we explain the heart behind it and offer other ways to accomplish a similar goal, people are more accepting.
Vetting People for PCO Access
If we put least privilege into action, we need a formalized way to screen people to make sure they are fit for PCO access. Here’s a harsh reality that you need to prepare for: Some people won’t qualify. Be ready to exemplify Jesus when you deny their request. Provide the heart and alternatives.
Step #1- They Should Have to Work for Access
I would suggest requiring that they have 100% completed any onboarding and discipleship classes you offer. This will help eliminate people who may have less than sincere reasons for gaining access. Examples: People looking for sales leads or, to go extreme but real, a person looking for the address of somebody who is trying to hide from them. A stalker, a violent ex-spouse, etc.
Step #2- They Should Complete an Application
Do you have a process for onboarding volunteers? I mean a formalized process that every volunteer goes through including an application and onboarding process. Why an application? Because every volunteer should learn the heart and DNA of your church and they should be onboarded with steps including shadowing another volunteer, an interview with the ministry leader, and ongoing followups to make sure you continue to know them and minister to them.
TIP: On your volunteer application, ask them to provide more than one area where they would be happy to serve. This will allow you to steer them toward a serving area that doesn’t require database access if you see that they won’t qualify.
One other VERY important part of the application…it has all the questions like, “have you been accused of, convicted of” etc.
HERE’S OUR VOLUNTEER APPLICATION
Step #3- They Should Complete an NDA[2]
An NDA, or non-disclosure agreement, legally forbids them from talking to others about what they learn through access to your data. Whether you would actually take legal action against them isn’t as important as the message it sends.
The NDA is only part of this form. Other items you want them to sign off on:
- They can’t use their access to PCO for anything other than the task assigned to them by their ministry leader.
- They can’t give their login credentials to anybody.
- They can’t allow somebody to look over their shoulder at the information on their screen.
- They may not look at other information in the database that is not needed for the work assigned to them by their ministry leader.
- They may not provide information, regardless of how seemingly harmless it may be, to anybody who asks. Example: They cannot provide an address to somebody looking to send invitations to a birthday party.
- They must have 2 factor authentication turned on as long as they have elevated access of any type.
A non disclosure agreement is a legal document. Legal documents are often specific to the laws of each state. Don’t copy legal documents from the Internet or ask ChatGPT to write it. An improperly written legal document may invalidate it should you have to present it to a court.
As part of this form, they must state why they need access. We train our staff to give the person specific language for this. “I will be helping so and so” isn’t enough. We want to know exactly how they will be helping so and so.
HERE’S OUR FORM.
We call it the Confidential Information Access Agreement or CIAA.
Step #4- Once the form is completed, it triggers a workflow
When somebody completes this form at our church, it begins a workflow. These 4 items are part of the workflow:
- Verify completion of the required onboarding and discipleship classes.
- Review the form.
- Ask the ministry leader further clarifying questions.
- Ask the ministry leader who will train this person.
It’s not uncommon for the workflow card to be sent back to the ministry leader multiple times until we get the answers we need.
If you aren’t using workflows, now’s the time to start. Here’s an article.
Once done, access is granted. We almost always start at a lower level of access than they requested. We then adjust as needed.
Finally…we have a list that looks for people with database access who don’t have any record of serving in the past six months. When somebody appears on that list, it generates a workflow card where we ask the ministry leader if they are still serving. If they say yes, we remind them that ALL volunteers must check in.
Two other notes:
Consider background checks for people doing super high-level tasks like viewing giving records and/or viewing confidential pastoral care notes.
Second, for ALL your admins, you should require that 2 factor authentication be active within 1 week of gaining access. No exceptions. If they don’t activate it, remove their access. (I know I said this above but it’s so important, I’m saying it again.)
Have a process in place to verify that people are still using their PCO admin access. This could be simply asking ministry leaders to send you a list of people that still need access and any that don’t appear on those lists, you remove. We tell staff that if we don’t hear from them, we assume they are no longer serving and remove their access.
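The two recurring checks described above (the six-month “no record of serving” list and the one-week 2FA deadline for admins) can be run over an export of who has access. The script below is an added example and is not part of the original post or of Clean My PCO; the records, field names and permission labels are constructed assumptions, since PCO does not necessarily expose 2FA status in the same shape.

```python
from datetime import date, timedelta

# Constructed sample export (not a real PCO report): one row per person who
# has any PCO People access. The field names are assumptions for this example.
ACCESS_RECORDS = [
    {"name": "Alex",  "permission": "Organization Administrator",
     "granted": date(2024, 1, 10), "two_factor": True,  "last_checkin": date(2024, 5, 26)},
    {"name": "Blair", "permission": "Manager",
     "granted": date(2024, 5, 1),  "two_factor": False, "last_checkin": date(2024, 5, 19)},
    {"name": "Casey", "permission": "Editor",
     "granted": date(2023, 9, 1),  "two_factor": True,  "last_checkin": date(2023, 11, 5)},
    {"name": "Dana",  "permission": "Viewer",
     "granted": date(2024, 2, 1),  "two_factor": False, "last_checkin": date(2024, 5, 26)},
]

# Anything above Viewer counts as "elevated access" for the 2FA rule.
ELEVATED = {"Organization Administrator", "Manager", "Editor"}
INACTIVE_AFTER = timedelta(days=182)   # "no record of serving in the past six months"
TWO_FACTOR_GRACE = timedelta(days=7)   # "2FA active within 1 week of gaining access"


def audit_access(records, today):
    """Return (name, reason) pairs, one per workflow card to send to the ministry leader."""
    cards = []
    for r in records:
        # Everybody with database access is checked for inactivity, viewers included.
        if today - r["last_checkin"] > INACTIVE_AFTER:
            cards.append((r["name"],
                          "no check-in in six months: confirm still serving or remove access"))
        # The 2FA deadline applies to elevated access only.
        if r["permission"] in ELEVATED and not r["two_factor"] \
                and today - r["granted"] > TWO_FACTOR_GRACE:
            cards.append((r["name"],
                          "2FA not enabled within one week of access: remove access"))
    return cards


def run_sample():
    """Run the audit against the constructed export as of a fixed date."""
    return audit_access(ACCESS_RECORDS, date(2024, 6, 1))


if __name__ == "__main__":
    for name, reason in run_sample():
        print(f"{name}: {reason}")
```

Blair is flagged for the missing 2FA (access granted a month ago) and Casey for the seven-month gap since the last check-in; Dana is a viewer, so no 2FA card is raised.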
How to Fight Back Against PCO Cybercrime
Now that we have some data security procedures in place, put on your favorite super hero costume and let’s fight back against social engineering.
Before we talk about how to battle social engineering, let’s get something out of the way: Security isn’t convenient. Nobody has flown in the past 20 years and said, “Airport security—I really enjoyed that.” And I haven’t yet read feedback e-mail that came to our church that said, “I’m so impressed with how easy it was to get my child to and from the kids area.”
Security isn’t easy, convenient, enjoyable, or sought after. We all wish it could be, but it’s not so let’s toss that expectation aside.
Here’s a playbook for fighting social engineering hacks:
2 factor authentication must be in use by anybody with access to attender data. Last time I’m saying this…I promise.
Only organization admins can change e-mails and phone numbers of people with elevated access rights. PCO could help us by making this part of the programming, but for now we must train our people to send those requests to you.
You could also set up a system where the person, face to face, first asks their ministry leader about a profile change. Because the ministry leader physically identified the person, they can verify that the request is legitimate.
People with elevated rights must prove their identity. This means that an e-mail or phone call isn’t enough. You decide what to ask but I would suggest 2 questions off this list:
Can you tell me…
- …the volunteer team you serve on and your ministry leader?
- …the small group you’re a part of?
- …a small group you attended in the past?
- …the name(s) and birthday(s) of your child/children?
- …the last date you served?
- …your address?
- …the phone number you would like removed?
- …the e-mail you would like removed?
- …the campus you attend?
- …the name of a church event you recently attended?
Call them back using the number in PCO. If somebody calls and asks that their e-mail address be changed, tell them you will call them back using the number in PCO. Don’t trust the caller ID. Numbers that appear on your caller ID can be faked.
Ask them the reason for the change. You’re not trying to pry into their personal life. You want to make sure that nobody contacted them and tricked them into requesting the change.
Send them an e-mail using the e-mail in PCO. If somebody asks that their phone number be changed, send a verification e-mail to the e-mail address in PCO. Do not reply to what was sent and don’t trust what you see in the e-mail.
If it seems fishy, don’t make the change. Trust your gut. If it doesn’t seem right, ask to meet with them on a Sunday.
No exceptions. EVERYBODY is treated the same regardless of rank, importance, whether they’re a friend, family, or whatever.
Formalize the process. Example: If somebody requests a change to their information, have them complete a PCO form. Include language on the form that tells them about using the Church Center app to make the change on their own. Also include language about how you will contact them to verify some information before making the change. If you ask for the new information on the form, make sure it’s not a form field that will automatically change the information.
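The playbook above is a set of gates that a change request has to clear before anybody touches the record. The function below is an added example, not part of the original post or of any PCO feature; it assumes the change is being processed by a staff member who recorded which verification questions were asked, whether the call-back or verification e-mail went to the details already in PCO, and a gut-check flag. The person record, question names and answers are constructed.

```python
from dataclasses import dataclass


def _norm(value):
    """Compare answers loosely: trim, collapse spaces, ignore case."""
    return " ".join(str(value).split()).lower()


@dataclass
class PersonOnFile:
    name: str
    elevated: bool        # any access above viewer
    known_facts: dict     # answers PCO already holds, e.g. {"campus": "North"}


@dataclass
class ChangeRequest:
    field: str                 # "email" or "phone"
    requester_role: str        # staff member processing it: "org_admin", "manager", ...
    answers: dict              # verification questions asked and the caller's answers
    callback_confirmed: bool   # called back on the number already in PCO
    email_confirmed: bool      # verification e-mail to the address already in PCO
    reason_given: bool         # caller explained why they want the change
    seems_fishy: bool          # "trust your gut"


REQUIRED_CORRECT = 2   # "2 questions off this list"


def verify_change(req, on_file):
    """Return (approved, reasons). Any single reason blocks the change."""
    reasons = []
    if on_file.elevated and req.requester_role != "org_admin":
        reasons.append("only an organization admin may change contact info for elevated access")
    correct = sum(1 for q, a in req.answers.items()
                  if q in on_file.known_facts and _norm(on_file.known_facts[q]) == _norm(a))
    if correct < REQUIRED_CORRECT:
        reasons.append(f"{correct} of {REQUIRED_CORRECT} verification questions answered correctly")
    if req.field == "email" and not req.callback_confirmed:
        reasons.append("e-mail change not confirmed by calling back the number in PCO")
    if req.field == "phone" and not req.email_confirmed:
        reasons.append("phone change not confirmed by e-mail to the address in PCO")
    if not req.reason_given:
        reasons.append("no reason for the change was given")
    if req.seems_fishy:
        reasons.append("request looks suspicious: ask to meet on a Sunday")
    return (not reasons, reasons)


# Constructed sample: a caller asks a manager to change the e-mail of someone
# with elevated rights, gets one of two questions wrong, and no call-back was made.
SAMPLE_PERSON = PersonOnFile("Jordan", elevated=True,
                             known_facts={"ministry leader": "Pat", "campus": "North"})
SAMPLE_REQUEST = ChangeRequest(field="email", requester_role="manager",
                               answers={"ministry leader": " pat ", "campus": "South"},
                               callback_confirmed=False, email_confirmed=False,
                               reason_given=True, seems_fishy=False)
```

The sample request is refused for three separate reasons; fixing any one of them is not enough, which is the point of treating the steps as gates rather than suggestions.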
What is Phishing?
No talk of security would be complete without addressing phishing. Here’s a great definition from phishing.org.
“Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”
You’ve seen these before. An e-mail from (what looks like) your bank asks you to log in to your account to verify some information. It’s not your bank, and if you enter your credentials, the cyberthieves have the login information to get into your bank account.
The same thing could happen with your PCO account. If somebody wanted into your account badly enough, they could send an e-mail looking like it’s from PCO and ask you to login to your account.
How do you avoid being a phishing victim?
NEVER…and I mean NEVER…log into an account using a link in an e-mail.
NEVER…give login information to somebody over the phone. That includes the code that goes to your phone or an authenticator app.
If you believe a request might be legitimate, call the company and ask them. 9 times out of 10, it’s a phishing scam.
One of the best ways to protect against phishing is to educate your users and block the e-mail before it reaches their inbox.
Many companies now subscribe to services that send employees phishing e-mails. If the employee falls for the attack, somebody in your company is alerted so they can further train the employee.
Also, if your e-mail provider isn’t Microsoft or Google, you’re missing out on some of the industry’s best anti-phishing e-mail protection. On top of that, there are paid services that provide you with an even higher level of protection.
It’s a bit too much to go into here but e-mail me and I’ll give you the rundown.
Phishing is a type of social engineering hack. There’s a good chance that a cyber criminal will try a phishing attack to gain access to your PCO account. That’s why you must have procedures against phishing attacks.
Security and Jesus Can Coexist
I’ve used a lot of words to seemingly convince you not to trust anybody.
I still want you to be the church. I want people to see Jesus in you, and I don’t want you to assume that everybody is a criminal. If you know the person, you could get crafty and strike up a conversation by bringing up a memory that you two share. If they can talk about it in a way that only they would know, you just validated their identity.
And if you follow my advice above and be super choosy with who gets access rights, next to nobody in your church will know about these procedures.
What is Clean My PCO Doing?
Clean My PCO was designed with security in mind.
- We don’t download your PCO database. We only store records that were created or changed.
- A record only stays in our database for 7 days. After that, it’s 100% deleted.
This means that even if a hacker were to gain access to Clean My PCO, they won’t find much.
Considering PCO’s concern that an increasing number of social engineering attacks are taking place, we have a few new features planned to combat this issue. These will take some time to develop but we will do our part.
What to Request From PCO
PCO does a fantastic job of listening to its users. Here are a few feature requests to ask from them to improve security:
- Audit log- This is common in most larger platforms. Simply, it’s a listing of every action taken by an individual with higher level access. Audit logs help you look for activity that is outside of your policies and for people who have access but are inactive.
- Ability to make lists from the audit log. If somebody took an action that is not allowed, you will know and can train based on the mistake.
- Only organization admins can modify e-mails and phone numbers.
- Allow the organization admin to create custom user types that can only do certain things. Examples could include only being able to view a certain campus, people only being able to see the profile of a person or household in a workflow they have been assigned, or the ability to pick items where they are a viewer or editor.
- Do not allow profile fields on a form to change the e-mail or phone number of an admin.
These enhancements would limit the exposure to user data should a cyber thief gain access through somebody’s account.
I run a software company so I can tell you that we have a list a mile long of things we want to add to Clean My PCO but these things take a lot of time. My suggestions above are not to imply that PCO is doing a bad job. If I were an employee of PCO, I bet I would find at least some portion of these on their to-do list.
Final Thoughts
I know that you don’t want to deal with topics like this. One more SOP, one more training, one more restriction put on staff…it’s not the fun part of church work you signed up for. I hear you and I get it. Unfortunately, the church is being attacked from multiple directions from active shooters to cyberthieves.
It stinks but protecting our people is part of our mandate as ministry leaders. The good news is that once it becomes habit, it becomes a lot easier. It will take a while to make the change but might as well get started now.
I’m here if you need me.
Clean My PCO supercharges Planning Center People to keep your data clean and accurate. First, PCO sends records to us for examination and cleaning. Second, using Planning Center lists and workflows, we alert ministry leaders within 24 hours of issues that need human eyes. Watch our product demo video here.
[1] I’m not an employee of Planning Center, I don’t have any inside knowledge, and I didn’t consult with them before writing this. This is what we are doing at my church. I hope it’s helpful.
[2] I’m not an attorney. Anything that sounds like legal advice should not be taken as such. Use this information as topics of conversation with a qualified attorney in your state.