All too often when I first begin my interaction with a church, I’m contacted through an email address that looks something like this: [email protected]

If the communication is with a pastor, often it’s their own personal email account or something similar to the previous example, but with the word “pastor” added to it.

Whether you’re planting a new church or keeping an established one running, the allure of using a personal email account for church work is strong. After all, it’s free and you know how to use it. Unfortunately, there are downsides that can hamper church operations and even lead to compromised information security. In this article I’ll talk about a few of the pitfalls of using a free personal e-mail account, and some of the options that are available instead.

Trap 1: Hindering Church Operations

Initially, signing up for a free e-mail account through Gmail, Outlook.com, or any of the other free personal e-mail services seems like the simplest and quickest way to get an “official” e-mail address for your church. This short-term decision, however, can have long-term negative impacts.

At first it’s just you: the pastor or the office manager who uses the account. Soon you have another volunteer who wants to help, and the information they need is in this “personal” e-mail account. What do you do? Do you share the username and password with this volunteer? Do you create a second free email account? Unfortunately, both options are commonly used.

If you share the username and password, you are laying the groundwork for a security nightmare. There will be more about this in the next section, but a precedent has now been set that this account and its password are OK to share. Eventually this can lead to multiple individuals attempting to log in and use this account, reset the password, etc. Additionally, one user might delete an e-mail from the inbox, and another user gets frustrated because they can’t find the e-mail that someone else deleted.

If you don’t share the account credentials and opt to create additional personal e-mail accounts (let’s say it’s “[email protected]”), you’ve now created two accounts that are completely siloed away from each other. Any security authentication is now tied to an individual’s phone or phone number, and if something were to happen to the individual or the account is compromised, there is no central administrator who can reclaim the information stored in that account.

Trap 2: Compromised Security

I briefly touched on this before, but here’s where I’ll go into detail. Most of these free accounts intended for personal use have some security requirements, such as Multi-Factor Authentication (MFA), that are enforced by default. If User A received the setup prompt and created the MFA on their phone, then they are now the sole individual who can authorize access. If User B gets a new phone and attempts to log in to the shared account, they now need to coordinate with User A to either click “Yes” on the prompt, provide the generated code, etc. An unexpected danger here is that this type of environment benefits malicious actors.

Let’s imagine a scenario where the password for the shared account is compromised and a malicious individual attempts to log in using the username and password. This scenario is exactly what MFA was designed for: with it, the difficulty of accessing the account goes up dramatically. Unfortunately, User A receives a prompt that says “New sign-in from…. Is this you?” User A has by now been conditioned to assume this is one of the multiple individuals who share this e-mail and password, so they click “Yes”. This has now allowed the malicious actor to successfully log in and begin reading all the information stored in the inbox.

In this scenario, as well as with the “multiple personal accounts” option, the malicious actor could change the password, change the MFA settings, and immediately lock everyone else out of the account. Since this is an account intended for personal use, recovery will involve a lengthy support call with the e-mail provider and may ultimately end in total loss of the account and all of the information stored within it.

The Solution

Now that I’ve harped on all the negatives, it’s time to talk about the best path forward. The good news is that if you have your organization registered as a nonprofit and have obtained 501(c)(3) status, then you can get professional e-mail for your organization for free. There are other costs involved if you choose to upgrade the licensing or purchase other features at a later date, but initially you can sign up and get started for free.

Both Google and Microsoft offer nonprofit subscriptions for their Google Workspace and Microsoft 365 environments. If you already have a website and a domain (my-church-name.com, .org, etc.), then once you’ve signed up with either of these e-mail providers, you can have church accounts such as “office@my-church-name” or “pastor@my-church-name”.

Additionally, if there is an account compromise and the password is changed, you now have a central management interface where a designated administrator can suspend the account, change the password, and reset the MFA (among other abilities).

You can find more information about these nonprofit subscriptions directly from the respective companies, but I recommend setting up an account with TechSoup. Located at techsoup.org, TechSoup gathers available nonprofit subscriptions and pricing from multiple businesses into one place. Both Microsoft and Google are partners of TechSoup and can share your information for a faster sign-up process.

Moving Forward

Look for another article coming soon that breaks down the differences between the Microsoft and Google plans, and other considerations for determining what’s best for your organization.

If you’d like to know more, or if you want my help in working through this process, don’t hesitate to contact me for a consultation session.
