Last week, Symantec issued a surprising report stating that religious web sites are more likely to harbor malware than sites that offer dirty pictures and videos.
I’m pretty sure there’s a reasonable explanation.
IT security is expensive. The equipment is expensive, and the people who know how to configure and maintain it are expensive.
Most churches aren’t flush with cash, so IT security isn’t a high financial priority for them. (The millionaires like Joel Osteen grab headlines, but many churches don’t pay their pastors enough to keep them above the poverty line.) And IT security isn’t necessarily a high priority for the ones that are flush with cash, either. I have firsthand experience with that, having worked in a church body’s IT department for nearly 7 years. I landed at a job that was a significant step down in responsibility, but it paid 15% more. Once I worked my way back to a position of comparable responsibility, I was making a good 25% more.
Attracting good IT security is difficult when you pay 25% below market value for it. Retaining good IT security is even more difficult. The church I worked for did have good people (and somehow still does), but nowhere near enough of them.
And I’ll argue that if you underpay for your security people, there’s a pretty good chance you undervalue security, and therefore don’t listen to those people adequately either. Talent is no good if you don’t utilize it properly. I saw that too: the security people we had would make recommendations, and then management would do precisely the opposite of what they recommended. Consistently.
The situation is potentially even worse if the sites are built by volunteers. The volunteers may very well know how to do a lot of great stuff, but they may not know how to secure it. Or they may have time to build it, but lack the time to maintain and defend it.
A trendy Web 2.0 site built for a church by an amateur is likely to have some security holes that a bad guy can eventually find and exploit. So the next thing anyone knows, the church site is harboring drive-by malware.
I don’t think it has much to do with activist hackers not liking church sites’ beliefs or agendas. That doesn’t help, but the budget helps even less.