As the financial clerk I am not the only one who uses MLS, but some other users are not as good about performing backups. Additionally I sometimes forget one of the 3 steps:
- Backup to C: drive.
- Backup to USB drive locked in cabinet.
- Update to offsite backup (on USB drive in my pocket).
We do those same three steps in our ward. And perhaps sometimes someone forgets Step 2 or 3 -- especially Step 3, since different people might be doing the backup at different times.
In thinking through the security risks, there is potential for the whole MLS database to fall into the wrong hands from loss of the USB backup in clerks' pockets.
The risk of a lost USB drive itself is fairly high. People lose these things frequently. The MLS backup file is itself encrypted, but I think it can be decrypted automatically by loading it into any test installation of MLS. So if an unauthorized person did come into possession of the backup file and were disposed to explore it maliciously, all they would need would be an install package for MLS.
Everyone who thinks the access to that MLS install package is restricted by high security, raise your hand. (Yes, I know it is restricted.)
There obviously is risk in users violating policy and backing up the files to a third-party site of their choosing. There also is risk in following policy and keeping the offsite USB drive -- perhaps even more risk than using a reputable online site.
The risks of online backup seem more manageable if CHQ picked a trustworthy online vendor, or just stored more frequent backups on Church servers so that at least the most recent backup was archived remotely. Storage bytes and bandwidth get cheaper all the time.
Meanwhile, perhaps we should rethink how we handle the "offsite" USB drives in Step 3 above. Using an encrypted drive would add a significant layer of protection -- at the cost of some hassle in entering and maintaining the password.