cyber attack church

Protecting Your Church From Cyber Threats

Data breaches, hacks, ransomware, and malware. Hackers are looking for vulnerable organizations and churches aren’t exempt from targeted attacks.

DATA BREACHES, HACKS, ransomware, and malware. None of these are terms we want to think of—especially when it comes to our church. Unfortunately, churches ar­en’t exempt from targeted attacks.

In 2011, St. Ambrose Cathedral had over $680,000 stolen when hackers took over their account.

On April 21, 2018, Ada Bible Church an­nounced that an unauthorized person took over their computer network servers, pre­venting them from being able to access their network.

Rev. Justin Johnson wrote about a breach of his church’s account informa­tion and the theft of funds from multiple accounts. The investigation led them to believe the hacker got the account infor­mation from “a phone app, phone usage, or unsecured laptop connection.”

We tend to think of big corporations like Target, Yahoo, Macy’s, and others who have had large data breaches or hacks in recent years. While larger companies are certainly in the spotlight, hackers view smaller organizations as easier targets since they may not have the same level of security protec­tions in place.

Don't miss the WFX Conference & Expo Safety and Security sessions in Orlando on November 13-15, 2018

As Thomas Tyler, cyber services advisor at Traina & Associates stated in our inter­view, “To the hacker, it’s just an IP address. It doesn’t matter whether it’s a big corpo­ration or a rural church. They’re looking for vulnerabilities.”

A hack doesn’t only have the potential to impact the church’s bank account (as terrible as that would be). It could also impact the lives of each person who has donated to, or otherwise shared personally identifiable information with the church (name, address, phone number, email address, etc.). This includes current and former staff members whose information the church collected for employment purposes, volunteers from whom you’ve gathered vital data to run a background check, donors, and more.

If someone managed to get into the church’s systems and stole that information, (s)he could try to sell that data or even use it to potentially gain access into bank accounts of those individuals as well. As imagined, this scenario would create a dire situation for those individuals as well as for the church’s own finances and reputation.

PREVENTION IS KEY

You need to protect data entrusted to your church and to guard against theft of church finances, so it’s critical to take steps towards minimizing potential vulnerabilities.8 Worship Facilities JULY/AUGUST 2018 worshipfacilities.com

TIP #1: STAY CURRENT WITH SECURITY PATCHES

You know those messages that pop up on your computer to update software? Opt­ing to “do this later” can leave your church’s network and sensitive data vulnerable to hackers. Software vendors provide those patches based on the latest malware, com­puter viruses, and hacks. The patches are designed to reduce or eliminate vulnerabil­ities they’ve discovered as hackers become more sophisticated.

Take the time to educate employees on the need to keep software up-to-date. How­ever, don’t just rely on staff to always make the right call here. “We advise clients to have a centralized IT management system in-place to update software and security patch­es on desktops, laptops, and mobile devices,” emphasizes Tyler.

TIP #2: EVALUATE VENDORS – NEW AND OLD

Like most churches, you probably rely on vendors to have solid security systems to protect your sensitive data. Church man­agement software, accounting software, and even HVAC control systems are often cloud-based. Tyler recommends evaluat­ing vendors before you decide to use their software and on an annual basis to con­firm they’re staying current on the proper security protocols. He suggests asking for the following information to help evaluate each vendor:

  • Recent financial statements (to confirm they’re financially stable)
  • Security audit reports
  • Disaster recovery plan
  • Insurance
  • Documentation on the vendor’s own vendor management process to ensure they’re vetting their vendors effectively.
  • Incident response plan

If you don’t have an IT expert on staff, you may need to bring in someone to serve as your church’s Information Security Officer on a contract or volunteer basis as you’re decid­ing on a hardware/software vendor or when you conduct these annual reviews.

TIP #3 – EDUCATE EMPLOYEES & VOLUNTEERS

Anyone who has access to your church’s net­work, email, or systems (ChMS, accounting, etc.) could put it at risk unknowingly. It’s im­perative to educate staff and volunteers who have access to the church network on how to keep it secure.

Educate them on the following:

Phishing emails – According to Zdnet. com, “a basic phishing attack attempts to trick the target into doing what the scammer wants. That might be handing over pass­words to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.” These could be executed via an email that hackers send to trick the recipient to click on a link that goes to a fake webpage intended to get the victim to enter personal infor­mation or a link that installs malware onto the victim’s computer. Hackers are getting more sophisticated on how they target these emails and to whom, as well as how authen­tic they look. Provide examples of what a phishing email could look like and talk with church staff and volunteers about how to spot a phishing email.

Passwords – Discuss the importance of not sharing login information with those who have access to church systems. Also, make sure they know it’s best to not use the same password for multiple applications.

Personal devices – While you can’t make sure people keep their home laptops or personal cell phones up-to-date, you can inform them of how they could put the church’s network at-risk if they access their church email or systems from a personal device that doesn’t have the latest security patches installed.

TIP #4: USE MULTIPLE LAYERS OF CONTROL

If you’re looking to secure your home, you might install high-quality doors and dead­bolts. You might also use a security system to alert you in case someone breaches the locks. Similarly, you want to use more than one type of control to secure your church’s network and data.

One example Thomas mentions is multi­factor authentication. This is where in addi­tion to entering your username and pass­word to access your bank account, you also must answer security questions such as the city you were married in or the name of your first pet. Another example is when you sign in but then have to enter a confirmation code that the software sends to you via text message or email.

Including multiple layers of security con­trols serves as a backup in case the first layer fails (e.g., a hacker gets login and password in­formation but doesn’t get the text message).

IF PREVENTION DOESN’T WORK

Unfortunately, we can prevent every ma­licious attack. While the focus should be on prevention, you also need a plan to respond to and protect your church should a hacker be successful.

TIP #1: CONSIDER PURCHASING CYBER LIABILITY INSURANCE COVERAGE

A hack can be expensive for your church. Even if the hacker doesn’t steal directly from church bank accounts, (s)he might steal data. This could mean your employ­ees, volunteers, and donors are at risk of identity theft if their data was compro­mised. Insurance can help offset the costs associated with dealing with the fallout (paying for credit monitoring services for those impacted, hiring forensic IT special­ists to find the cause of the breach and fix the problem, etc.).

TIP #2: DEVELOP A RESPONSE PLAN

While we don’t want to think any of these would happen to our church, it’s wise to de­velop a plan to deal with various scenarios such as:

Hackers have taken over entire net­works and held the data for ransom. How would your church respond if that occurred?

How would you communicate to those whose data was stolen about the breach and what your church plans to do about the situ­ation?

If a hacker took over your church web­site, how would you handle that scenario?

What would you do if church bank ac­counts were wiped out and credit cards were maxed out by hackers?

We are increasingly dependent on tech­nology. The incredible benefits of technolo­gy do come with some amount of risk. Invest in the effort to prevent and plan for potential issues. Taking the time to consider these risks and how to mitigate them is part of being an excellent steward of the resources God has entrusted to your church.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish