DATA BREACHES, HACKS, ransomware, and malware. None of these are terms we want to think of—especially when it comes to our church. Unfortunately, churches aren’t exempt from targeted attacks.
In 2011, St. Ambrose Cathedral had over $680,000 stolen when hackers took over their account.
On April 21, 2018, Ada Bible Church announced that an unauthorized person took over their computer network servers, preventing them from being able to access their network.
Rev. Justin Johnson wrote about a breach of his church’s account information and the theft of funds from multiple accounts. The investigation led them to believe the hacker got the account information from “a phone app, phone usage, or unsecured laptop connection.”
We tend to think of big corporations like Target, Yahoo, Macy’s, and others who have had large data breaches or hacks in recent years. While larger companies are certainly in the spotlight, hackers view smaller organizations as easier targets since they may not have the same level of security protections in place.
As Thomas Tyler, cyber services advisor at Traina & Associates, stated in our interview, “To the hacker, it’s just an IP address. It doesn’t matter whether it’s a big corporation or a rural church. They’re looking for vulnerabilities.”
A hack doesn’t only have the potential to impact the church’s bank account (as terrible as that would be). It could also impact the lives of each person who has donated to, or otherwise shared personally identifiable information with the church (name, address, phone number, email address, etc.). This includes current and former staff members whose information the church collected for employment purposes, volunteers from whom you’ve gathered vital data to run a background check, donors, and more.
If someone managed to get into the church’s systems and stole that information, (s)he could try to sell that data or even use it to potentially gain access to the bank accounts of those individuals as well. As you can imagine, this scenario would create a dire situation for those individuals as well as for the church’s own finances and reputation.
PREVENTION IS KEY
You need to protect data entrusted to your church and to guard against theft of church finances, so it’s critical to take steps towards minimizing potential vulnerabilities.
Worship Facilities, JULY/AUGUST 2018, worshipfacilities.com
TIP #1: STAY CURRENT WITH SECURITY PATCHES
You know those messages that pop up on your computer to update software? Opting to “do this later” can leave your church’s network and sensitive data vulnerable to hackers. Software vendors provide those patches based on the latest malware, computer viruses, and hacks. The patches are designed to reduce or eliminate vulnerabilities they’ve discovered as hackers become more sophisticated.
Take the time to educate employees on the need to keep software up to date. However, don’t just rely on staff to always make the right call here. “We advise clients to have a centralized IT management system in place to update software and security patches on desktops, laptops, and mobile devices,” emphasizes Tyler.
TIP #2: EVALUATE VENDORS – NEW AND OLD
Like most churches, you probably rely on vendors to have solid security systems to protect your sensitive data. Church management software, accounting software, and even HVAC control systems are often cloud-based. Tyler recommends evaluating vendors before you decide to use their software and on an annual basis to confirm they’re staying current on the proper security protocols. He suggests asking for the following information to help evaluate each vendor:
- Recent financial statements (to confirm they’re financially stable)
- Security audit reports
- Disaster recovery plan
- Documentation on the vendor’s own vendor management process to ensure they’re vetting their vendors effectively
- Incident response plan
If you don’t have an IT expert on staff, you may need to bring in someone to serve as your church’s Information Security Officer on a contract or volunteer basis as you’re deciding on a hardware/software vendor or when you conduct these annual reviews.
TIP #3: EDUCATE EMPLOYEES & VOLUNTEERS
Anyone who has access to your church’s network, email, or systems (ChMS, accounting, etc.) could put it at risk unknowingly. It’s imperative to educate staff and volunteers who have access to the church network on how to keep it secure.
Educate them on the following:
- Phishing emails – According to ZDNet.com, “a basic phishing attack attempts to trick the target into doing what the scammer wants. That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.” These attacks could be executed via an email that tricks the recipient into clicking a link that goes to a fake webpage intended to get the victim to enter personal information, or a link that installs malware onto the victim’s computer. Hackers are getting more sophisticated in how they target these emails and to whom, as well as how authentic they look. Provide examples of what a phishing email could look like and talk with church staff and volunteers about how to spot one.
- Passwords – Discuss the importance of not sharing login information with those who have access to church systems. Also, make sure they know it’s best to not use the same password for multiple applications.
- Personal devices – While you can’t make sure people keep their home laptops or personal cell phones up to date, you can inform them of how they could put the church’s network at risk if they access their church email or systems from a personal device that doesn’t have the latest security patches installed.
TIP #4: USE MULTIPLE LAYERS OF CONTROL
If you’re looking to secure your home, you might install high-quality doors and deadbolts. You might also use a security system to alert you in case someone breaches the locks. Similarly, you want to use more than one type of control to secure your church’s network and data.
One example Thomas mentions is multifactor authentication. This is where in addition to entering your username and password to access your bank account, you also must answer security questions such as the city you were married in or the name of your first pet. Another example is when you sign in but then have to enter a confirmation code that the software sends to you via text message or email.
Including multiple layers of security controls serves as a backup in case the first layer fails (e.g., a hacker gets login and password information but doesn’t get the text message).
IF PREVENTION DOESN’T WORK
Unfortunately, we can’t prevent every malicious attack. While the focus should be on prevention, you also need a plan to respond to and protect your church should a hacker be successful.
TIP #1: CONSIDER PURCHASING CYBER LIABILITY INSURANCE COVERAGE
A hack can be expensive for your church. Even if the hacker doesn’t steal directly from church bank accounts, (s)he might steal data. This could mean your employees, volunteers, and donors are at risk of identity theft if their data was compromised. Insurance can help offset the costs associated with dealing with the fallout (paying for credit monitoring services for those impacted, hiring forensic IT specialists to find the cause of the breach and fix the problem, etc.).
TIP #2: DEVELOP A RESPONSE PLAN
While we don’t want to think any of these would happen to our church, it’s wise to develop a plan to deal with various scenarios such as:
- Hackers have taken over entire networks and held the data for ransom. How would your church respond if that occurred?
- How would you communicate to those whose data was stolen about the breach and what your church plans to do about the situation?
- If a hacker took over your church website, how would you handle that scenario?
- What would you do if church bank accounts were wiped out and credit cards were maxed out by hackers?
We are increasingly dependent on technology. The incredible benefits of technology do come with some amount of risk. Invest in the effort to prevent and plan for potential issues. Taking the time to consider these risks and how to mitigate them is part of being an excellent steward of the resources God has entrusted to your church.