The synod headquarters office — being a central repository of a great deal of sensitive information — had taken security very seriously, in every possible regard.
By Michael J. Bemi
The synod building itself was accessible only via secured passkeys issued only to employees — never to contractors or guests — and their use was monitored and registered, so that a computer log was maintained which could be referenced to determine whenever an employee entered or exited the building and who that employee was. Guests were required to log in and log out and were given guest IDs that had to be visibly attached to clothing and returned for log entry at the time of guest departure. All entry / exit points were monitored by closed-circuit television, which recorded tapes for later review by building security.
The building also employed a central station smoke / heat / fire and burglar alarm system. Archival storage areas in the building were accessible by a very limited group of employees, and the storage cabinets and containers for files, tapes, records, discs, etc., were themselves constructed to be highly fire-resistant, and all were continuously kept locked.
This level and quality of attention to detail was also reflected in the information technology / digital realm. IT Department access and synod server access were stringently controlled. An internet service provider (ISP) was selected not only for its available download / upload data transmission speeds and capacities, but also for its data security measures (external to the synod’s measures). The synod IT system was protected by hardware and software firewalls. The system also employed three different anti-malware (anti-virus, spyware, adware, etc.) products which the IT Department configured to be updated automatically on all synod servers, desktops and laptops and which were also configured to automatically run scans daily.
The few laptops, tablets and peripheral devices which were allowed to be taken out of synod headquarters were all encrypted. An excellent policy and related protocols were distributed to every employee regarding their privileges and obligations in relation to the synod system and its devices, plus employees’ use of their own electronic devices for work purposes (part of the synod Bring Your Own Device to Work, or BYOD, protocol).
By almost all conceivable measures, the synod had done everything possible to protect and secure the sensitive personal information which it produced and maintained on employees, volunteers and church members themselves.
So, what went wrong?
One such critically sensitive set of information was the background screening check data developed in relation to the synod’s very robust safe environment program, for the protection of children and other vulnerable individuals. Apart from any actual criminal history reported, this information contained other highly sensitive personal information, such as social security numbers.
Unfortunately, one day a highly regarded and long-standing employee was duped by an exceptionally well-crafted “phishing” email that essentially duplicated the appearance of the website of the synod’s primary banking partner. Clicking on a link that would supposedly redirect the employee to bank personnel who could address and resolve a serious issue, the employee inadvertently loaded malware onto the synod system, which allowed hackers to breach system security and harvest a huge amount of personally identifiable information (PII) stored on the servers.
Worse yet, the breach was not discovered until well after its initial occurrence. The costs to the synod of crisis management for credit monitoring, forensic investigation, repair of public relations damage — and still possible third-party lawsuits — have been very significant and remain as yet incalculable in total.
What the synod overlooked
It should have had an education program for employees helping them to recognize and avoid “phishing” and other systems-related scams.
It should have encrypted all of the most sensitive data it kept.
It should have employed some form of continuous system monitoring to “flag” system anomalies.
And, it might also have considered using an outside firm to perform occasional penetration testing and threat assessment.
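The third recommendation above, continuous monitoring that flags anomalies, is the one that would have shortened the time between the initial compromise and its discovery. The following is an added illustration, not code from the synod or from the author, of what such a check looks like in its simplest form. It runs over a few constructed access-log lines for a sensitive record store (the log format, user names, thresholds and timestamps are all hypothetical) and flags two kinds of events: single accesses that are bulk, off-hours or exports, and a user's daily total that sharply exceeds that user's own prior history.

```python
"""Simple anomaly flagging over access-log lines for a sensitive record store.

Hypothetical, constructed example: the log format (<ISO timestamp> <user>
<action> <record count>), the users, the thresholds and the events below are
invented for illustration and do not describe any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two days of access to the background-screening store.
SAMPLE_LOG = """\
2024-03-04T09:12:05 jdoe READ 3
2024-03-04T09:40:11 jdoe READ 2
2024-03-04T10:05:47 asmith READ 4
2024-03-04T14:22:09 jdoe READ 1
2024-03-05T02:17:33 jdoe READ 4800
2024-03-05T02:19:02 jdoe EXPORT 4800
2024-03-05T09:30:00 asmith READ 3
"""

BASELINE_MAX_RECORDS = 50      # most records a single normal access touches (assumed)
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time (assumed)
EXPORT_ACTIONS = {"EXPORT"}    # actions that move records out of the store


def parse_line(line):
    """Split one log line into (timestamp, user, action, record count)."""
    ts, user, action, records = line.split()
    return datetime.fromisoformat(ts), user, action, int(records)


def flag_anomalies(log_text, baseline_max=BASELINE_MAX_RECORDS,
                   business_hours=BUSINESS_HOURS):
    """Per-event checks: return (timestamp, user, reasons) for events to review."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, records = parse_line(raw)
        reasons = []
        if records > baseline_max:
            reasons.append(f"bulk access: {records} records (baseline max {baseline_max})")
        if ts.hour not in business_hours:
            reasons.append(f"outside business hours ({ts.strftime('%H:%M')})")
        if action in EXPORT_ACTIONS:
            reasons.append("export of sensitive records")
        if reasons:
            alerts.append((ts.isoformat(), user, "; ".join(reasons)))
    return alerts


def daily_totals(log_text):
    """Aggregate records touched per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))  # user -> ISO date -> records
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, _action, records = parse_line(raw)
        totals[user][ts.date().isoformat()] += records
    return totals


def flag_baseline_deviations(log_text, multiplier=10):
    """Per-user baseline check: flag a day whose total exceeds `multiplier`
    times the largest daily total that user had on any earlier day."""
    alerts = []
    for user, by_day in daily_totals(log_text).items():
        prior_max = 0
        for day in sorted(by_day):
            total = by_day[day]
            if prior_max and total > multiplier * prior_max:
                alerts.append((day, user, f"daily total {total} vs prior max {prior_max}"))
            prior_max = max(prior_max, total)
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE_LOG) + flag_baseline_deviations(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Against the constructed log, the per-event check flags the two 02:00 accesses by jdoe (bulk, off-hours, and one export), and the baseline check flags jdoe's second day because 9,600 records is far above that user's earlier daily maximum of 6. Either rule alone would have produced an alert on the first day of the harvesting rather than "well after" it; the per-user baseline matters because a legitimate bulk user and a compromised ordinary user look very different against their own histories.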
Michael J. Bemi is president & CEO of The National Catholic Risk Retention Group, Inc. (Lisle, IL) — a recognized leader in risk management. To learn more about available coverage — and to get valuable tools, facts and statistics — visit our website.