9 of the most at-risk ministry areas — and what you can do to keep hackers out
By Charlie Cutler
How much do you know about cybersecurity and cyberliability? Is it enough to keep your church safe from massive data or financial loss?
If you missed part 1 of our three-part Church Executive series on cybersecurity and cyberliability (July / August 2016), you should know that the risk of data breaches goes beyond Hillary’s server or Sony and Target’s credit card breaches.
Cyberliability is becoming increasingly problematic for churches and non-profits.
A data breach occurs when sensitive information is stolen digitally using a computer. According to Hackmageddon.com, in 2015, a sizable 3.4 percent of the 40,000 hacks made per day were against religious organizations, and nearly 20 percent were against non-profit organizations.
Areas of ministry risk (and what you can do)
Step 1 of the battle against cyberattacks is to know which areas of ministry are most at-risk, as well as some techniques you can use to prevent hackers and thieves from gaining access to your church’s financials and other data.
#1: Passwords: Jesus123? John316? Did you know that some of the most commonly hacked passwords include words using “God,” “angel” and “Jesus”?
It is imperative that your church implement a password policy that encourages staff to use tough-to-crack codes that brute force attacks won’t be able to easily guess. (Hackers use software that tries to guess your passwords over and over again.)
One technique that I like is to take the first letter of each word in a favorite verse, with the chapter and verse at the end. For example: ‘iAyWsThAhWmYpS356’ is Psalms 3:5-6: ‘in all your ways submit to him and he will make your paths straight 356.’
Additionally, make sure employees never leave their passwords on their calendars or desks (not even under blotters).
#2: ‘Phishing’ and ‘whaling’: This isn’t a reference to being ‘Fishers of Men’ or Jonah! Phishing involves requesting secured data from an individual while masquerading as a trusted party. Whaling is the same concept, but targeted toward high-value persons, such as pastors or financial department staff.
#3: IT support: Ministries count on volunteers in so many ways, but IT Support shouldn’t be one of them. If you outsource IT, find someone who understands ministry and church software. If you have an IT person, get them involved in ‘The Church IT Network’, a group of ministry IT professionals which connects to support each other in their ministry roles.
#4: Software and the Web: Sometimes your risk is hiding in plain sight. It might be inside that free, indie (independently developed) software package your pastor downloaded to his computer. Or even worse, did you know that just visiting a website could put your staff at risk?
Malware, malvertising, drive-by downloads and rogue security software haunt the Internet. Malicious code hides within seemingly benign free software, antivirus programs, and even advertisements on web pages. Installing the programs or clicking on the ads can infect your system with code that allows hackers to gain access to your system and mine it for login credentials to your banking and credit card companies.
To help prevent these risks, update software regularly, use a firewall, and have an IT professional who is familiar with church software maintain your systems and devices.
#5: Church Wi-Fi: Many churches have fallen victim to ‘evil twin attacks’ — where someone sets up a Wi-Fi network that sounds like one the church would have. It allows the attacker to collect information that is transmitted over the network.
Also, ask your IT team about protecting your ministry with SSL-protected apps and VPNs.
#6: Children: We have a duty to protect children in so many ways. One of them is to make sure there is no personally identifiable information about them on your website or in any social media.
Posting a bulletin? No pictures or names of children should be included.
If you are collecting their data, make sure that you are in compliance with the Children’s Online Privacy Protection Act.
#7: Protect volunteer and employee info: Personnel records include personal information which, in the wrong hands, could be used to create fake credit profiles. If a breach were to occur, laws in virtually every state would require that your church pay for ongoing credit monitoring for every stolen record.
#8: Back-up: Back up your computer’s financial records somewhere other than in the cloud. Print hard copies of financial records quarterly (or more frequently) in the event you lose access to your computer systems.
Lock your extra hard drives in a place where they can’t be carried from the building. This is important in the event your church is a victim of a burglary.
Avoid dumping private records in the trash. There are people who will (legally) “dumpster dive” and (illegally) learn all your secrets.
#9: People: Your greatest weakness is the people in ministry. The first step is to educate your staff on what they need to do to help prevent cyberattacks.
Train your staff on how to spot these attacks; you’ll find resources at www.churchcyberliability.com.
In the next issue, we’ll further discuss how you can mitigate these risks to your church.
Charlie Cutler is the Managing Partner of ChurchWest Insurance Services in Redlands, CA, an insurance agency that specializes in insuring churches. ChurchWest currently insures more than 3,000 faith-based organizations.