By Rick Schaber
Cyber criminals are turning their attention to easy targets — including religious organizations.
Although cybercrime at Fortune 500 companies continues to make the headlines, more than 70 percent of data breaches are occurring at small businesses and organizations.
“Criminals are targeting small businesses because they’re soft targets when compared to more security-conscious larger businesses,” says Tom Widman, president and CEO of Identity Fraud Inc., a California-based company specializing in providing data breach remedies and insurance coverage for small businesses. “Religious organizations fall into this category. And, like small businesses, they need a big-business mentality concerning their identity and protection of their employees’, volunteers’ and members’ data.”
The objective of most cybercrimes is to access and capture sensitive data with the intent to use it in a fraudulent manner, causing financial harm to the person or organization whose data was stolen. Any organization that collects and stores sensitive data has the legal responsibility to protect that data.
Religious organizations of all sizes have a great deal of sensitive data — although many don’t realize it.
The typical information kept on members is name, address, telephone and email, but it can also include date of birth, anniversary, credit card information and bank account information. If there’s a children’s ministry, the organization can have health care insurance and provider information on each child. Volunteer drivers should provide their driver’s license and automobile insurance information to the organization. Employee records also will include payroll, taxes, retirement plans, Social Security numbers and other personal information.
“Before you can begin to implement security measures, you must first determine what data you need to protect, the value of the data, and where it is kept,” Widman says. “The necessary starting point for data risk management is to identify and classify your data assets.”
The cause — and the solution
Although technology has heightened the risk of cybercrime, it also offers many of the risk management solutions. These include encryption, firewalls, anti-malware, scanning software and other system maintenance.
Data encryption secures the data by making it unreadable to those who don’t have the key to decrypt the data. One valuable type of encryption and important layer of security is keystroke encryption. This software program encrypts data as it’s entered.
“A recent data breach involved 130 million records that were exposed when keylogging malware was able to penetrate a system,” Widman says. “A keystroke encryption program would have blocked this.”
Malware is the industry term for any malicious software designed to harm computers or steal data. Keylogging malware can infiltrate your system when you click on an unknown link in an email that has malware. This technique is known as “phishing” or “spear phishing.”
“Encrypting data can provide a safe harbor, depending on specific data breach laws,” Widman says. “However, not encrypting data — and suffering a breach — almost guarantees you’ll be facing a significant hardship.”
A firewall is the protective layer between your computer and the Internet. It can be hardware or software and is placed at the point where the Internet enters your organization.
“Every laptop should have a bidirectional (inbound and outbound) personal firewall installed as part of its standard configuration,” Widman advises. “This will provide protection against the vulnerability of wireless and other third-party networks.”
Anti-malware also should be installed on every computer, laptop and mobile device as this offers another layer of defense from cybercrime. This includes programs that can scan your equipment for problems.
Protecting the data your organization has in its possession is important, but so is protecting the data specific to your organization.
“Identity fraud is no longer just a crime targeted at individuals — it also targets organizations,” Widman says. “The methods a criminal will use to steal your organization’s identity are similar to those used to steal the identity of an individual, but the stakes are often much higher.”
In addition to gaining access to an organization’s sensitive data, criminals will run vendor scams by posing as an organization and diverting deliveries to another address; “business phishing” through what appears to be employee email requesting sensitive information; “pharming,” which redirects traffic from your website to an imposter website; and “vishing” — using your organization’s telephone system to leave voicemails seeking sensitive information. Recipients usually trust your organization and are more likely to provide the information.
Finally, there’s extortion. The criminal steals or threatens to steal your data and demands a ransom to prevent the records from being sold or other-
Cyber-liability insurance financially protects your organization if you’re a victim of a cybercrime and lawsuits, fines or penalties result. Data breach response coverage exists to pay for crisis management, forensic audits, notification and credit monitoring your organization will incur as a result of the cybercrime.
Rick Schaber is manager of CMIC Specialty Services in Merrill, WI, a specialty commercial insurance agency owned by Church Mutual Insurance Company.