Cybersecurity on a budget

Has anyone in your church ever received a request for money in an email that appeared to be from your pastor, but was actually a scam? Or, have you ever learned about a security breach that could compromise your members’ financial information?

These days, most large corporations are making significant technology investments to stay ahead of resourceful cybercriminals. But where does that leave churches — especially those that are already struggling to make ends meet?

Here’s how to shore up your cybersecurity on a budget.

It can be overwhelming to face the prospect of increasing our cybersecurity. Where should we start?

Vaernhoej: The best place to start is by taking an inventory of all the devices and systems your church uses, and which people need to use them. Only the people who need to use the systems should have access. Then, you can determine what other security measures you have in place, and whether they are working for you. Once you have a clear idea of where your security needs are, you can make fact-based decisions about how you should invest your time and money.

How many people should have access to the church’s internal system?

Vaernhoej: You should be restricting access to the bare minimum of people. At Church Mutual, we recommend using the Zero Trust security model, which requires all users — inside and outside the organization — to be authenticated and continuously validated before receiving access to a system. If your church is growing, you need to keep a close watch on who can access which information. This is especially important as people enter and exit your church.

When we have used email filtering systems in the past, we have missed some important emails. How can we prevent that from happening while still protecting our system?

Vaernhoej: The cost of mistakenly blocking an important email pales in comparison to the cost of someone in your organization being successfully phished. The best way to avoid missing emails is by making a regular practice of checking your spam folder.

What are some of the easiest ways to protect our system without breaking the bank?

Vaernhoej: Use layers of complimentary security controls. For example, pairing a content filtering firewall with antivirus software is a simple mix of foundational tools that will stop the vast majority of problems before they can cause any damage. Multi-factor authentication is also important. It is relatively simple to set up this added layer of protection for all your systems, requiring users to prove they are authorized to access that information in two or more ways.

Another way to protect yourself is to maintain a clean computer or device. Keep software and apps on all internet-connected systems up to date and delete unused apps to reduce the risk of
infection from malware or ransomware. Regularly review app permissions to ensure they are correct. When you make sure all your systems are up to date, you can take full advantage of the protections that are already available to you, free of charge.

When it comes to cybersecurity, prevention is a far easier task than dealing with the fallout from a cybersecurity attack. It should be a top priority for all churches.

Nick Vaernhoej is Assistant Vice President — IT Chief Information Security Officer at Church Mutual. He joined Church Mutual in 2022 as the assistant vice president — IT chief information security officer.

Nick holds an associate degree in applied science: system administration from Southeast Technical Institute in Sioux Falls, South Dakota, as well as a bachelor’s degree in information systems security from American Public University System in Charles Town, West Virginia. He also holds a Certified Information Systems Security Professional (CISSP) certification.