Cyberthreats: a new reality churches must protect against

By Andy Lott

Cybercrime is a problem on the rise, impacting businesses and organizations worldwide.

Accenture, a multinational digital services company, recently reported an 11% increase in security breaches since last year and a 67% increase in security breaches over the last five years. The cost of cybercrime to businesses and organizations was a collective $2.7 billion in 2018, according to the FBI’s Internet Crime Report.

The rising incidence of cyberthreats and the cost to mitigate them can be attributed in part to the increasingly sophisticated techniques cybercriminals are using to break into systems, steal personal data, hold systems ransom and spread viruses. These malicious actors are equal opportunity abusers, targeting organizations of all sizes, from big corporations to small nonprofits. Any organization that uses a computer connected to the internet is at risk for cyberthreats.

Even with the increased awareness of cybercrime, many churches and religious organizations still feel that they are too small to be targeted by cybercriminals or don’t have data that would be of interest to hackers. Nothing could be further from the truth.

Many churches maintain contact information on congregation members and attendees (home addresses, phone numbers and email addresses), donation and credit card information, and employee data — information cybercriminals seek to exploit.

Some of the common cyberthreats churches are exposed to include malware, phishing and technical vulnerabilities.

  • Malware is malicious software installed without a user’s knowledge. Malware attacks start when a user clicks on a link in a phishing email or visits an infected website. Ransomware is a type of malware attack that cybercriminals use to encrypt data and demand money to unlock it or threaten to leak data unless a ransom is paid.
  • Phishing emails are fraudulent emails that contain links or an attachment that, if clicked on by the recipient, allow hackers to infect systems with malware or steal data. These emails can take the form of alerts about package shipments or credit card fraud. Some even look like communication from legitimate sources. Filtering software designed to stop many of these emails does not catch all of them.
  • Technical vulnerabilities can exist in all software, including operating systems and applications. These technical vulnerabilities are essentially holes in software code that allow cybercriminals to gain unauthorized access to a system. Patches and updates can be applied to address these vulnerabilities. However, organizations are not always vigilant in updating systems, and in some cases a patch or update isn’t available at the time a vulnerability is discovered.

Unfortunately, all churches today are vulnerable to cybercrime. For example, St. Ambrose Roman Catholic Church in Brunswick, Ohio, was recently scammed out of $1.75 million. A phishing email led the church to believe the construction firm doing renovation work on its sanctuary had made changes regarding its financial institution. An FBI investigation found that the church’s email system was hacked, and the cybercriminals were able to deceive the church leaders into believing the construction firm had changed its bank and wiring instructions.

Steps to protect your church

There are measures churches can take to protect themselves from cyberthreats, including monitoring, maintenance and education.

Churches should have a properly configured firewall to monitor incoming and outgoing network traffic. A firewall acts to keep threats away from computers, sitting between a computer and the internet to determine which traffic is and is not allowed through.

Regular system maintenance also is key to minimizing cyberthreats. Anti-virus and anti-malware software should be updated regularly and kept running 24/7 on every system. Churches also should continually back up data, patch and update all systems and make sure passwords are changed periodically.

It is important that church staff and volunteers are educated on how to recognize and respond to cyberthreats so they can spot scams and help prevent data breaches.

For example, staff and volunteers should be aware of one of the latest cyber scams, which originally started as an email scam and is now being seen on cell phones. Cybercriminals posing as someone in the organization text staff or volunteers, asking them to buy gift cards for birthdays or charity. Once the staff member or volunteer confirms the purchase, the cybercriminal asks for the serial number on the gift cards and then uses them.

As part of the education process, it’s important for church leaders to talk to staff and volunteers about using strong passwords containing a combination of letters and numbers for all church computers. One weak password can put an entire system at risk.

Churches should protect themselves from the potential fallout of a data breach, which can threaten church business continuity and create financial and legal liabilities. Cyber liability insurance can help religious organizations cover the high cost of data breaches and recover from a cyber attack.

In general, cyber liability policies protect churches from data breach exposure, covering associated expenses such as notification costs, defending claims by state regulators, fines and penalties, credit monitoring costs, and losses resulting from identity theft. These policies also protect churches from losses stemming from business interruption, computer fraud, data loss/destruction, and cyber extortion.

Religious organizations should not make the mistake of assuming they are covered for cyber liability under their general liability policy. Cyber coverage is a separate policy. There are no one-size-fits-all policies, so religious organizations should consult with their insurance advisor to determine the level of coverage they need.

As organizations and individuals become more connected than ever in today’s digital age, cyberthreats continue to mount. All organizations, including churches, should make cybersecurity a priority, managing risks on the front end through monitoring, maintenance and education. However, should a cyber event occur, churches can protect themselves from the high cost of a data breach with cyber liability insurance.

Andy Lott is a managing partner with Insurance Office of America (IOA). Lott helped establish IOA’s Birmingham office in May 2005. He works with clients of all sizes from coast to coast and has experience with large deductible, self-insured, and captive insurance programs. He also is a managing partner of IOA’s proprietary insurance process RiskScore®, which is designed to act like a credit score for insurance. Lott can be reached at




