This is a guest post by my friend Lincoln Kaffenberger.
Lincoln was a member of our church plant, served as a military officer, and now works as an information technology professional in the financial sector. He has over a decade of experience helping organizations understand the threats they face and make informed, risk-based decisions.
"Beloved, do not be surprised at the fiery trial when it comes upon you to test you, as though something strange were happening to you." (1 Peter 4:12)
Cyber-attacks are already a common part of daily life for businesses. Unfortunately, they are becoming a common part of life for churches too. Many churches are unprepared for common cyber-attacks that businesses regularly experience. Too often church leaders simply consider cybersecurity an IT issue without considering the organization-wide impacts a successful cyber-attack could have on their church’s ability to function, its reputation, and its congregation. Times have changed. Cybersecurity is now an organizational issue that pastors and other church leaders must care about.
There have been several examples in the past few years of churches that have been victims of cyber-attacks. Churches have lost the money in their bank accounts, had their congregants' and staff members' identities stolen, had their websites defaced and taken down, had sensitive information put at risk of exposure, and fallen victim to an increasingly common type of cyber-attack: ransomware. Any one of these events can damage the trust a church has with its people and community and hinder its ministry to those outside the church.
One way churches can improve their security in a meaningful, cost-effective way is to run tabletop exercises that work through plausible cyber-attack scenarios. Churches should consider both the most likely and the most dangerous cyber threat scenarios to understand what the impact of each could be. By working through these scenarios in a low-stress environment before a cyber-attack happens, church leadership can rehearse their response plans, identify gaps in those plans, and ultimately improve their security. Tabletop exercises also serve as educational events for those in a church who are less familiar with cybersecurity.
Some questions church leaders should ask when they think of different cyber-attack scenarios are:
- Could this scenario happen to us? What conditions would have to exist for this scenario to be feasible?
- If this scenario happened, what would the impact be to our reputation and credibility? How would we rebuild our reputation and trust with our congregation and community?
- How would we respond? Who would we turn to for help? Who could we call?
- How could this attack have been prevented? Could we detect this attack at its early stages?
Here are five cyber threat scenarios, each of which has affected churches recently:
1. Cybercriminals empty the church's bank account.
2. Hackers deface the church's website with politically charged images.
3. The church falls victim to a ransomware attack that denies it access to its files.
4. A pastor's accounts are hacked and the attackers publicly release sensitive information.
5. Church staff and congregants' identities are stolen after the church database is breached.
Each of these scenarios represents a kind of attack, or a kind of harm, that a cyber-attack could bring to a church. If church leadership walks through these five scenarios and answers the questions above as an organization, they will discover their level of exposure to cyber risk, better understand where the holes in their cybersecurity are, be better positioned to respond to a cybersecurity incident, and, importantly, be ready to adopt and build a culture of security within the church that allows it to do the Lord's work securely.
Resources and Recommendations
In addition to conducting tabletop exercises with these threat scenarios, the following resources can help improve your church's cybersecurity. First, every leader should start by securing themselves by following the "Cybersecurity Basics for Individuals." Next, leaders should ensure their churches are following the "Cybersecurity Recommendations for Organizations." These will not provide perfect security, but they are a good start toward a more cyber-secure online ministry.
Cybersecurity Basics for Individuals:
The "UPDATE Protocol" from Marc Goodman's "Future Crimes" (the first letter of each step spells UPDATE):
a. Update frequently: all operating systems, firmware, and apps, everything.
b. Passwords should be unique, long, strong, and stored securely (e.g. in a password manager); use multi-factor authentication wherever it is offered.
c. Download programs and files only from trusted sites; be wary of "free software"; enable the "white-listing" settings on Windows or Mac so only approved programs run; pay attention to app permissions.
d. Admin accounts have the highest permissions and shouldn't be used for normal activities like browsing the internet; use a separate standard "user" account for checking email and surfing the web.
e. Turn off your devices (or at least their internet connection) when not in use, which reduces the opportunity for criminal attacks by a third.
f. Encrypt your data while it is on your devices by using BitLocker (Windows) or FileVault (Mac) to encrypt the hard disk; encrypt your data while it is in transit by using a Virtual Private Network (VPN).
Cybersecurity Recommendations for Organizations:
● Identify and protect your most important digital assets – your cyber crown jewels
● Establish policies and procedures for your church’s information security – here is an example
● Have a cyber incident response plan, and create one if it does not already exist: NIST's SP 800-61 is a good resource to begin with – https://www.nist.gov/publications/computer-security-incident-handling-guide
● Follow cybersecurity best practices by implementing the Center for Internet Security's Top 20 Critical Security Controls. Often, doing the basics of security, such as properly configuring devices, requiring everyone to follow secure practices, and reducing exposure, costs very little money but pays huge dividends. Other security measures, such as malware protection, may be discounted for churches. In some cases, churches can receive donated or discounted security technology – http://www.techsoup.org/bitdefender