Cybersecurity and Churches
By Charles Parker II
As with so many other non-profits, churches likewise have been listed as a target for attackers. This issue has been exasperated due to churches, along with other non-profits, having issues with cash flow and budgetary constraints. For the church’s management structure, purchases of tangible assets may be a much less daunting task. With cybersecurity having such a new focus in mainstream IT and industry, describing what needs to be done, why the project needs to be done, and the potential impact of a breach is difficult. Describing the potential impact of a breach, an intangible, is much different than purchasing a new pew, a tangible asset that would been seen and used with regularity. The management may not be able to fully appreciate the extensive issues directly associated with a compromise and its effects on future rapport with the community/parishioners, remediating the issue from the network, and protecting assets. The lack of understanding is compounded with the church’s need to be connected via the internet only further complicates the issue.
The church needs to be competitive and digitally connected with the congregation and public. This has historically taken the form of the church’s website available for people to search for and gain information on, email updates to the staff, and/or congregation, Wi Fi for the people attending and staff, and many other services. With the current state of technology and the people’s perceived need for this, the churches don’t have much of a choice. These and other points provide ample attack points and vulnerable areas that need to be addressed prior to a system being compromised.
The goal of securing the church’s network or enterprise may be a rather arduous road. This is not an impossible task, however would take effort and time on the part of the IT area and open-minds from the management.
The church certainly can ask for voluntary help and assistance from their congregation. The staff may be amazed at the depth of knowledge there is at the church. People from all walks and industries have been members of the church. Each of these people have different level of expertise in different areas of IT. These persons may also have a varying number of hours to volunteer. Some may have eight, while others may have ten hours per week to put the system in place and later monitoring the security logs. With a few persons in place, this would be less of a momentous task. These persons may not be computer experts, but certainly can help or provide input.
The church also could put in place programs that don’t require a mass amount of effort and time. One action that needs to be addressed is anti-virus and anti-malware. If this is already in place, this may be reviewed to ensure it is a good fit. This solution is not perfect, which has been researched at length, however it does provide for a baseline level of protection.
The church also should train the staff in its entirety. Any of the church’s staff with access to the computer system should be trained for security threats. This training should be focused on phishing prevention and social engineering examples. This vector of attacks has been thriving for a few years and has proven to present rather significant issues for the targets.
If this is not presently being done, the church’s IT department needs to have a robust and timely patch management program in place and being used. Patches should be pushed often. These have been coded for a reason. These have been designed to improve the processing, fix vulnerabilities, and other options. These are not meant to be an inconvenience, but a necessity with most patches.
The church needs to ensure the back-ups are done and tested to ensure the back-ups are done and tested to ensure the back-ups are done and in a retrievable form. This is useful in many forms and reasons. In the case of ransomware, the church would be able to restore the systems from the backup with little loss of data. Without the valid, viable back-ups in place, the circumstances would be drastically different, creating stress and taking much time to fix. Without this in place and being actively tested, the church’s network and system would be susceptible to ransomware, malware, and simple user error. This is relatively simple to implement.
Spam filters are a valid tool to assist in protecting the system. This is always a good idea for the members and staff with email accounts when the email is internal. Spam is sent to virtually every single email address when operating for more than two days. These would entice the users to click on links, pictures, or to visit a website selling products or services, or informing them of “fantastic” offers. The adequate spam filter would remove this issue to a significant level from the users. By extension, this should also decrease the level of malware experienced by the church.
The church should have their policies regarding computer usage. There should not be an issue with this, however when this is in a written form, documented for the users, there is a clear line to cross. The policies would be read, and reviewed by all users on the system and signing a document reflecting this.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.