Cybersecurity rightfully occupies a spot at the forefront of the news today and is a topic of great concern for leadership in churches, ministries, businesses, and organizations of every kind. The concept can be overwhelming to many, and unfortunately, too many churches do not have a comprehensive strategy in place to prevent attacks from those who may desire to cause them harm.
In the current environment, good stewardship and responsibility demand that churches implement robust cybersecurity plans, procedures, and training. Implementing an effective cybersecurity plan is similar to buying insurance. While you aren’t always thrilled to pay the premiums, you are BEYOND glad that you have the protection when you need it! Put plainly, robust cybersecurity measures are a “must have” in any technology-enabled ministry environment.
The 10 tips provided below can help you prevent cybersecurity attacks and protect the people, data, and equipment in your church. Depending upon the specifics of your church infrastructure, size, and characteristics, some of these areas will be more critical than others. Nevertheless, a thorough plan will include careful consideration of all ten pieces of the puzzle.
1. Perform regular security assessments and checks.
Always be monitoring! You have to be running ongoing, active tests to know whether something is wrong! Much like the maintenance of a car, you must perform periodic check-ups to make sure your environment is consistently up to date. Finding out something is broken in your engine by experiencing a breakdown on the highway is exceptionally inconvenient and potentially dangerous. It is much better to discover the issue during your routine oil change, where you can get it fixed then and there. Similarly, by running regular security assessments, you can find holes and vulnerabilities (and repair them!) before they result in much bigger problems.
2. Provide ongoing employee security training and testing.
While staff and users potentially are your church’s first line of defense, they can also be the church’s most vulnerable link in the cybersecurity chain! Attackers know this, and love to use fear and social engineering to trick people into handing access and information to them on a silver platter. Make sure people know WHY, HOW, and WHERE they can become a security liability, and train them to recognize and avoid dangerous situations such as ransomware and phishing. Cybercriminals are vigilant; anything less than ongoing training and testing of staff and volunteers will leave the church susceptible to attack.
3. Implement enforced security policies, password policies, Multi-factor Authentication, and mobile device security.
Write down your expectations and be clear about technology “dos and don’ts.” Require everyone, from the most senior positions to part-time volunteers, to learn, review, and strictly adhere to the enforced security policies. That means all the time! Consistency is vital. We understand that senior staff in many organizations like to have a second set of “more relaxed” rules that apply only to them, and churches are not immune from this. Ignoring the stated policies in some other ministry areas may not have a huge impact, but it absolutely can spell disaster in the cybersecurity realm. It only takes one shortcut or “workaround” to cause unforeseen, but significant harm. Help users by requiring all devices with access to your data to implement basic security features like device encryption and passcodes/PINs. Also, requiring users to use multi-factor authentication will help ensure that stolen passwords don’t allow easy access to your systems. Finally, we recommend utilizing a password manager that enables users not only to employ unique, complex passwords easily, but also helps to enforce password standards and policies.
4. Implement a robust Business Continuity plan and infrastructure.
It is crucial that the church has and follows a written plan! This plan should do more than merely enable the church to recover data from backups; it should provide true business continuity. Real business continuity means that the church can keep the technology, data, back-office, and reporting aspects of the ministry moving forward at the same time that it is recovering from a cyber-attack or from any other disruption, such as a natural disaster, fire, or flood. The goal of an effective business continuity plan is to be able to recover from an attack or another event via on-premise resources or the cloud with little to no data loss and near-zero downtime.
5. Utilize Unified Threat Management (UTM) Firewalls and Secure Wi-Fi.
Basic firewalls have been a necessity for years. Today’s firewall platforms include UTM features such as Intrusion Detection and Prevention, Gateway anti-virus, Geo-IP filtering, objectionable content filtering, and more. A basic firewall doesn’t do enough to protect you without these advanced capabilities. Likewise, ensuring that devices and users already inside your firewall use Wi-Fi securely and safely is very important. It’s also essential to ensure that your wired and wireless networks properly segment/isolate traffic and that you encrypt all sensitive Wi-Fi traffic to the highest available standards.
6. Utilize and implement Disk Encryption.
Most users now have both laptops and mobile devices (phones, tablets, etc.). All vendors provide built-in encryption mechanisms and tools. Use these tools and manage them to ensure that all devices with YOUR data are keeping that data encrypted. That way, a lost or stolen device doesn’t lead to missing or compromised data.
7. Be diligent about patching.
One of the very BEST things you can do to keep your technology environment secure and healthy is to stay up-to-date with software and firmware patches. Those annoying update notifications are there for a reason! The updates and patches are what help keep your network secure as you stay one step ahead of cyber criminals trying to circumvent the current safety technology.
8. Evaluate whether SIEM (Security Information and Event Management) software and services apply to your environment.
Every keystroke you make and every action that you take on your computer, as well as all the traffic that flows through your network, CAN be logged. Many compliance programs such as HIPAA, PCI, and NIST 800-171 require aggregation and evaluation of all system-level log files. This requirement means that you must compile and store any log data from your firewall, network switches, servers, and even individual user workstations in an off-device location, and in an immutable format. Maintaining the storage of that data is daunting, but the information contained in these logs is priceless in identifying security weaknesses in your environment. SIEM tools are designed to help aggregate all of this log data. The tools also help to analyze and evaluate the data by searching for patterns of suspicious behavior. Searching for data in these logs is like looking for a needle in a haystack. Working with a SIEM vendor who helps aggregate, filter, and flag suspicious activity provides a great ‘second set of eyes’ on the network health of your environment. SIEM vendors will alert you to things you should investigate. Because they have the advantage of seeing these suspicious activity patterns in many other client environments as well, they can more accurately identify what looks ‘safe’ and what looks ‘suspicious.’ This enables you to focus your time on investigating only the suspicious elements.
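To make the “needle in a haystack” search concrete, here is a small, added example (not code from the original article or from Enable) of the kind of pattern search a SIEM performs: it normalizes log lines collected from several devices into one stream, then flags a source address that fails to log in repeatedly within a short window, and raises the severity if that same address then succeeds. The log format, hostnames, user names, and addresses are constructed for illustration (the public addresses are from the documentation ranges), and the threshold of five failures in ten minutes is an assumed starting point, not a vendor default.

```python
"""Toy SIEM-style detection over constructed, centrally collected log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: syslog-like lines gathered off-device from a firewall,
# a workstation, a switch and a file server. Not real log data.
SAMPLE_LOGS = """\
2023-03-01T08:00:01 fw01 sshd: failed password for admin from 203.0.113.5
2023-03-01T08:00:03 fw01 sshd: failed password for admin from 203.0.113.5
2023-03-01T08:00:04 fw01 sshd: failed password for root from 203.0.113.5
2023-03-01T08:00:06 fw01 sshd: failed password for admin from 203.0.113.5
2023-03-01T08:00:09 fw01 sshd: failed password for admin from 203.0.113.5
2023-03-01T08:00:12 fw01 sshd: accepted password for admin from 203.0.113.5
2023-03-01T08:05:00 office-pc7 winlogon: failed password for jsmith from 192.168.10.23
2023-03-01T08:05:30 office-pc7 winlogon: accepted password for jsmith from 192.168.10.23
2023-03-01T09:00:00 sw01 dhcp: lease 192.168.10.23 renewed
2023-03-01T09:10:00 fileserver smbd: failed password for guest from 198.51.100.7
2023-03-01T12:10:00 fileserver smbd: failed password for guest from 198.51.100.7
2023-03-01T15:10:00 fileserver smbd: failed password for guest from 198.51.100.7
"""

# Assumed line layout: "<ISO timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>failed|accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_events(text):
    """Normalize lines from every host into one time-ordered list of auth events.
    Non-authentication lines (e.g. the DHCP lease) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.search(m["msg"])
        if not a:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "result": a["result"],
            "user": a["user"],
            "ip": a["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for source addresses with `threshold` failed logins inside
    `window` (medium), and for a success from such an address while the burst
    is still inside the window (high). Slow, spread-out failures stay quiet."""
    recent = defaultdict(list)  # ip -> timestamps of failures still in the window
    flagged = set()             # ips already reported, to avoid one alert per extra failure
    alerts = []
    for e in events:
        fails = recent[e["ip"]]
        while fails and e["ts"] - fails[0] > window:   # expire old failures
            fails.pop(0)
        if e["result"] == "failed":
            fails.append(e["ts"])
            if len(fails) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({"severity": "medium", "rule": "repeated_failures",
                               "ip": e["ip"], "host": e["host"],
                               "count": len(fails), "at": e["ts"]})
        elif len(fails) >= threshold:
            alerts.append({"severity": "high", "rule": "success_after_failures",
                           "ip": e["ip"], "host": e["host"],
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS)):
        print(alert)
```

In the constructed sample, the firewall address that fails five times in eight seconds and then succeeds produces a medium alert followed by a high one; the single mistyped password on the workstation and the three guest failures spread over hours produce nothing. That distinction is the value the tip describes: an analyst investigates the two flagged events instead of reading twelve lines from four devices.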
9. Implement robust Content/DNS Filtering, SPAM filtering, and Phish filtering.
Keeping intruders out of your network altogether is your church’s best-case scenario, but that isn’t always easy. Utilizing a system that filters incoming email for known or suspected SPAM or Phishing attempts is a significant first step. Also, limiting your users’ access to harmful or inappropriate content on the Internet is undoubtedly helpful. The UTM firewalls mentioned above can help with that for devices connected to your network. But that still leaves some exposure from staff mobile devices such as laptops, phones, and tablets. Churches should also consider implementing tools that provide content filtering at the device level, regardless of the network to which the device is connecting.
10. Consider a specialized Cyber Insurance policy.
Cyber insurance, also referred to as cyber risk insurance or cyber liability insurance, is a specialized insurance product designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data. These policies are designed to cover specialized losses. As churches increasingly handle sensitive personal and financial data of members, it is prudent for church administrators or officers to consult regularly with their insurance broker or carrier to determine whether the church’s coverage levels are appropriate for their given risk.
Do any of these points resonate with you and the state of your church? Does any of this sound daunting and overwhelming? Enable specializes in helping churches assess their cybersecurity preparedness and implement optimal solutions that are based on your specific needs and mission. Email us at [email protected] for more information about how Enable can help your church!
Originally published on June 2019. Revised March 2023.