In today’s world, the threat of cybercrime is everywhere but by implementing Trust but Verify, this can help keep your data safe. 

Imagine for a moment, though, that you have implemented unique, complex passwords, multi-factor authentication, and anti-phishing services. You can kick back and relax because you have done everything right, right? Oh, how we wish this were so! Unfortunately, protecting your accounts is not enough to mitigate all cybersecurity risks for your church. It is tempting to let your guard down once you have taken multiple proactive steps, but the reality is that you still have to play “defense.” We all must learn to practice healthy skepticism to protect our organizations.

Your account does not have to be directly compromised for you to suffer the consequences of a cybersecurity breach.

Suppose someone you interact with has access to sensitive data such as your personal contact information or payment details. In that case, your information can be at risk if their account is compromised. Regardless of the safeguards you have implemented personally, your vendors, friends, or even co-workers may fall victim to an attack. If they have your data or can be a conduit to your data, you can be in trouble. Therefore, you cannot risk falling into the trap of complacency.

Compromised accounts of people you know are especially dangerous to your organization. Instead of taking instant action from a breached account, attackers watch and wait to impersonate better the account owner. They spy to see who the account owner communicates with, the language they use, the subject matter discussed, and the way they format invoices. This approach is becoming increasingly common.  

We are all naturally less suspicious of people we know, and even less so when the emails they send do not appear suspicious or out of the ordinary. Beyond this, messages from legitimate accounts of people you regularly interact with will not be flagged as suspicious by your anti-phishing protections. Because they know your guard is down in these situations, attackers will try to use the compromised accounts of people you trust to attack you with phishing emails, financial requests, malware, etc.

How do we protect ourselves against these harder-to-detect threats? 

We cannot rely on technology alone to protect our sensitive information from being compromised. It requires adopting the Trust but Verify habit.

Trust but Verify means that even if the requesting person seems completely trustworthy, you should verify the legitimacy of their request before taking any solicited action. Here are some helpful guidelines to Trust but Verify:

1. Never update payment details or disclose confidential information based solely on email requests. Instead, verify by calling a phone number you already have on file for your contact. (Do not simply reply to the email or use the phone number provided within the email to verify the legitimacy of suspicious requests. If an attacker has compromised the account, these communications will likely go to the attacker instead of your contact.)
2. Trust but verify that your vendors take cybersecurity as seriously as you do. Choose to work with organizations that confirm they follow best practices, such as using strong passwords, enabling two-factor authentication, and keeping software up-to-date.
3. Trust but verify the status of your financial accounts and online presence. Even when you do not suspect you have been attacked or compromised, regularly look for suspicious activity, such as unauthorized transactions or malicious content.

Implementing the Trust but Verify framework into your daily tasks will help keep your personal data and information less at risk of being compromised. If you have any questions about cybersecurity, don’t hesitate to get in touch with us at info@enable.email

Written by: Melody Parlett, Managing Director, Enable Ministry Partners