Cyber security solutions for churches are becoming a hot topic. Religious organizations, Houses of Worship (HoWs) and missionaries (schools, hospitals, non-profits) often carry the false notion that they are at lower risk of cyber attacks than ordinary businesses because they are not involved in buying and selling commercial goods and services. Contrary to this popular belief, cyber criminals have been regularly targeting churches, Catholic organizations and even the Vatican.
As HoWs become more technologically oriented (live streaming services, online donations, social media etc.), the risks of cyber-attacks are only multiplying. Whether it’s extorting money, stealing valuable data from parishioners, staff, volunteers and donors, or carrying out fraud and reputation damage, there are a number of reasons why cybercriminals can target religious organizations.
According to a Homeland Security report, HoWs are increasingly being targeted for financial exploitation, ransomware and website defacement. The time has come for religious leaders to recognize the imminent risk of cyber threats and adopt cybersecurity best practices to protect their organizations, members and the community at large.
1. Build A Program Based on Risk
Information Security Management Programs (ISMPs) need to be tailored to every organization, because every entity has a different degree of risk and risk tolerance. Since the technology infrastructure and security maturity of every organization is unique, HoWs must first ascertain what is at risk and then establish a set of security policies based on that assessment. The idea is to identify and assess potential risks, and then build an actionable security program of procedures and repeatable processes attuned to the requirements at hand.
2. Take Account of Compliance and Regulation
Depending on what is applicable, it might be a good idea to leverage frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and other security and privacy mandates such as PCI, HIPAA and GLBA. There are state-specific requirements too. For example, if you are based in Massachusetts and have more than 25 employees, Massachusetts security and privacy regulations require you to have an updated firewall, next-generation endpoint security, and encryption for data at rest and data in motion. You are also required to designate somebody as your cybersecurity person and to conduct annual security awareness training.
3. Train Staff on Cyber Security Hygiene
This is by far one of the most important things HoWs must focus on. Making people aware of security risks, training them in cybersecurity hygiene (strong passwords, multi-factor authentication, expected online behaviors), and teaching them to spot and report suspicious activity (such as phishing) can turn staff into an extended arm of the security team. Remember that cybersecurity awareness training does not mean showing videos or conducting a one-time classroom lesson; awareness training must be repeated at periodic intervals using real-world examples, table-top exercises and phishing simulations. HoWs that invest proactively in cybersecurity awareness training are most likely to boost their cyber resilience over time.
4. Have a Vendor Risk Management Program in Place
When you are responsible for your HoW and its data, you are also responsible for all organizations and third-party affiliates with whom you transact and share that data. This is especially true in the context of security and privacy. Third-party data breaches are a common occurrence, so it is vital for HoWs to assess their upstream and downstream risks and ensure that their supply chains take cybersecurity seriously before sensitive data is shared with partners, vendors and suppliers.
5. Invest in the Right Technical Controls
It is important that organizations have the necessary security controls in place, such as Managed Detection and Response (MDR), Endpoint Detection and Response (EDR) or Managed Threat Response (MTR), next-generation firewalls, intrusion prevention systems, multi-factor authentication (MFA), encryption, and email and web content filtering. Maintain both online and offline data backups to avoid loss of critical information during an incident. Keep all software, web browsers and operating systems up to date so that cyber criminals cannot take advantage of known vulnerabilities. Use security software to scan external devices such as USB sticks and hard drives.
6. Conduct Vulnerability Tests Regularly
Get a security professional to perform a network penetration test and a thorough vulnerability assessment at least once a year. All major regulations and compliance frameworks require organizations to do this. Pentest your internal and external infrastructure, firewall rules, wireless configurations and applications. This process helps identify and close security gaps and vulnerabilities proactively.
7. Obtain Cyber Insurance if Possible
A cyber attack can cost an organization dearly. Cyber insurance helps offset some of the costs and aids in faster recovery. That said, cyber premiums are skyrocketing, and insurers require that certain security controls (for example, MFA) are in place before a cyber insurance policy is underwritten. General Liability and Professional Liability policies do not address cyber exposure, so it is important that HoWs consult their insurance brokers to obtain coverage for cyber risks.
Having the right cyber security solutions for churches is critical to your success. Both Data Integrity and Towerwall have decades of security experience and can help faith-based organizations establish the right controls and repeatable processes to safeguard against cyber incidents. From risk assessments to penetration testing, from stakeholder management to keeping everything compliant, from program development to incident response, and from technology selection to security awareness, Towerwall and Data Integrity services are tailored to your needs and can help achieve the desired security outcomes.