Cybersecurity Basics for Churches

At first glance, churches might seem like unlikely targets for cybercrime. After all, why target churches or nonprofit organizations when there’s more money to make by exploiting the vulnerabilities of wealthier corporations?

Yet churches have a great deal of personal information about their members, including giving information and sometimes very private notes and information about pastoral care. With the rise of easier-to-use tools and specialized artificial intelligence agents, the skill level needed to execute sophisticated cyberattacks has dropped substantially in the last several years. Simply put, more attackers are using better tools to carry out these attacks, and churches aren’t immune to them. Fortunately, there are a few easy things you can do to help protect your church’s data and the privacy of God’s people.

Covering the Basics 

We’ll start from the assumption that you’re doing the basics, meaning you have a good firewall/router in place, have a standard antivirus solution on every computer on the network, and are keeping up with software updates on a regular basis. None of those things are particularly difficult today, nor especially expensive. Your local computer geek probably has some solid recommendations for the antivirus software, and the core operating system updates are, frankly, just a matter of insisting on weekly reboots of all machines on the network. Chances are your internet provider set up a basic firewall/router combination. While the basic settings are usually pretty solid, a more custom configuration for maximum protection is best left to a trained network analyst.

What’s Left? 

So what’s a church to do to help itself once the basics are covered? The single most hackable piece of any computer system is, unfortunately, the people. This has been true for years, and it’s the hardest part of the system to properly secure. Most cyberattacks start with individual users, and the attacks are growing more sophisticated with time. We’ll take a look at a couple of different attack vectors that target naïve or inattentive users and how they can mark the beginning of an attacker’s work to compromise your data. 

Social Engineering 

While most of us think of hackers as shady characters in dark rooms working by the light of their terminals, the truth is that many hackers are genuinely charismatic people who specialize in manipulating users to reveal information they shouldn’t. Take, for example, the technician who calls from your internet provider and needs to take a look at your connection equipment. While this could very well be a legitimate request, it’s also a common vector for gaining physical access to your network, or, at minimum, information about the structure of your organization/network. Let’s consider several possible outcomes: 

• The user allows the tech to schedule an on-site visit and access the equipment directly without supervision, or with supervision that doesn’t understand threats from normal updates and operation. This is your worst-case scenario. Ideally, on-site visits should be scheduled with the network administrator and closely monitored to ensure the work being done is within the scope of the visit. 

• The user tells the technician that he or she will have to schedule with the network admin and gives him or her contact information to reach out directly. This is better, but it still gives away a key advantage to the bad guys; they now know who your network admin is, and the next phishing email (more on those in a moment) will no doubt use their name and contact information to make it seem more genuine. 

• The user takes down contact information for the technician and passes that direction to the network admin, who vets the credentials with the company to ensure this is legitimate work and to schedule time to supervise the implementation. This is ideal. We don’t want to go without updates, but we also want to ensure that the people we’re giving access to have been properly vetted and are adequately supervised as they work.

Phishing 

Chances are you’ve at least heard the term phishing at some point in recent years. Phishing is when an attacker sends an email that pretends to be from a legitimate source to deliver a payload (link or attachment) or to attempt to engage a user in conversation to earn trust and exploit that confidence in time. Most data theft incidents start with some form of phishing. Phishing attacks used to be easy to spot, as they’d often have mistakes in the template or layout of the email, but the advances in the tools available to even the least-skilled hackers have made those flaws harder to spot. So what can you look for? 

• An unexpected email that demands urgent action, often with dire consequences and a timetable, is a likely suspect for being a phishing attempt. Examples in the wild include threats of account suspension, fraud warnings for fake Amazon orders, or even urgent warnings from your system administrator (information they got from your website or via social engineering).
  

• A reply to an email that doesn’t match the purported sender. The sender’s emails are often spoofed, but they will include a reply-to that allows the hacker to convince the target that the sender is real if he or she replies. Watch out for lookalike domains, such as googl.com, googlemail.com, or microsoftofficeManagement.somehackersdomain.com. If you don’t recognize the domain, do not click the link or open any attachments. Instead, follow up with the company directly to verify the email before taking any action.

• Do not click on any links in any emails. The attacks are becoming more sophisticated. Often, simply looking at a link address is no longer enough to enable even skilled users to know what’s safe and what isn’t. Take these two examples: 

• • https://www.concordiatechnology.org/ 

• • https://www.cοncοrdiаtechnοlοgy.org/

Visually, these are indistinguishable, but the second link uses a combination of Greek and Cyrillic characters that look identical to our standard alphabet but lead to dramatically different places. (The second one doesn’t lead anywhere right now, but it’s a great example of how even trained folks can’t  tell the difference anymore.) 

So what’s a church office to do? The safest policy is to simply not click links or open attachments in emails unless you expressly know they are coming and trust the source (and the source’s security practices!). Some cybersecurity training firms will even send your users test phishing emails to help train them to spot these sorts of attacks and instill a culture of security first. 

Ultimately, your end users are your greatest vulnerability in network security. But with some training and vigilance, they can become the best defense against attackers who would seek to compromise your congregation’s data. 

To be notified of helpful blogs like this, subscribe to the CTS blog Technology and Your Ministry.