Cybersecurity breaches continue to mount, and the church is far from immune. In fact, sloppy and unmonitored systems, lack of policies and protocols, and failures to follow specific rules and government regulations can leave churches vulnerable and easy targets for cybercrime. These risks not only jeopardize sensitive data and threaten business continuity for churches, but they also can create financial and legal liabilities.
To help churches better understand the issues involved in cybersecurity and cyberliability, Church Law & Tax Report hosted a forum with three experts: Nathan Adams, attorney and advisor at large for Church Law & Tax; Nick Nicholaou, president of MBS Inc., a team of IT strategists serving ministries, author of Church IT: Using Information Technology for the Mission of the Church, and an advisor at large for Church Law & Tax; and Lisa Traina, partner at Traina & Associates, a CapinCrouse company that focuses on data security and risk management.
How would you define cybersecurity and cyberliability?
Traina: In the short version, cybersecurity is the steps taken or measures and controls implemented to reduce the risk and impact of cyber issues—primarily things happening over the internet. And cyberliability would be the potential financial and legal impact of having poor cybersecurity practices in place.
Nicholaou: The only thing I would add is that liability is not only tied to not having good practices in place, but also to not following good practices.
When it comes to the issue of cybersecurity, what are you seeing in companies and churches?
Traina: One trend I've seen is that more and more organizations are starting to realize that cybersecurity is a big problem, and it's not just the concern of the IT department. It's something that management and boards and the highest levels in an organization need to concern themselves with.
It's a good trend, but I believe that churches specifically are not keeping up with this trend. They don't yet have that understanding, and it may be for a variety of reasons. Some of the smaller churches may not have the staff needed to even consider these issues or they just don't have access to the information they need. I think a lot of churches rely on a third-party IT provider. This might give a level of comfort that may not be warranted.
Nicholaou: More often than not, churches prefer to not have written policies. Even in large churches, where they might already have many policies, there is often a corporate culture related to IT policies, where people even brag about ways they've gotten around IT's policies. It is unfortunate because it puts a church at risk.
Along with that, many people who oversee a church's IT are overly restrictive in what they allow users to do. Rather than seeing the users of the network as their customers and trying to make sure they can do everything they might need to in as appropriate a manner as possible, they put up roadblocks that don't necessarily need to be there. There are many roadblocks that do need to be there, but if there are too many restrictions, the staff of the church doesn't understand why "no really does mean no" on a small number of issues.
What is an example?
Nicholaou: Consider the ability for you to install software—which means you have local admin rights. Whereas if you didn't have local admin rights, and you tried to install software on your computer, you would have to contact your network administrator. Here's another example: If somebody brings in a document on a flash drive, they will probably have to submit a ticket or work order if they don't have local admin rights that would allow the user to install the driver necessary to access the flash drive.
Keep in mind that local admin rights is different from network admin rights. You can give employees administrative rights over their local machines, but not administrative rights over the network.
Whenever you open up a vulnerability like that—giving users the right to install software on their computers—you always have to weigh the risks. Consider the pluses and minuses. If you're going to increase a vulnerability, you need a strategy that brings the risk back down.
I am an advocate for giving users local admin authority. Now, if somebody is just bent on proving that they should not have that authority, they can be denied local admin rights. Given the thousands of client computers I'm responsible for, we probably have, at most, two incidents a year where somebody has abused their local admin authority.
Traina: I couldn't disagree more about giving local admin authority to users. Doing so simply increases the church's vulnerability to malware. I think limiting who has admin rights is a critical control, because anything you can do to limit the risk of getting ransomware or malware installed on a computer is something you should do. I think limiting admin rights is a key control for churches.
Nicholaou: I have a different perspective. I've got an unusual role because of the clients we serve—all within the church and Christian ministry community. And we do what we can to try and keep users happy and undistracted, keep them at their tasks so they're as efficient as possible, while protecting them and their organizations as much as possible. And the additional risks can be mitigated.
What are some of the biggest cybersecurity issues and challenges churches are facing?
Nicholaou: The biggest risk that we're seeing now is impersonation scams. Because churches and ministries are very open and welcoming communities, they've published on their websites everything somebody needs to build an impersonation scam. They give pictures, emails, bios, staff responsibilities—all sorts of stuff.
Churches give all the information somebody needs to try to impersonate—let's say the pastor—and send an email to accounting saying, "Hey, I need you to wire $20,000 to an account right away. It's urgent."
The only way I know to defend that is to set and enforce a policy that says, "We never respond to any of those emails or voicemails." It's got to be a face-to-face communication or a live telephone communication where you recognize the voice.
The thing that's closely related to this scam is where somebody will post a transaction through online giving for $400,000 and contact the church before it has a chance to bounce from whatever account they were using, and they will say, "You know, I meant to hit the decimal, but I didn't do it. Will you please issue a refund for all but $4,000 of that?"
For additional insights on donor scams read “What to Know About a New Donor Scam.”
What is a key indication of an unsafe cybersecurity culture in a church?
Traina: An indication the culture may not be where it needs to be is when you ask church leaders a question about cybersecurity and you get directed straight to the IT person, whether it's the support vendor or an internal person. It's a problem if the leaders can't at least have a basic conversation about security.
And the reverse of that is true. When you ask the senior or executive pastor about cybersecurity and they can talk, at least generally, about how the church is handling risks, that's an indication that they might be further down the road than others.
What are other cybersecurity challenges or vulnerabilities found in churches?
Traina: Lack of vulnerability scanning. By this I mean the automated process by which the systems are scanned to see which updates are missing and where there are vulnerabilities that the hackers could exploit. It's generally nonexistent in many organizations. Other vulnerabilities are using a remote access that's not secure; lack of, or out-of-date, antivirus software; and a failure to update or patch systems. At some point, we also need to address multifactor authentication, where there's an extra means of identifying someone other than just through username and password.
So that's sort of a quick hit list I have.
Adams: My law firm handles some of the country's largest data breaches. Typically, the ones that affect corporations today are fairly sophisticated. The ones that affect religious institutions are not ordinarily those, but some of the most avoidable types of data incidents or breaches. The most common involve losing a laptop, smartphone, or tablet that has confidential information on it about donors. Such breaches are easily preventable. Phishing attacks are also a common cause of breaches in the religious community.
Often times, data breaches are not so much the result of a hacker breaking code, as someone failing to change a factory passcode or some other obvious way that a person could gain access to the system.
According to statistics, the median number of days it takes to discover a breach from compromise to discovery is 146 days. The way these cyberattacks typically occur is that hackers establish a foothold, then root around in the system, elevate privileges, and eventually get to the data that they are really pursuing. This "mining" process typically is long term. I have not seen it too much in the religious world, but that's certainly the next frontier where churches are going to have to be concerned.
Nicholaou: I think Nate's accurate there. Churches have extremely valuable data. If you search for various types of data on the dark web, you'll find the kind of information that's readily and easily available in a church management database.
Think about it. You've got not only demographic information, you've got children's information, often including their schools, their birth dates, and information about their families—that's a pedophile's dream.
You also have contribution information. You probably have some Social Security numbers in there for your employees and for your vendors. There's a lot of valuable information that's ripe for attack. And we're thankful and lucky that it usually goes unnoticed.
Traina: For many of the risks that have been mentioned, I would again stress the importance of multifactor authentication.
You did mention this earlier. What is that?
Traina: It's a security "tool" that helps to verify the user's identity. Let's say I'm attempting to log in to a certain system—whether it's email, my donor management system, or whatever—and it doesn't recognize the device I'm logging in from. It will keep me from logging in until I have validated that I am the right user. I will possibly be asked for a code—sometimes called a "virtual token" or a "soft token."
Or sometimes a user will be asked a question, right? Like, "Who was your best friend in elementary school?" or "What was your mother's maiden name?"
Traina: Yes, that's the idea. But security systems are moving away from questions. Users now need to respond to a more sophisticated version of those secret questions. If you do banking online, the first time you log in, a code will be sent to your smart phone. Such authentication can also include the use of a fingerprint swipe or responding to a prompt in an installed security app.
Nicholaou: Lisa, I'd like to push back a bit—and do so cautiously—on multifactor authentication. It's also referred to as two-factor authentication. In my 30 years of working with churches, I know the computer users we support at churches pretty well, and I would say that a very high percentage of them would not have the patience for this kind of authentication. So, what I do is talk to church IT people about the value of multifactor authentication, and that it needs to be considered, but I also believe we need to ask, "What are your users willing to do? What will they tolerate?"
Go back to what I said earlier. Some churches—even megachurches and multisite churches—have a corporate culture of sharing how they figured out how to get around IT policies and procedures. They just don't like them. We can educate users and try to move them forward, but there are many who, especially in the younger age group, just don't agree that we need to be protective of our data. They're wrong, but they have influence among each other, and that's why trying to implement a multifactor authentication is problematic.
There is no effort to ensure that it meets the needs of the organization and nobody is trained on it. So it sits on the shelf. That's the worst kind of policy because it sets the negligence standard when it is not followed and a lawsuit ensues.
Adams: The reality is, there are many policies that churches have that they don't follow. The tendency is to find a policy that somebody else has or that somebody recommends and to adopt it in its entirety. There is no tailoring or internalization of the policy.
For IT policies to work, someone needs to ensure that they address the particular risks of that organization, oversee their implementation, and train staff. This needs to be someone with authority who understands the church's culture and can be realistic about what staff will and will not do.
Nicholaou: You're right. The challenge is to grab the attention of a church's top leaders and get them to say, "We know we need this IT policy. We will give it full buy-in and support." Often times, however, those top leaders are among the people not following policies.
Traina: I agree the worst policy is one that's not followed, and I think we're all on the same page there. I also think that the churches need to have their own system of controls that work for them. I think we would all agree on that, too.
But I must insist on the idea of multifactor authentication. I believe it is one of the single best things that could and should be done by every organization. It's not that difficult. With the rise of email being hijacked—and the example about the "pastor" saying you've got to send out the $20,000 today—you just eliminate the risk of a criminal using a compromised password.
Multifactor authentication is critical for securing your computers. There's a menu of things needed for cybersecurity. You've got to have every system updated. You've got to have good antivirus software on every system. And you also need multifactor authentication—it's just one of the items needed on a cybersecurity menu. Even if computer users push back, it's our responsibility as the professionals in the industry to educate them on why it's so important. Because we had that same pushback, say, 10 years ago in the banking community. And now they realize, "Oh, this is just part of doing business." And that's why you've got to bring the churches along.
Nick, you're still not convinced of the effectiveness of multifactor authentication?
Nicholaou: I am convinced that it's very effective and appropriate. The problem is going to be that some users in our church communities don't have the patience to make use of it. I still run into users who resist putting a password on their system, and I always tell them, "Well, we're going to make it so that you don't have a choice." Now, if I try to get them to do two things they disagree with, they're probably going to simply walk away.
Traina: Well, you need to just let them walk away then.
Nicholaou: I'm not saying it's not good. I'm just saying that depending on the people who are in an organization, it might be tough to implement. But if we're wanting to put forth best practices, then multifactor authentication is a best practice. Absolutely.
What are the potential short-term and long-term consequences of a major breach due to the vulnerabilities we just discussed?
Adams: In the event of a data incident or breach, a church should consult state and federal law to determine what is required. There's not much applicable to churches under federal law, but all states now have data notification and data privacy laws. For example, a church may have an obligation to notify the attorney general in all of the states where those impacted reside, as well as an obligation to notify those who are impacted. The notification requirement often depends on whether or not a threshold number of individuals are impacted. In Florida, for example, notification is required with breaches of 500 or more.
Many churches would not meet the threshold, but for those that do or for those that believe they have a moral obligation to notify victims, it can be a major task. Typically, name and address databases are outdated and only partially accurate. A church will probably need to bring in outside professionals to help identify the current addresses of all those persons affected by the breach.
For breaches that meet the threshold, a standard requirement under most state laws is that the organization impacted provide some sort of remediation to affected individuals. Affected organizations do not just send an apology to those individuals, but a letter that includes an identification code that will enable them to access free-of-charge credit monitoring and other services.
The attorney general notification usually has to be handled by counsel. So a church will typically need to retain an attorney in the event of a data breach. A church will also need digital forensic services to help identify the source of the problem so that the church can resolve it and assure the government regulators that it has done so.
To minimize reputational harm, large organizations such as megachurches typically will also want to retain a marketing or public relations team that interacts with the legal team and the forensic consultants. Altogether, the response can be costly. And, of course, cost varies with the number of individuals and records impacted. The per-record average cost of a data breach in the United States was $141 in 2017. That's an average across a number of industries. I suspect that the number would be less for churches. Even so, there's a lot of cost.
Even if your church doesn't meet the threshold reporting requirement, some will wrestle with moral or theological reasons whether to take notification steps. Churches that experience a data breach will also need to consider the threat of lawsuits, including class actions from the individuals negatively impacted by the data breach.
Traina: Another consequence is that people could lose their jobs. So, it's critical that the executive pastors and everybody get on board with the need for strong cybersecurity measures. If there is a breach, and it's determined that certain leaders weren't doing what they should to protect the church's data, they could be held responsible. You certainly don't want that occurring in your church.
Adams: And you can never underestimate the harm to the reputation of an organization. Consider the number of companies that have gone through this, then experienced significant economic downturns because of the impact of a data breach. And it's going to be true for a church as well.
Nicholaou: One of the biggest costs is the loss of trust. Think about how long it would take to rebuild that trust and how that affects the church going forward. But just looking at the monetary costs alone, it's wise for a church to have cyber insurance included in their insurance policy. It's not very expensive, and hopefully a church would never need it. But it makes good sense.
Would that be a part of a normal liability policy? Or would that be a special policy?
Nicholaou: It would probably depend on the underwriter, but I think it's something they could add to their liability.
Adams: Until now, cyber insurance has been relatively inexpensive and readily available. But as claims have multiplied, the policies have become more nuanced and the cost for meaningful coverage has increased. So churches have to be very careful when purchasing a policy.
There are some excellent cyber insurance policies, but they vary widely in scope. For example, vendors such as CPA firms, law firms, and network security providers are not always covered. If your church retains such a vendor, and that vendor is responsible for a data breach that proves costly, does your church have coverage?
Breaches caused by employees or insiders are sometimes excluded. Fines and penalties imposed by public agencies are sometimes excluded. The policies that are worth the most are a little more expensive, and they typically require a minimum compliance regime. The insurer will want to be confident that the insured is responsible with data.
Traina: When it comes to coverage, that's what I'm starting to see as well. In the past, you just paid your money and got a policy. Now, the questions the insurer asks are more in-depth, so I'm glad you made that point.
For additional insights on cyber insurance, read “The Growing Need for Cyberliability Insurance.”
Is the threat of cyber breaches most often from insiders or outsiders?
Nicholaou: I don't know if you can say most often. It's just both.
Traina: I would say the scales tip toward external breaches, which people inside might be contributing to because of ignorance or poor decisions. But I think nowadays, in general, the breaches we are seeing are far more from the outside than a number of years ago.
Adams: Phishing is a material threat to churches from outsiders. As for internal threats, we have to mention disgruntled employees who download information to use against other employees or the entire church. That is a pretty common internal problem.
Nicholaou: Internal problems are compounded by the fact that most churches don't have good security policies or practices. But to add to Nate's example about disgruntled employees, too many employees know the passwords of fellow employees. If I work for a church and I'm terminated, I could be sitting at home thinking about what my next steps are for getting even. I might log in through the remote desktop or remote access appliance and use other people's passwords to gain access to anything I want.
What mistakes do church employees make repeatedly that create security risk?
Nicholaou: Again, sharing passwords.
Traina: I agree with Nick. And another mistake is to simply trust vendors. You've got to ask your support vendor a lot of questions related to the issues we've been discussing. Unless it's Nick!
Nicholaou: You should even ask me and my firm a lot of questions! Here is an example of an issue related to a vendor. My firm got hired by a large church after it fired its previous IT firm. The previous firm had copied the data from the church's management software database and sold it to interested parties for marketing purposes. This is just one example of a vendor misusing a church's data. You need to be able to trust your IT vendors because they have access to a lot of sensitive data. They need to be vetted.
Again, as you said earlier, people can be very trusting, right?
Nicholaou: Here's a good example of this: To test other church's security, someone I'm aware of would just show up, walk past the receptionist, go to the unlocked server room, shut off the server, and carry it out. Then on those occasions when he was challenged, he would say, "It's going in for service," and keep on walking. Churches are pretty vulnerable. Most people don't understand a lot beyond their own role, and just assume that everybody is doing the right stuff.
I'd like to circle back to the issue of phishing. Last year it seemed there was an increase in churches being targeted by the phishing scams. From what you've observed, are churches taking good, effective action or is it still a major problem?
Traina: I think it's still a major problem.
Nicholaou: I think so too. I'd also tie that with the impersonation scam that I talked about earlier. A cybersecurity company called KnowBe4 offers email user testing and training. A church can set up a bogus email campaign to their users with KnowBe4's tools, and they look like they're legitimate emails. Everyone on staff receives various emails with links they can click on. KnowBe4 generates reports to show how often staff members clicked on the links, often showing a click rate of 80 percent or more! Those who click the links are enrolled in short video training, and that lowers the click rate dramatically.
Traina: My organization does this kind of testing as well, where we send out the phishing campaigns on a quarterly basis or whatever the client wants. The click rate is alarmingly high. So when we talk about prevention measures, two things are really important. Training and then testing, because it's with those phishing tests that you identify just how at risk your church is. The testing is not terribly expensive, and it can be rolled into training or reemphasize the need for training. Churches and other organizations that do testing and training lower their click rate. I know that from our work.
Nicholaou: Lisa, I'm guessing your reports would identify the employees who are clicking so you could even do target training for them?
Traina: Yes. And we've even had employers who would get creative and have a pizza party for you or let you wear blue jeans to work if you didn't click—just all kinds of things to reward those who didn't click and make the point to those who did.
As mentioned in Nick's Church IT, regular backups is a way to protect the system. Can you explain what that means?
Nicholaou: Backup is a fallback protection. It's not preventive. It's a recovery protection. In my mind, it comes under the category of disaster recovery. And so you've got a copy of all of your data and you can restore any of what you need. You've got a backup of all your servers and you can replace them within moments based on the backup. We recommend churches and ministries keep at least a month's worth of full backups.
Are churches careful when it comes to backing up?
Nicholaou: Not always. A few years ago, I took a call from a client. She said, "We got hit by ransomware and we need your help." I told her I was surprised that happened because I knew they had three layers of protection. They had a firewall, anti-malware on the servers, and anti-malware at their desktops and notebooks. She said they had decided not to renew their subscription to these services a couple of years ago. What that meant was the anti-malware and the firewall no longer had the ability to recognize new threats.
I said, "Okay that's easily resolved. As far as the ransomware goes, all we have to do is restore the backup from before the night you guys got hit." And there was silence again. I said, "You've got a backup right?" And apparently the backup had not been working properly for years. So, they had no backup. The result was they lost a lot of data.
For additional insights on malware, read “New Malware Attacks Routers: What Churches Should Do.”
What about password strategies?
Traina: People have too many passwords these days, and they can't remember them, and that leads to people writing them down, which I used to think was a terrible idea. But now when I see people typing them into a little note in their phone that's not secure, I'd rather have them go back to writing them on paper. There's probably a better chance of them losing their phone than losing the piece of paper they wrote them down on.
Really, I think it comes down to something Nick mentioned earlier: layers of control. And, as I said early on, I think an essential layer of control would be multifactor authentication. Yes, have a strong password, but back it up with authentication.
Nicholaou: We've been seeing for years that forcing folks to periodically change their passwords actually lowers security. I do want to point out that security is greatly increased when passwords can only be set by the IT department and are maintained in an encrypted file for reference. With this security approach in place, if someone accidentally shares a password, they must go through IT to get a new one. If they don't share their passwords, I would let them keep that password as long as they want—if it's a good, strong one. And that is contrary to IT experts who say, "You've got to change your password every 90 days." The Federal Trade Commission published on its blog a couple of years ago that it had, based on studies, come to the conclusion that it was time to rethink mandatory password changes. Like my organization's current thinking, the commission now takes the position that forcing people to change their passwords periodically actually lowers security.
What about OnePassword and other services that basically set a unique password for a user across all of the user's password-protected activities?
Nicholaou: I shy away from those who maintain your passwords on their server. Doing so makes them a bigger target to hackers. I prefer digital wallets that synchronize across a user's various devices, such as computer, tablet, smartphone. That keeps the encrypted data local on those devices. It's another layer of protection I call security by obscurity.
What recommendations would you have for firewall protection?
Nicholaou: You've got to have a firewall. The firewall sits between the internet and everything else on your system. So nothing can get to the internet, and nothing can come in from the internet unless it goes through your firewall. That's one of your first lines of defense. There are a lot of good firewalls out there, but I recommend SonicWALL as the best solution for most churches and ministries. You can buy better and more-expensive firewalls, but we don't see churches taking advantage of the extra features that come in the better firewalls. And SonicWALL is adequate for doing what is needed for most churches and ministries.
Traina: I tend to agree with Nick about SonicWALL. A church needs a firewall, and it certainly needs to be robust enough, and SonicWALL has good products at a reasonable price.
Before we close, what other cautions, concerns, or recommendations would you like to cover?
Traina: Church leaders haven't done much planning for what they would do if they have an issue. They should have conversations about how they would respond and who they would need to contact if there ever was a breach or another problem. They should do their homework ahead of time, so that they're not under the gun if something does happen.
Adams: Don't gather what you don't need. A lot of churches are still gathering sensitive information such as Social Security numbers and dates of birth. Churches that don't have this information don't have to worry about it.
Nicholaou: I recommend churches do a cybersecurity risk assessment to identify the weaknesses that exist and that can be reasonably improved. "Knowing" lets a church do adequate risk management in an area that is very vulnerable.
Traina: Again, have ongoing conversations. Make sure you raise the level of awareness and understand that there are big risks when it comes to cybersecurity and cyberliability—and not just something to be delegated to IT. I think that's probably one of the best things to do. Keep having conversations and keep learning more.
For additional insights on protecting your church, read “Best Practices for Avoiding Cyberliability Problems.”