With many churches now relying upon technology and online platforms to share and store information about the church, the risk of churches being targeted by hackers is a growing threat. In fact, failing to take action to prevent hacking or other cybersecurity breaches is a serious oversight for churches that could result in cyberliability claims in the event that the church is targeted by hackers.
“I think any time you have a church that stores information electronically, whether it’s employee information or the information of members of the congregation, there’s exposure for some cyberliability claims or cyberliability types of events,” explains Joshua Lederman, an attorney with Brotherhood Mutual Insurance Company.
Churches and cybersecurity awareness
Being informed and prepared in the event that the church is targeted by hackers is often not a primary focus of the church.
Lederman points out a startling trend: churches are likely not as informed about cybersecurity threats as are other organizations. “I think across the board there’s less awareness in the church realm,” Lederman says.
That lack of preparedness could make churches more vulnerable to cybersecurity threats.
“That alone could potentially make churches more of a target,” Lederman points out.
Failing to consider the seriousness of cybersecurity threats is something churches cannot afford to do if they want to avoid potential liability issues.
“The church can certainly be liable in the situation where there’s a hacking event if they didn’t take the necessary steps to protect the information or if they have information stored incorrectly,” Lederman explains. “There’s a very real risk of liability for churches because the organization that controls the information is certainly the primary organization or entity that would likely be liable.”
It is important that churches understand what hacking is and who potential hackers targeting the church could be.
Nick Nicholaou, president of Ministry Business Services (MBS, Inc.), offers a broad definition: “Hacking is an unauthorized intruder getting into your system. What they do once they get in could be anything.” Nicholaou points out that hacking can come from sources both with and without a connection to the church. Many people view hackers as highly tech-savvy criminals. But Nicholaou’s definition gives the “hacker” label to anyone who gains unauthorized access, whether a stranger, former church employee, or a volunteer.
Protecting against security risks
One way Nicholaou says churches can protect against potential cybersecurity threats is by not allowing password sharing. “In most churches, a lot of people share their passwords, which is not good,” Nicholaou warns.
Nicholaou offers other practical steps that churches can take to ensure that they are protecting themselves from hackers.
At the top of the list: “they’ve got to have an appropriate firewall,” Nicholaou explains. “[A] firewall is a device or software solution that goes between [a church’s] internet connection and the rest of their network. A firewall stops intruders, and it also stops website embedded malware code.”
When implementing a firewall, a church should consider whether its firewall is protecting it from innovative hacking threats. “The better firewalls will have the ability to constantly update themselves as new hacking strategies surface,” Nicholaou explains.
Beyond installing a network firewall to protect against intruders, churches can also take steps to eliminate spam that might infiltrate email.
“The second strategy is to have a good spam firewall,” Nicholaou states. “That’s different than the network firewall. So the spam firewall is the thing that catches all the spam or nearly all of the spam before it ever gets to your inbox.”
A third step Nicholaou says churches can take to increase their cybersecurity is to install anti-malware on their computers.
Social media and cybersecurity
When using social media, churches should be aware of security risks that exist and should take steps to ensure that shared information isn’t positioning them as a potential target for security breaches.
“As a church, be cautious what kinds of personal data is being shared in your social media stream. And that has to do with prayer requests, or people going on vacation, or anything like that, because both open people up to threats,” Nicholaou warns. “I think churches need to be diligent to review what happens in their social media streams and to shut down anything that might put people at risk.”
Church websites and security
Church websites are also susceptible to hacking activities, but by taking steps to secure these areas, churches can protect information or data stored or processed on a website.
“If they’re allowing financial transactions [on a website], whether it’s contributions to or even registration, or something like that, then they need to make sure that whoever the vendor is that is processing those things, they’re doing their due diligence to protect that data,” Nicholaou points out.
Beyond investing in software to prevent hackers from infecting networks, churches can look to trained IT professionals for support when protecting their system from hackers. “I think having some in-house expertise would be a prudent step for churches to take,” Lederman said.
If bringing an IT professional onboard to help with reducing risks is not possible, Lederman recommends that the church contact its insurance company.
In addition to having a trained IT specialist on staff and investing in software to protect against hackers and other cybersecurity risks, churches should consider investing in cyberliability insurance, which can save a church money in the long run if it is targeted.
Lederman breaks down the expenses this way:
A lot of experts will tell you . . . the biggest expense when there is a breach is not necessarily the dollar amount of indemnifying someone for financial damages, although that’s a possibility. A lot of the expense comes in when there’s mailings, notifications you have to send notifying people that are affected by the breach, setting up credit monitoring services. Things like that are not necessarily direct damages to the person affected, but they’re expenses the ministry or the organization that incurred the breach would have to pay . . . to rectify the breach.
When churches consider investing in cyberliability insurance, there are several things they should keep in mind.
“Churches should make sure that any of their cyberliability policies have coverage for data breach, rectification, or remediation expenses,” Lederman points out.
While churches can purchase cyberliability insurance for the church, they should not see insurance coverage as the only step they should take to protect against liability claims.
Lederman offers insight on how churches can take action to avoid liability claims: “From a liability standpoint . . . the best way to avoid this type of claim is the risk management on the front end—trying to take steps they need to protect information, to store information appropriately, to have firewalls and different steps practically speaking that would avoid a claim.”
By taking steps to ensure that information and data are properly protected from hackers, churches can make sure that their ministry continues to function well without the risks and liability associated with data breaches or hacking events.