Page 6 - PC_Fall2020

Cybersecurity Best Practices for Churches
FALL 2020
By Canadian Ministries
You have probably noticed that there is a lot of news about cyberthreats and cyberattacks lately. We hear about these attacks affecting banks, hospitals, stores and government systems. But did you know that congregations are also at risk?
Many congregations mistakenly believe that they are not at risk when, in fact, cyberattacks are a threat to anyone who uses a computer that is connected to the Internet. Organizations and businesses that retain people’s personal and sensitive information need to be particularly vigilant against cybercrime.
When you stop to think about it, congregations often hold a great deal of data that is highly vulnerable to cybercrimes, which include Internet and email fraud. Congregations may possess or have access to commonly targeted data, including personally identifiable information from congregation members and staff, donation information (donor records, credit card and banking information), financial records (church banking information) and security data.
Congregations are responsible for maintaining the safety and integrity of the data stored on their computers with the same standard of care and confidentiality applied to paper records. Paper records need to be kept under lock and key and away from prying eyes. The same goes for digital records.
There are a few key things you can do to strengthen your congregation’s cybersecurity defences. Cyberthreats are always changing, and therefore require best practices to be updated regularly, but here are some helpful tips to help mitigate the risk.
Raise Awareness
The old saying, “an ounce of prevention is worth a pound of cure” is very true when dealing with the risk of cyberattacks. The first step in prevention should be to make sure that anyone who works with computers or other devices connected to your church’s network is aware of the risk. Whether the congregation is small or large, urban or rural, financially stable or struggling, cybercrime is a real threat. Regularly train and provide information on the latest cybersecurity threats, how the threats are likely to present themselves, and what to do when they are identified.
The Session, working with the Board of Managers (or appropriate equivalent), may choose to appoint someone to be a cybersecurity champion for the congregation. The cybersecurity champion’s responsibilities will include keeping up-to-date about new threats, informing all staff and volunteers about the risks, and helping to put necessary preventative measures in place. If there isn’t anyone in the congregation who could fulfill this role, consider hiring an IT professional to check the congregation’s computer system and train any system users. The costs of doing this training could be shared with another congregation.
Types of Risk
Currently, there are three main types of cyberthreat that are most likely to affect congregations:
Phishing Scams
Sending an email to someone falsely claiming to be a legitimate company or organization in an attempt to scam that person is known as “phishing.” It is an attempt to persuade people to disclose personal information, like usernames, passwords or credit card information. Often, the emails contain a link or attachment that, if clicked on, will open the door to hackers to infect your computer with malware.
These emails take many forms, some of which are not easy to identify as scams because they are designed or created to look like emails from reputable companies or they include personal details that the scammer has somehow found online.
Some common phishing scams include emails that claim to be from Canada Revenue Agency (CRA) or various banking institutions. Another common scam is the prepaid gift cards scam. This is usually an email purporting to come from someone you know, such as your boss, co-worker, friend or family member, asking you to purchase gift cards—most commonly from Google Play, Amazon or Walmart—and then instructing you to scratch and send the codes to the fraudster by email.
Malware
Malware is malicious software installed without a user’s knowledge, typically when a user clicks on a link in a phishing email or visits an infected website. The malware seeks to invade, damage or disable computer systems or networks. It can also invade other devices that are connected to the Internet (e.g., tablets and mobile devices).
Malicious software functions by stealing, encrypting or deleting data, altering or hijacking computer functions, and/or spying on your computer activity without your knowledge or permission.
It is often used to extract money from the computer user. Sometimes, this happens sneakily in incidents where the malware enables cybercriminals to steal passwords or sensitive information that will allow them to gain access to your financial accounts. Other times, it is not sneaky at all; ransomware will announce itself with a message directly to the computer user that informs them that their data has been stolen and that they must pay a certain amount to get it back.
Technical Vulnerabilities
A software vulnerability is a glitch, flaw or weakness present in the software or operating system. Vulnerabilities in the software that your computer or device is using can allow cybercriminals to access your system.
These can exist in any software, including reputable software. Many software vulnerabilities are only discovered after the software has been used by lots of people. When a vulnerability is discovered, the software developer will often release a correction in the form of an update. If an update is available and you do not install it, you are leaving a hole in your software that cybercriminals can use to access your system.
Mitigating the Risk
What can congregations do to mitigate the risk? Cyberthreats are changing regularly so there is no way to ensure that you are 100% protected, but there are several ways to mitigate the risk of cyberattacks.
Email Best Practices
Do not open any suspicious emails. Instead, delete them. If an email claims to be from someone you know but still seems suspicious, contact the person or organization to ask if they sent it before opening it. As well, never give out banking information, passwords or other personal information over email.
Be suspicious of every link in an email. Don’t click on the link in an email unless you were expecting it, even if it is from someone you know.
Instead, directly contact the person, company or organization that the email is purporting to come from and ask if they sent you the email.
Always be wary of emails from financial institutions, Internet service providers and other organizations asking you to provide personal information. If in doubt, call the company directly and ask them to verify the email.
Don’t reply directly to a suspicious email that appears to come from someone you know to verify its authenticity, as the “from” email address might be different from the “reply” email address. Instead, you should create a new email using the email address you have for the person.
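For whoever looks after the congregation's email, the “from” versus “reply” mismatch described above can be checked directly in a message's raw headers. This is an added example, not part of the original article; the function name, verdict labels and sample messages (on reserved .example domains) are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def domain(addr):
    """Return the lowercased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def reply_to_check(raw_message):
    """Compare From and Reply-To; return (from_addr, reply_addrs, verdict)."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addrs = [a.lower() for _, a in
                   getaddresses(msg.get_all("Reply-To", [])) if a]
    if not reply_addrs or all(a == from_addr for a in reply_addrs):
        verdict = "ok"          # replies go back to the visible sender
    elif all(domain(a) == domain(from_addr) for a in reply_addrs):
        verdict = "review"      # different mailbox, same organization
    else:
        verdict = "suspicious"  # replies would leave the sender's domain
    return from_addr, reply_addrs, verdict


# Constructed sample messages (headers plus a one-line body).
SAMPLES = {
    "gift card request": (
        "From: Jane Smith <minister@church.example>\n"
        "Reply-To: jane.smith.office@mailbox.example\n"
        "Subject: Quick favour\n\nCan you pick up some gift cards for me?\n"
    ),
    "office newsletter": (
        "From: Church Office <office@church.example>\n"
        "Reply-To: treasurer@church.example\n"
        "Subject: Givings update\n\nSee the attached summary.\n"
    ),
    "ordinary message": (
        "From: Treasurer <treasurer@church.example>\n"
        "Subject: Meeting minutes\n\nMinutes are attached.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        sender, replies, verdict = reply_to_check(raw)
        print(f"{label}: from={sender} reply-to={replies or '-'} -> {verdict}")
```

A “suspicious” result is a reason to contact the person through an address you already have, as the article advises, rather than proof of fraud.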
Password Best Practices
Change your password regularly and create unique passwords that use a combination of words, numbers, symbols, and both upper- and lowercase letters.
Never use the same password for multiple websites. Each of your passwords should be unique.
Never use automatic login features that save your username and password on the websites you are visiting, and always log out of websites and apps when you are done using them.
Consider using a secure password manager. Reputable password managers, such as LastPass, allow you to save your passwords in one place, meaning that you can make long and complicated passwords without worrying that you won’t be able to remember them. This software will assist you in choosing strong passwords and then encrypt the passwords and store them online in a safe, cloud-based storage system. Be sure to do your research before choosing a password manager. Read the reviews and pay careful attention to the security features of the software.
Security Software Best Practices
A firewall acts as a barrier between your computer and any threat from outside your system. Ensure that the firewall on your computer is turned on and keep it updated. If you do not have a firewall on your computer, install a reputable one.
Also install reputable anti-virus and anti-spyware software and keep it updated. The software will likely run regular scans on its own; just be sure to check that it is working properly and scanning at regular intervals.
It is also important to install an Ad blocker extension on your web browser. While many ads on web-
