How to Prepare Your Church for Cybersecurity Threats

This article was originally published in Church Law & Tax on June 1, 2017. 

A cybersecurity expert shares tips on how your church can avoid getting hacked.

The word “disaster” usually conjures up images of physical destruction: trees knocked over by gale-force winds, homes submerged in flood waters, bullet holes through a door. But last month’s WannaCry virus attack that infected over 230,000 computers in 150 countries was a reminder that the threat of disaster is sitting right on our desktops and in the palm of our hands.

Organizations like churches face additional risks, as all the financial and personal data they have collected and stored could be vulnerable to hackers who are constantly looking for new ways to attack, steal, and expose such information. Protecting this data requires constant vigilance and attention to the growing and evolving field of cybersecurity.

For some expert insight into this particular type of disaster preparedness, I went to my friend John Weathersby, the founder and executive director of the Open Technology Center (OTC). OTC is a nonprofit technology research entity established through support from the Department of Homeland Security and the Department of Defense at Camp Shelby Joint Forces Training Center. OTC was established to facilitate research, development, evaluation, and transfer of open technology resources that support national defense and homeland security objectives. They help agencies and organizations in rural and underserved areas identify and adopt technologies and practices that have been developed and used by federal agencies, the military, and larger agencies around the nation. He shared with me what churches need to be doing now to secure their digital data and prepare for future cyberattacks.

What are the biggest cyberthreats churches might be overlooking?

Everything we do has a cybersecurity component because cyber touches every aspect of our personal and business lives today—even church leadership. We’re all connected through our phones, computers, financial transactions, health and business records. With a little prevention and common sense, you can protect your personal and business information from most of the risks out there today. It’s like hygiene: washing your hands and being mindful of your surroundings may not make you immune to sickness, but it reduces your exposure and risks. If you think you may be getting sick, you go see a doctor. Similar with electronic hygiene: you do what you can on a daily, regular basis, and if something doesn’t feel right, then you seek help from a professional.

How can a church prepare well? What would be the first steps a church should take?

Anyone who collects and manages other people’s personal information—including churches’ personal information—has a higher level of responsibility and must be more proactive in cybersecurity and defense. If a church maintains any type of electronic records regarding their members, we would strongly recommend they be aware of and implement common-sense cybersecurity measures to protect this information.

The most common-sense approach is referred to as the “3P” rule: policy, practice, and people. Here’s how church leaders can apply it to protect their congregations:

1) Policy. Have a cybersecurity policy. Be aware of what and how your church collects, manages, and protects information on your members. It doesn’t need to be a complicated process; in fact, the more simple the policy is, the more likely it is that it will be applied.

2) Practice. Make sure you follow the policy. There is no silver bullet when it comes to cybersecurity or physical security. We say, “Cybersecurity is a process, not a product.” This includes simple things like making sure that patches and security updates have been implemented. If you have filters, make sure they are turned on. If you have old equipment and software systems, consider upgrading—or at least be aware that those systems may be more vulnerable. Most importantly, don’t download or open files or emails that seem suspicious. That’s part of training: to help people be aware of what to look for or how to handle these situations. Simply being aware of threats and scams that are out there can save you a lot of trouble and headache.

3) People. Hire good people and use good people to work with your electronic records—and this might mean investing financially in people who can do the job well. Remember that you are collecting and sharing a lot of important information about your church, as well as information about those who attend it and contribute to it. You wouldn’t turn over your financial records or membership list to someone you didn’t think was competent just to try to save a few dollars, would you? Information is a valuable currency in the internet age, so you’ve got to protect it like you would traditionally protect financial records or other confidential information. That information regarding your membership is most likely what someone would be after if they tried to “hack” your system.

What does the recent WannaCry attack tell us about where we are in the cybersecurity field right now? How can these events inform and shape church responses to preparedness in this area?

The WannaCry cyberattack was, essentially, an extortion shakedown. The people behind the attack gained access through known vulnerabilities in older systems, relying on potential victims to not have conducted simple, practical steps of updating and maintaining their systems. Once inside, the attack spread through shared networks, again based on common mistakes and sloppy oversight. There is really no way to prevent or protect the entire “internet” from such attacks because you’d have to be right every time, and the perpetrator only has to be right once.

But you can protect yourself and your church by following the tips we’ve discussed. As with most crimes, the criminal seeks out the weak and vulnerable. Don’t be afraid, but be aware. Make sure you back up your information on a regular basis.

Be smart, and you’ll avoid most incidents like these. There is a much higher probability that a power surge, natural disaster, or human mistake will cause a system failure than a major hacking scheme.

Dr. Jamie D. Aten is a disaster psychologist and the founder and executive director of the Humanitarian Disaster Institute at Wheaton College in Illinois. His latest books include the Disaster Ministry Handbook and Spiritually Oriented Psychotherapy for Trauma. You can follow Jamie on Twitter at@drjamieaten or visit his website jamieaten.com.