
Since the break-in of Target’s network in 2014, data breaches are skyrocketing. And while most of us know not to accept a gift of money from a Nigerian prince’s widow by sharing our routing numbers, cyberscams have become way more sophisticated.
Many church technical directors are responsible for all of their church’s technology—including IT. Here are eight things you should know if you are in charge of the network:
1. Hackers tend to come in three varieties.
It helps to know why people hack, and there are usually three types:
- Hacktivists – Cyber hackers who are interested in breaching systems to promote a social or political cause. Churches with high political profiles may be a target.
- Nation states – A high percentage of hackers are working for governments to steal IP, commit espionage, create chaos and embezzle money. These can be the most dangerous because of the scale, but chances are your network is not important to them.
- Organized crime – These hackers are focused on making money through fraud and theft. Organized crime doesn’t care what type of business you are in. They just seek out vulnerabilities and use bots to extort money. The automated and prolific nature of the attacks makes this a big threat to everyone on a network.
2. Treat your network data the same way you would treat your finances.
Finances have built-in protections. Why? Because over the years we have developed systems to stop people from embezzling money. But the theft of people’s information is new. Sure, companies are used to protecting intellectual property, but the high value of names, addresses, and other personal data that churches collect and store is a relatively new phenomenon.
Finances have well-developed systems for limited access, controls, supervision and audits. We are only just now developing these systems to protect data.
3. E-mail spoofing has become more targeted.
It is now common for hackers to spoof the e-mail address of a CEO or CFO, impersonating them in a message to accounting, IT or administrative staff that asks for a change in permissions, payment of an invoice or a change to a routing number. Staff identities are usually readily available on an organization’s website.
The spoofs are getting better and better so if a request seems at all unusual, it probably pays to ask.
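One way to catch the pattern described above before it reaches accounting: flag inbound mail whose display name matches a staff member but whose address or Reply-To does not belong to the organization, and escalate when the body asks for a payment or permission change. This is an added example, not from the original article; the roster, domain and messages are constructed.

```python
"""Flag inbound e-mail whose sender display name impersonates a known staff
member. Added example, not from the original article: the roster, domain
and sample messages below are constructed for illustration."""
from email.utils import parseaddr

OUR_DOMAIN = "example-church.org"  # hypothetical organization domain
# Hypothetical roster: the names a spoofer could lift from the public staff page.
STAFF = {
    "jane doe": "jane.doe@example-church.org",
    "sam lee": "sam.lee@example-church.org",
}
# The kinds of requests the article says impersonators make.
RISKY_PHRASES = ("routing number", "pay the invoice", "change permissions", "wire transfer")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_reasons(from_header: str, reply_to: str, body: str) -> list:
    """Return why a message looks like executive impersonation (empty = clean)."""
    reasons = []
    name, addr = parseaddr(from_header)
    expected = STAFF.get(name.strip().lower())
    # 1. Display name is a staff member, but the address is not their real one.
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' but sender is {addr}")
    # 2. From claims our domain while replies are steered to an outside mailbox.
    _, reply_addr = parseaddr(reply_to)
    if reply_addr and domain_of(addr) == OUR_DOMAIN and domain_of(reply_addr) != OUR_DOMAIN:
        reasons.append(f"Reply-To {reply_addr} is outside {OUR_DOMAIN}")
    # 3. A staff identity is claimed and the request is a payment or permission change.
    hits = [p for p in RISKY_PHRASES if p in body.lower()]
    if expected and hits:
        reasons.append("asks for: " + ", ".join(hits))
    return reasons


# Constructed samples: (From header, Reply-To header, body text).
SAMPLES = {
    "spoof_lookalike": ("Jane Doe <jane.doe@example-church-mail.com>", "",
                        "Please update the routing number for our vendor before noon."),
    "spoof_reply_to": ("Jane Doe <jane.doe@example-church.org>", "jane.doe.ceo@mail.example",
                       "Can you pay the invoice attached today? I'm in a meeting."),
    "legit": ("Sam Lee <sam.lee@example-church.org>", "", "Lunch on Tuesday?"),
}


def triage(samples=SAMPLES) -> dict:
    """Run the checks over every sample and map its label to the reasons found."""
    return {label: impersonation_reasons(*msg) for label, msg in samples.items()}


if __name__ == "__main__":
    for label, reasons in triage().items():
        print(label, "->", reasons or "clean")
```

A check like this belongs in the mail gateway or a rule in the mail client; it is a prompt to pick up the phone, not a replacement for SPF, DKIM and DMARC on your own domain.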
4. Coach your teams on good password hygiene.
What happens when you use the same password for everything? It gives a hacker access to all of your sites—the less secured to the highly secured. Using a password manager like LastPass makes it possible to have a unique password for each site and eliminates unsafe storage like spreadsheets. As hacking incidents rise, notice the trend away from passwords toward biometric indicators such as fingerprints, retinal scans or face shape scans.
5. The IoT is going to be a problem.
It doesn’t take a cyber-expert to figure out that a $10 camera doesn’t have a lot of security features. Ransomware attackers often strike through vulnerable devices from the Internet of Things (IoT). As our devices and appliances are increasingly given permissions on our computer network both at home and work, the points into the network multiply. And cyber criminals are looking for easy doorways that are not locked.
6. Go for the best backup you can afford.
Sure, you back up your data. But how often? This isn’t about just having a full working backup. This is about combating emerging attacks. Any organization that has been hit with ransomware will tell you this is crucial.
Malware can easily enter your system. Hopefully, you’ve coached everyone with a login not to open suspicious e-mails, but inevitably they get through. When it happens, you only get to keep whatever data is on your last backup.
7. Not everything is reported.
While major breaches are reported, most organizations keep them off radar because they are embarrassing. (You might find it hard to believe, but many, many churches fell for the scam in the early days of helping a widow transfer money because it was made as a religious appeal.)
Be sure to coach your staff to report it internally—quickly. Computer consultants report that they are surprised how many people wait to report when they’ve clicked something they realize they shouldn’t have, thinking the effect won’t be that bad or that it will resolve itself.
8. Most of the vulnerabilities exploited by malware are known issues.
One of the most effective ways to stay safe is to make sure that every computer on your network stays current with security patches—this often requires some effort on the part of your users to reboot and allow the updates to install.
While you probably have a strong anti-virus installed on each computer, you will likely need to remind people periodically why installing the updates is essential. Most malware doesn’t get in through new vulnerabilities. It takes advantage of older computers that people forget to update.
There is no way to completely secure your network. What you can do is plan for it, put some protections in place, and make sure you are in a position to recover well.
Oh, and you might make sure that your team knows not to try to purchase a bargain Rolex or send banking information to help the widow of a Nigerian prince.