HELPING LEADERS BECOME BETTER STEWARDS.
Cyber Exposures in the Church
Presented by: ChurchWest Insurance Services
CHURCH EXECUTIVE • CYBER EXPOSURES IN THE CHURCH
churchexecutive.com
Table of Contents

CYBERSECURITY! WHAT IT IS — AND HOW TO IDENTIFY YOUR OWN CHURCH’S BIGGEST RISKS (page 4)
Rarely does a day go by without a headline about data breaches. The victims we hear about include large financial institutions, international corporations, governmental agencies, Target, Home Depot, Sony, Citibank, NSA — the IRS and the list goes on. That’s nothing a church would need to worry about, right? I wish that were true. By Charlie Cutler
PLUS: Ministry and campus cyber exposures that affect nearly every church — and what to do about them

PREVENTING CYBERATTACKS: 9 OF THE MOST AT-RISK MINISTRY AREAS — AND WHAT YOU CAN DO TO KEEP HACKERS OUT (page 6)
How much do you know about cybersecurity and cyberliability? Is it enough to keep your church safe from massive data or financial loss? You should know that the risk of data breaches goes beyond Hillary’s server or Sony and Target’s credit card breaches. Cyberliability is becoming increasingly problematic for churches and non-profits. By Charlie Cutler

CYBER LIABILITY CHECKLIST & WALK-THRU (page 7)

CONCERNED ABOUT A CYBER BREACH? THERE’S A PLAN FOR THAT (page 8)
Last December, I was meeting with an executive pastor when we discussed the issue of cyberliability. At the time, I was hearing all kinds of warnings in the media and in the insurance industry about the threat of cyberliability — but I didn’t really buy all the hype. Long story short, I really didn’t see the need for buying cyberliability insurance … but the pastor challenged me. As his partner in ministry, he asked me to really get a good grasp on the topic. By Charlie Cutler
CYBER EXPOSURES IN THE CHURCH
Cybersecurity! What it is — and how to identify your own church’s biggest risks
By Charlie Cutler

Rarely does a day go by without a headline about data breaches. The victims we hear about include large financial institutions, international corporations, governmental agencies, Target, Home Depot, Sony, Citibank, NSA — the IRS and the list goes on. That’s nothing a church would need to worry about, right? I wish that were true.

In 2015, a sizable 3.4 percent of the 40,000 hacks made per day were against religious organizations, and 19.5 percent were against nonprofit organizations. Data breaches are becoming increasingly problematic. As you might already know, a data breach occurs when sensitive information — such as banking information or intellectual property — is stolen digitally, using a computer. In addition to financial information, personal information is also often the target of these thieves. Names, social security numbers, addresses and phone numbers are all targets once a network has been hacked.
To put this in perspective, let’s take a look at an example of how a data breach could potentially affect your ministry. In 2013, a children’s Christian theater in Southern California was targeted by malicious individuals attempting to test stolen credit cards. It started out as a great story — the ministry was receiving unsolicited donations on its website. What a fantastic blessing! Many of the staff wondered who was behind this campaign that would help spread the Gospel through their faith-based theater.

Unfortunately, it soon became apparent that this wasn’t a benevolent viral campaign. In fact, it was someone testing stolen credit card numbers. Simply put, the bad guys would make a small donation using a stolen credit card number. If the charge went through, they would use that stolen number to rack up charges elsewhere.

When the ministry learned what had happened, they were disappointed that the 947 donations were fraudulent. But the real shock was when those 947 charges were reversed. The ministry was responsible for not one $30 reversal fee, but 947! The resulting $28,410 bill could have forced this 20-year-old ministry — which had touched so many lives — to close its doors. Fortunately, however, Cyber Liability was included in the ministry’s insurance policy. With just a few calls from the insurance company to the bank, the charges were reversed.

In the above scenario, the Christian theater was only part of a broader scheme. Victims of a financial data breach were having their stolen credit cards used in a fraudulent manner on the Christian theater’s website. As a result, the theater was on the hook for the financial cost of the transactions, whereas the owners of the credit cards were likely covered by their bank’s fraud protection practices.
Here are some other ways that ministries (just like yours) have been victims of cyber theft:
• A church’s online giving system was hacked, and someone gained access to their user names and passwords. The first day, $17,000 was taken. Each day after, approximately $3,000 more was stolen, until the thefts were discovered by the ministry. The grand total stolen was $181,709.
• A hacker was able to gain access to (and place malicious computer code on) a church’s shopping site. This allowed the hacker access to any new credit card information entered into the system. The church had to spend $15,000 to research the damage. In addition, it was required, by law, to offer its 1,800 customers professional ID protection.
• A church bookkeeper received a message on her screen that she had been the victim of a computer breach. As a result, she was locked out of the system. The message prompted her to call an unknown phone number to restore access to the computer. She allowed access to the hackers and immediately saw social security numbers show up on the screen. At that point, she knew something was wrong. Experts were hired to monitor credit for those affected.
• A church received a notice that its records were frozen and held for ransom. The church didn’t pay the ransom, lost access to the records (which were not physically backed up), and is now rebuilding all of its records from scratch.
• An Australian-Syriac Catholic Church had its website hijacked by ISIS / ISIL. The terror group posted graphic images and videos of shootings and beheadings.
• Hackers logged into the church’s network and stole students’ personal information. They then used the information to obtain credit cards, running up high balances by claiming to be the students.

Cyber risk isn’t just the risk of theft — it also extends to intellectual property issues, violation of privacy issues, and your online ministry. If we picked a random ministry and started looking for risks, what would they be?
Let’s start with your website and social media and what you should be doing to avoid risk on these platforms:
• Follow the federal Children’s Online Privacy Protection Rule (COPPA). If you don’t, you’re putting your ministry’s children at risk — and that increases your risk. COPPA sets rules for operators of websites or online services that cater to children under 13 for collecting their personal information online.
• Avoid using too much personal information when creating and using prayer and praise lists.
• Avoid plagiarizing content from other blogs when you build your own content and literature.
• Secure your online giving processes using 128-bit SSL (secure socket layer technology).
• Avoid copyright infringement. Simply put, don’t copy and paste other people’s ideas and materials and present them as your own.
• Stay away from using clip art or images that aren’t listed in the public domain. They often have usage rights that involve licensing them from the creators.
• Steer clear of posting any songs on your website or podcasts that you haven’t licensed from their owners.
• Talk to your team and youth ministry about cyber bullying. So many tragedies have resulted from cyber bullying. It’s a risk no organization can afford.

[Figure: 2015 Cyber Attacks Statistics. Reprinted with permission from hackmageddon.com]

Next, let’s look at your campus:
• Secure your wireless networks. An open network can be used from outside of your building, and anyone can use it for any purpose. It’s common for people to use unsecured Wi-Fi to download torrents of copyrighted material illegally, with no risk to themselves — only the owner of the network.
• Use secure passwords for email and, if possible, two-step authentication. Learn to avoid email scams like phishing (example: an email that looks like it’s from Wal-Mart, but its origin is really a hacker in China).
• Lock down your computer networks. Grant your computer users only the amount of access they need to do their jobs. Only your IT staff should have administrative privileges.
• Monitor youth online services. As more and more ministries create online communities for fellowship, protections need to be put in place to shield youth from predators.
• Protect volunteer background checks. These include personal information which, in the wrong hands, could be used to create fake credit profiles. If a breach were to occur, laws in virtually every state would require that your church pay for credit monitoring moving forward.
• Lock up employee information. Employment files include even more information than your volunteers’ files. These are very enticing to online criminals.
• Back up your computer’s financial records somewhere other than in the cloud. Print hard copies of financial records quarterly (or even more frequently) in the event you lose access to your computer systems.
• Lock your extra hard drives in a place where they can’t be carried from the building. This is important in the event your church is a victim of a burglary.
• Avoid dumping private records in the trash. There are people who will — if they can — “dumpster dive” and learn all your secrets.
• Secure any medical information of your mission teams. Strict HIPAA laws prevent disclosure of medical records to any person, regardless of the reason.

All these represent potential cyber theft and liability exposures for your church. Fortunately, you have a few options:
#1: Unplug it all and shut the doors.
#2: Count on your insurance company to respond. (In most instances, cyber liability isn’t included in church insurance policies.)
#3: Be proactive in protecting your ministry.

If you prefer option #3 (and you should!), keep an eye out for the next segment of this three-part series. We’ll discuss the steps your church should be taking to prevent cyber theft and cyber liability.

Charlie Cutler is the Managing Partner of ChurchWest Insurance Services in Redlands, CA, an insurance agency that specializes in insuring churches. ChurchWest currently insures more than 3,000 faith-based organizations.
CYBER EXPOSURES IN THE CHURCH
Preventing cyberattacks: 9 of the most at-risk ministry areas — and what you can do to keep hackers out
By Charlie Cutler

How much do you know about cybersecurity and cyberliability? Is it enough to keep your church safe from massive data or financial loss? If you missed part 1 of our three-part Church Executive series on cybersecurity and cyberliability (July / August 2016), you should know that the risk of data breaches goes beyond Hillary’s server or Sony and Target’s credit card breaches. Cyberliability is becoming increasingly problematic for churches and non-profits.

A data breach occurs when sensitive information is stolen digitally using a computer. According to Hackmageddon.com, in 2015, a sizable 3.4 percent of the 40,000 hacks made per day were against religious organizations, and nearly 20 percent were against non-profit organizations.

Areas of ministry risk (and what you can do)

Step 1 of the battle against cyberattacks is to know which areas of ministry are most at-risk, as well as some techniques you can use to prevent hackers and thieves from gaining access to your church’s financials and other data.

#1: Passwords: Jesus123? John316? Did you know that some of the most commonly hacked passwords include words using “God,” “angel” and “Jesus”? [ fortune.com/2016/05/18/linkedin-breach-passwords-most-common ] It is imperative that your church implement a password policy that encourages staff to use tough-to-crack codes that brute force attacks won’t be able to easily guess. (Hackers use software that tries to guess your passwords over and over again.) One technique that I like is to take the first letter of each word in a favorite verse, with the chapter and verse at the end. For example: ‘iAyWsThAhWmYpS356’ is Psalms 3:5-6: ‘in all your ways submit to him and he will make your paths straight 356.’ Additionally, make sure employees never leave their passwords on their calendars or desks (not even under blotters).

#2: ‘Phishing’ and ‘whaling’: This isn’t a reference to being ‘Fishers of Men’ or Jonah! Phishing involves requesting secured data from an individual while masquerading as a trusted party. Whaling is the same concept, but targeted toward high-value persons, such as pastors or financial department staff.

#3: IT support: Ministries count on volunteers in so many ways, but IT support shouldn’t be one of them. If you outsource IT, find someone who understands ministry and church software. If you have an IT person, get them involved in ‘The Church IT Network’ [churchitnetwork.com], a group of ministry IT professionals who connect to support each other in their ministry roles.

#4: Software and the Web: Sometimes your risk is hiding in plain sight. It might be inside that free, indie (independently developed) software package your pastor downloaded to his computer. Or even worse, did you know that just visiting a website could put your staff at risk? Malware, malvertising, drive-by downloads and rogue security software haunt the Internet. Malicious code hides within seemingly benign free software, antivirus programs, and even advertisements on web pages. Installing the programs or clicking on the ads can infect your system with code that allows hackers to gain access to your system and mine it for login credentials to your banking and credit card companies. To help prevent these risks, update software regularly, use a firewall, and have an IT professional who is familiar with church software maintain your systems and devices.

#5: Church Wi-Fi: Many churches have fallen victim to ‘evil twin attacks’ — where someone sets up a Wi-Fi network that sounds like one the church would have. It allows the attacker to collect information that is transmitted over the network. Also, ask your IT team about protecting your ministry with SSL-protected apps and VPNs.

#6: Children: We have a duty to protect children in so many ways. One of them is to make sure there is no personally identifiable information about them on your website or in any social media. Posting a bulletin? No pictures or names of children should be included. If you are collecting their data, make sure that you are in compliance with the Children’s Online Privacy Protection Act.

#7: Protect volunteer and employee info: Personnel records include personal information which, in the wrong hands, could be used to create fake credit profiles. If a breach were to occur, laws in virtually every state would require that your church pay for ongoing credit monitoring for every stolen record.

#8: Back-up: Back up your computer’s financial records somewhere other than in the cloud. Print hard copies of financial records quarterly (or more frequently) in the event you lose access to your computer systems. Lock your extra hard drives in a place where they can’t be carried from the building. This is important in the event your church is a victim of a burglary. Avoid dumping private records in the trash. There are people who will (legally) “dumpster dive” and (illegally) learn all your secrets.

#9: People: Your greatest weakness is the people in ministry. The first step is to educate your staff on what they need to do to help prevent cyberattacks. Train your staff on how to spot these attacks; you’ll find resources at www.churchcyberliability.com.

In the next issue, we’ll further discuss how you can mitigate these risks to your church.

Charlie Cutler is the Managing Partner of ChurchWest Insurance Services in Redlands, CA www.churchwest.com, an insurance agency that specializes in insuring churches. ChurchWest currently insures more than 3,000 faith-based organizations.
Cyber liability checklist & walk-thru

Churches large and small need to prepare for the possibility of their systems being hacked by malicious individuals. Most churches think, “Hackers aren’t interested in us; we aren’t a business or a bank.” But rest assured — hackers are targeting churches, even as you read this. You might ask, “Why are hackers targeting institutions like churches?” One of the reasons is because big business has already been targeted, and they’ve secured their systems in the aftermath. Companies like Target, Walmart — and even digital companies like LinkedIn — have begun to secure their systems as a result of being hacked. Hackers are like water: They’ll follow the path of least resistance, looking for easy targets. Hackers want your ministry’s money and its data to finance and continue their crime sprees.
So, what can you do? Even if your church only has one computer or one electronic tithing processing solution, you can benefit from this checklist. This checklist was developed to help your ministry find the biggest and easiest holes to plug. Many solutions on this list can be implemented with little or no help from your IT person.
Area of Concern / Action / Implemented Solution (Yes/No) / Notes

Area of concern: Are you using unique usernames and passwords?
Action: Unique usernames and passwords are the first line of defense against hackers.
• Use uppercase and lowercase along with numbers and symbols.
• Do not reuse passwords on multiple machines or on different websites.
• Use at least eight characters in your passwords.
• Change your passwords every six months.
• For websites that feature it, use two-factor authentication.

Area of concern: Have you locked down administrative access to your ministry’s computers?
Action: Only your IT admin and staff should have administrative rights on your ministry’s computer systems. This helps protect your systems from unauthorized individuals.

Area of concern: Do you have a list of approved ministry software?
Action: Your staff should only be able to install software from the approved software list. Adopting this rule helps secure data and prevents installation of malicious software or computer code.

Area of concern: Did you install anti-virus programs, as well as email spam and website filters?
Action: Installing anti-virus software and spam filters will help with the heavy lifting of filtering out most malicious emails and software. Educate your staff on how to spot the tricks used by hackers to avoid the rest.

Area of concern: Are you upgrading your ministry’s computer operating systems in a timely fashion?
Action: Outdated operating systems (OS), such as Windows Vista or XP, can be a security risk for your ministry. Update your systems to the latest OS to take advantage of the latest security updates and protect against new cyber threats. Also be sure to run updates from the Windows Update tool or Mac App Store to make sure you have installed critical updates that fix recently discovered zero-day system vulnerabilities.

Area of concern: Have you been backing up your ministry’s data?
Action: Prevent loss of important data due to theft or physical damage. Back up your data to a cloud service, like Dropbox, in addition to traditional backup mediums like DVD-RWs. Lock away all physical backups in a safe.

Area of concern: Did you encrypt your ministry’s mobile devices?
Action: Make sure you use encryption on your phones, tablets and laptops, as well as set system passwords for all devices.

Implemented Solution (Yes/No):
Notes:
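As an added example (not from the article or ChurchWest), the Python below implements the verse-acronym password technique from the Passwords section of the preceding article and checks a candidate against this checklist's password rules. The verse text and reference are the article's own example; the function names, the risky-word list taken from the article, and the 182-day reading of "every six months" are assumptions made here.

```python
import re
import string
from datetime import date

# Constructed sample: the verse and reference the article itself uses
# (Psalm 3:5-6, in the author's wording). Typed in here for the demo.
SAMPLE_VERSE = "in all your ways submit to him and he will make your paths straight"
SAMPLE_REFERENCE = "3:5-6"

# Words the article reports as common in cracked passwords.
RISKY_WORDS = ("god", "angel", "jesus")

# Assumption: the checklist's "every six months" is treated as 182 days.
ROTATION_DAYS = 182


def verse_passphrase(verse, reference):
    """Build a password the way the article describes: the first letter of
    each word, alternating lower/upper case as in its example, followed by
    the chapter and verse digits taken from the reference."""
    words = re.findall(r"[A-Za-z']+", verse)
    letters = []
    for i, word in enumerate(words):
        first = word[0]
        letters.append(first.lower() if i % 2 == 0 else first.upper())
    digits = re.sub(r"\D", "", reference)  # "3:5-6" -> "356"
    return "".join(letters) + digits


def password_findings(password, previously_used=()):
    """Check a candidate against the checklist's password rules. Returns the
    rules it fails, in checklist order; an empty list means it passes all."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")
    lowered = password.lower()
    for word in RISKY_WORDS:
        if word in lowered:
            findings.append(f"contains commonly cracked word '{word}'")
    if password in previously_used:
        findings.append("reused from another machine or website")
    return findings


def needs_rotation(last_changed_iso, today_iso):
    """True when a password set on last_changed (ISO date string) is older
    than the checklist's six-month change interval as of today."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > ROTATION_DAYS


if __name__ == "__main__":
    candidate = verse_passphrase(SAMPLE_VERSE, SAMPLE_REFERENCE)
    print(candidate)  # iAyWsThAhWmYpS356, the article's own example
    for pw in (candidate, candidate + "!", "Jesus123", "John316"):
        print(pw, "->", password_findings(pw) or ["passes all checklist rules"])
    print("rotate?", needs_rotation("2016-01-01", "2016-07-15"))
```

Run as written, the checker flags the article's own 'iAyWsThAhWmYpS356' for having no symbol, because the verse method by itself never produces one; appending a symbol satisfies every rule on the checklist.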
For more resources on cyber risk and liability, along with solutions, visit www.churchcyberliability.com.

CYBER EXPOSURES IN THE CHURCH
Concerned about a cyber breach? There’s a plan for that
By Charlie Cutler

Last December, I was meeting with an executive pastor when we discussed the issue of cyberliability. At the time, I was hearing all kinds of warnings in the media and in the insurance industry about the threat of cyberliability — but I didn’t really buy all the hype.

C’mon, what real exposures does a church have? It’s the ‘big guys’ getting hacked, not the typical church on the corner. Every nickel that comes through the church is a sacrificial gift. Why should we go out and spend more money on insurance when budgets are already strained?

Long story short, I really didn’t see the need for buying cyberliability insurance … but the pastor challenged me. As his partner in ministry, he asked me to really get a good grasp on the topic.

So, I committed that 2016 would be the year that I would get a better understanding of the risks, how churches can protect themselves through training, and what church cyber insurance is all about. I sat through conferences on cyberliability, subscribed to cyber theft alerts, read all the emails and blogs on the topic, and even traveled to Lloyds of London (the birthplace of insurance) to really understand what churches need.

When the editors at Church Executive asked me to write these three articles, I thought: Here’s my chance to shout from the mountaintops and be a church cyberliability ‘evangelist’!

What it all comes down to is this …

The threat is real — but not in the way you might think

The biggest thing I’m learning about cyberliability is that it’s a growing problem. You’ll need to keep up on the topic, train your ministry teams on how to prevent it from happening, and have an insurance partner who will help you should it happen at your church. A good place to start — with free resources for training your employees — is www.churchcyberliability.com.

(And yes, since I started writing this, I have found a virus on my computer.)

Responding to a cyber breach

It doesn’t matter if you’ve outsourced financial processing or if you don’t handle that much financial data. In the event of a breach, the laws require you to respond. And, your response isn’t something you can leave up to volunteers, your computer geek or the church administrator. It isn’t something that can be handled on a work day. Although, by law, how you respond varies by state, the experts that need to be called in to assist your ministry are some of the top computer experts in a very specialized field. Their fees will prove this — and it will likely break the church’s budget.

Cyberliability insurance pays these costs, hires the experts you need, and guides you through the process. But, don’t go out and buy the same cyberliability insurance policy that a financial institution or a for-profit organization needs; you’ll want something that will help cover the costs to hire the experts for you. Yes, there is a chance attorneys might sue you for damages — but the insurance that every church needs covers the cost to respond, research and repair the damage to your computer systems.

According to the recent Cost of Data Breach Study by IBM Security [http://www-03.ibm.com/security/data-breach/], there are more than 91 million security events every year. The likelihood that your ministry is next isn’t too far-fetched. A cyber breach is more likely than a terrorist attack … but most churches have security teams. It’s also more likely than a D&O lawsuit — but your church probably has D&O coverage.

We are seeing more than one church cyber breach every month. In one case, a church’s HR director clicked on a link that gave a hacker access to all her employee data. It cost $15,000 simply to investigate the extent of the damage — and that’s just the beginning. Repairs and response will run another $25,000, at least.

In the event that your church suffers a breach, you probably aren’t going to get hit with a major lawsuit from the congregants. This is what happens to the ‘big guys.’ There are attorneys out there who are setting up class action lawsuits following a breach. Who wins in these situations? Most likely, the attorneys.

So, what is going to happen to your church?
• You will be distracted from your ministry.
• You will spend hundreds of hours and thousands of dollars — that should be spent on ministry! — doing damage control, conducting a forensic investigation, notifying everyone about what happened, paying for credit checks, and figuring out what went wrong.

Charlie Cutler is the Managing Partner of ChurchWest Insurance Services in Redlands, CA www.churchwest.com, an insurance agency that specializes in insuring churches. ChurchWest currently insures more than 3,000 faith-based organizations.