Cyber Security: How To Protect Your Church Or Charity’s Data From Cyber-Attacks, Theft and Damage

With hacking attempts occurring every 39 seconds, churches and charities, like other organisations, are increasingly exposed to cyber-attacks that threaten to steal, damage or leak their data. The consequences can be quite damaging reputationally, financially and legally. Robust cyber security can protect churches and charities from being victims of cyber-attacks and help safeguard their data.

Contents

Introduction

 

So, why is cyber security relevant to churches and charities? A cyber-attack can happen to any organisation, no matter its size or type.

 

But churches and charities are especially vulnerable because they often have weaker cyber security measures in place and do not prioritise investment in robust cyber security.

 

Studies show that hacker attacks on internet-connected computers occur every 39 seconds, that is on average 2,244 times a day!

 

Research also showed that 70% of non-profit organisations had not carried out any vulnerability tests of their computer systems to understand their potential risk of attack.

 

Furthermore, only 20% had policies in place to address cyber-attacks and 59% did not offer regular cyber security training to their staff.

 

The good news is that there are some simple and affordable steps that churches and charities can take to protect their systems and data from cyber-attacks.

 

This article takes you through what cyber security is, why it is important in churches and charities, and explains the essential cyber security controls that you should put in place to protect your church and charity from cyber-attacks.

 

Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above.

 

 

Scene Setting

 

The Learning & Development Committee members are here again for their pre-meeting with Coach Emmanuel before the masterclass.

 

Brother Badtrus: Wow! wow! wow!  I have just received an email with a tax refund, although I can’t remember putting in a claim using my church-assigned email address.  But anyway, if they owe me, I am up for collecting my dues!

 

Sister Mary: Someone is excited.  How much is this refund?

 

Brother Badtrus: Good question.  The email says to get my bank account details ready and then click the link to find out.  Let me get my wallet.

 

Brother Sam: Wait a minute!  How do you know this is really from the revenue department?  There are many scams out there!

 

Sister Jane: Would a scam offer you money back?  I thought they only take money from you.  Also, this was sent to the church-assigned email address, not his personal email, so that should be fine, shouldn’t it?

 

Elder Sam: Well, if you put in your bank account details and personal information the scammer can assume your identity.

 

Coach Emmanuel: The risk is not just identity theft, but as the church email address was used, if you click on the link, you could activate malware that enters the church computer systems and network.  Let me see the email.

 

Hmm!  If you click on the sender, you can see that it is from someone’s personal email and not from the revenue department.  This is a form of cyber-attack called phishing. 

 

You must all be aware of such cyber-attacks and know how to spot and handle them, as part of a robust cyber security strategy.  To the masterclass we go!

 

 

What is Cyber Security?

 

With the ever-increasing reliance on technology and the internet, data held by individuals and organisations is more vulnerable than ever to attack.

 

Cyber security refers to the means, processes and technologies that an organisation deploys to safeguard their computer systems, networks and confidential data from cyber-attacks and unauthorised access.

 

Cyber-attacks are deliberate attempts to damage, steal, leak, modify or block access to data on computers, devices and networks by gaining unauthorised access to them.

 

These attacks can come in many forms, such as viruses, malware, phishing scams, and denial of service attacks.

 

The goal of cyber security is to protect your data from these attacks.

 

This includes preventing attacks from happening in the first place, detecting attacks that are under way, and being able to recover from attacks if they do occur.

 

 

The Importance of Cyber Security in Churches and Charities

 

Churches and charities are increasingly becoming targets for cyber-attacks.

 

This is because they typically have large amounts of sensitive data, such as financial information and personal data, that can be exploited by criminals.

 

Additionally, churches and charities can be attractive targets because they often have less robust cyber security measures in place than larger organisations.

 

This can leave them vulnerable to attacks that could potentially compromise sensitive data or disrupt operations.

 

As churches and charities typically rely heavily on giving from the public and members, a breach of their systems and data through a cyber-attack could severely damage their reputation and deter people from giving in the future.

 

Successful cyber-attacks can bring an organisation to its knees and cripple its services.  This is not an option for churches and charities whose vital services towards humanity are relied on by many beneficiaries.

 

Most cyber-attacks are indiscriminate, hitting many organisations and systems at the same time.  A survey of 500 charities showed that 26% of them experienced cyber-attacks in 2020.

 

Separately, 37% of UK-based charities surveyed by Ecclesiastical in October 2021 said that they had experienced loss of data as a result of cyber-attacks, with 31% fined for data breaches.

 

Even where there is no obvious immediate damage, you cannot rule out future damage, for example through malware that has accessed the systems and may be undetected for months.

 

Ultimately, cyber security is important for all organisations, but especially for churches and charities who may not have the resources to recover from a successful attack.

 

Ensuring good cyber security is therefore critical to protect your data and prevent your church or charity from becoming a victim of a cyber-attack.

 

 

Types of Cyber-attacks

 

In our increasingly connected world, it’s important to be aware of the different types of cyber-attacks that can happen. Here are three of the most common:

 

Malware attacks: This type of attack involves malicious software being installed on a victim’s device without their knowledge.

 

Once installed, the malware can be used to steal sensitive data, render data inaccessible or eavesdrop on communications.

 

Ransomware is a form of malware that is becoming more prevalent, and makes systems and data inaccessible until the victim makes a ransom payment to the hacker.

 

Phishing attacks: Phishing is a type of social engineering attack in which attackers try to trick victims into giving them confidential information.

 

This is often done by sending an email that appears to be from a legitimate source, such as a supplier, bank or government agency.

 

Phishing emails typically contain attachments such as invoices or links to websites, that can activate malware when clicked or opened, and also harvest confidential data.
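The refund email in the scene-setting dialogue and the phishing description above share the same tell-tale signs: a display name claiming an organisation while the real address is a personal webmail account, a link pointing somewhere other than the organisation's own domain, and urgency combined with a request for bank details. The following Python script is an added example, not part of the Table Stewards article, showing how those three checks can be applied to an incoming message. The sample email, the trusted-domain list and the lure phrases are all constructed for the demonstration (the domains use the reserved `.example` and `.invalid` names, so they resolve nowhere); a real deployment would use the public suffix list rather than the two-label domain shortcut used here.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the scene above: the display name claims to be
# the revenue department, but the address is a personal webmail account.
SAMPLE_EMAIL = b"""\
From: "HM Revenue & Customs" <refunds.officer@freemail.invalid>
To: treasurer@church.example
Subject: Tax refund waiting - action required
Content-Type: text/plain; charset=utf-8

You are due a tax refund. Have your bank account details ready and
click http://hmrc-refund-claim.example/verify within 24 hours.
"""

# Constructed legitimate-looking counterpart: sender and link stay on trusted domains.
LEGIT_EMAIL = b"""\
From: "HMRC" <noreply@hmrc.gov.uk>
To: treasurer@church.example
Subject: Your annual statement
Content-Type: text/plain; charset=utf-8

Your annual statement is now available in your online account at
https://www.gov.uk/ when you next log in.
"""

# Domains the organisation expects genuine mail and links from (assumed list).
TRUSTED_DOMAINS = {"gov.uk", "church.example"}

# Phrases that commonly appear in phishing lures (constructed, non-exhaustive).
LURE_PHRASES = ("bank account details", "click", "within 24 hours", "refund")


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels. Good enough for this demo;
    a real implementation would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw: bytes) -> list:
    """Return a list of human-readable warnings found in the raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name claims an organisation, but the address is on an untrusted domain.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(address.partition("@")[2])
    if display_name and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender '{display_name}' uses untrusted domain {sender_domain}")

    # 2. Any link in the body leads away from the trusted domains.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        link_domain = registered_domain(urlparse(url).hostname or "")
        if link_domain not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {link_domain}")

    # 3. Lure language: urgency plus a request for money or account details.
    lowered = body.lower()
    hits = [phrase for phrase in LURE_PHRASES if phrase in lowered]
    if len(hits) >= 2:
        findings.append("lure language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
    print("legitimate sample warnings:", phishing_indicators(LEGIT_EMAIL))
```

Running the script prints three warnings for the refund email and none for the legitimate one. The point for training purposes is that none of the checks needs technical skill to perform by hand: Coach Emmanuel's "click on the sender" is check 1, hovering over the link is check 2, and reading the email for urgency and a request for bank details is check 3.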

 

Denial-of-service attacks: A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to users.

 

Financial or personal gain has been the top motive for cyber-attacks in 96% of organisations.

 

 

Fundamental Cyber Security Controls

 

The digital age is driven by data. A cyber-attack can cripple an organisation, and even lead to severe financial loss and reputation damage.

 

That’s why it’s so important to have robust cyber security controls in place to mitigate these risks.

 

There are many different aspects to consider when it comes to cyber security, but there are some fundamental controls that should always be in place.

 

Cyber security controls can be grouped under the main internal control types of preventive, detective and corrective controls.

 

 

Cyber Security: Preventive Controls

 

While no system is ever 100% secure, there are a number of preventive controls that your church or charity can put in place to reduce the risk of becoming a victim of a successful cyber-attack:

 

Cyber Security Policies

 

First and foremost your church or charity should have comprehensive cyber security policies in place.

 

There are four key paths used to invade IT systems.

 

These are: user access logins (credentials); phishing (tricking individuals into revealing confidential information or introducing malware); exploiting vulnerabilities; and botnets (a hacker taking control of your computer without your knowledge, as part of a private network of computers used for cyber-attacks).

 

Your cyber security arrangements should include plans to block all four paths.

 

A cyber security policy should be developed for employees and volunteers outlining acceptable use of your church or charity systems and data, password and access controls, identifying and handling phishing, training, as well as procedures for reporting and responding to incidents.

 

See the useful resources section of this article for a link to a sample template you can adapt.

 

A cyber security policy for the IT infrastructure of your church or charity should also be developed and applied in IT operations.

 

This should include policies on identifying vulnerabilities and protecting systems from their exploitation; access controls; and securing systems and data, including the use of firewalls, anti-virus software, data encryption, penetration testing and the creation of back-ups.

 

It should also include criteria for assessing new IT services before acquisition, protection from denial of service attacks, keeping abreast of potential threats and responding to incidents.

 

Access Controls

 

To protect your sensitive data you need to ensure that only those who are authorised can access it.

 

The access should be limited to what each person needs to perform their roles.

 

Effective access controls are designed to ensure that only authorised users can access sensitive data and systems.

 

Access control can be implemented through user authentication and authorisation mechanisms, such as strong passwords that are never reused, biometrics, and two-factor authentication.
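The two sentences above describe two separate decisions: authentication (is this really the person?) and authorisation (is this person allowed to do this?). The following Python example is added here and is not part of the Table Stewards article; it shows an authorisation check that implements the "limited to what each person needs" rule by denying anything not explicitly granted, and that refuses access to sensitive data unless the session has completed a second authentication factor. The roles, resources and the rule that donor and bank data require two-factor authentication are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Permissions granted per role, written as "resource:action". Anything not
# listed here is denied; deny-by-default is what makes least privilege hold.
# (Roles and resources are assumed for illustration.)
ROLE_PERMISSIONS = {
    "treasurer": {"donor_records:read", "bank_export:read", "bank_export:write"},
    "pastor":    {"donor_records:read"},
    "volunteer": {"rota:read"},
}

# Resources holding sensitive data: even an authorised user must have completed
# a second authentication factor in this session before touching them (assumed policy).
MFA_REQUIRED = {"donor_records", "bank_export"}


@dataclass
class Session:
    """What the authentication step established about the current user."""
    user: str
    roles: set
    mfa_verified: bool = False


# Every decision is recorded so that the detective controls later in the
# article (monitoring for unusual activity) have something to look at.
audit_log = []


def is_allowed(session: Session, resource: str, action: str) -> tuple:
    """Return (decision, reason) for the requested action and record it."""
    wanted = f"{resource}:{action}"
    granted = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # an unknown role grants nothing
    if wanted not in granted:
        decision = (False, f"{session.user}: no role grants {wanted}")
    elif resource in MFA_REQUIRED and not session.mfa_verified:
        decision = (False, f"{session.user}: {wanted} requires two-factor authentication")
    else:
        decision = (True, f"{session.user}: {wanted} allowed")
    audit_log.append(decision[1])
    return decision


if __name__ == "__main__":
    # The treasurer may export bank data, but only with a second factor.
    print(is_allowed(Session("ann", {"treasurer"}), "bank_export", "write"))
    print(is_allowed(Session("ann", {"treasurer"}, mfa_verified=True), "bank_export", "write"))
    # A volunteer can see the rota and nothing else.
    print(is_allowed(Session("cat", {"volunteer"}), "rota", "read"))
    print(is_allowed(Session("cat", {"volunteer"}), "donor_records", "read"))
```

The design choice worth copying is that the check never asks "is this user blocked?"; it asks "has someone explicitly granted this?", so a new role, a typo in a role name or a resource nobody thought about all fail closed rather than open.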

 

Education and Training

 

Church and charity employees and volunteers may have access to sensitive data such as financial information, givers and donor lists, and personal information.

 

A data breach can cause reputational damage, financial loss, and legal liabilities.

 

Cyber criminals are constantly evolving their methods, so it is important for employees and volunteers to be up-to-date with the latest threats and how to protect against them.

 

Educate your staff on the importance of cyber security and proper online safety protocols.

 

They should be familiar with your cyber security policy and procedures for dealing with cyber-attacks and data breaches.

 

Training in email security and social engineering, such as phishing attacks, is very important, as studies show that over 75% of malware is received via email.

 

This is where individuals receive emails that appear to be from legitimate sources requiring them to click a link in the email or open an attachment, which then transfers malicious software or provides access to confidential data.

 

See the useful resources section of this article for links to free online cyber security training as a starting point.

 

Malware Protective Measures

 

There are a few simple steps you can take to protect your church or charity from malware attacks.

 

You should ensure that all of your software is up-to-date and that you have installed reputable security software.

 

This means installing all the latest security patches as soon as they become available.

 

Additionally, make sure your anti-virus software is up to date and running properly.

 

Implement firewalls.  Firewalls act as a barrier between your internal network and the Internet. They can help to block malicious traffic and protect against external threats.

 

Device Protection

 

Your mobile devices in particular need to be properly secured to prevent them from being access points for cyber-attacks.

 

You should ensure that critical security updates are immediately applied.

 

Location tracking should be enabled to track lost or stolen items.  Also enable the ability to erase data or disable the device if lost or stolen.

 

The importance of strong passwords cannot be over-emphasised.

 

 

Cyber Security: Detective Controls

 

There are a number of controls that can be put in place to detect cyber-attacks, including:

 

Monitoring Network Traffic for Unusual Activity

 

As the number of cyber-attacks increases, it is more important than ever for organisations to monitor their network traffic for unusual activity.

 

By monitoring data flows, you can detect and stop malicious activity before it causes damage.

 

There are a number of ways to monitor network traffic.

 

A firewall can be configured to detect and block traffic from suspicious IP addresses before it reaches your network.

 

You can also monitor traffic using intrusion detection and prevention systems which can detect and block malicious traffic.
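"Unusual activity" is easier to act on once it is written down as a rule. The Python script below is an added example, not part of the Table Stewards article, showing one such rule run over authentication log lines: a source address that fails to log in five or more times within a minute is flagged, and a successful login from that same address afterwards is flagged separately, because that is the moment a guessed password has started to work. The log format, the addresses (drawn from the reserved documentation ranges) and the threshold are all constructed for the demonstration; real firewall or sign-in logs differ in layout but carry the same fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log in a simple "timestamp result user=... src=..." form.
SAMPLE_LOG = """\
2024-03-01T09:00:01 OK   user=treasurer src=192.0.2.10
2024-03-01T09:00:05 FAIL user=admin src=203.0.113.9
2024-03-01T09:00:07 FAIL user=admin src=203.0.113.9
2024-03-01T09:00:09 FAIL user=admin src=203.0.113.9
2024-03-01T09:00:12 FAIL user=pastor src=203.0.113.9
2024-03-01T09:00:15 FAIL user=admin src=203.0.113.9
2024-03-01T09:00:20 OK   user=admin src=203.0.113.9
2024-03-01T09:30:00 FAIL user=pastor src=192.0.2.11
2024-03-01T09:45:00 OK   user=pastor src=192.0.2.11
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")
WINDOW = timedelta(seconds=60)   # how far back failures count (assumed)
THRESHOLD = 5                    # failures within the window that trigger an alert (assumed)


def detect_login_abuse(log_text: str, window=WINDOW, threshold=THRESHOLD) -> list:
    """Return alerts as (kind, source, user, timestamp) tuples, in log order."""
    recent_failures = defaultdict(deque)   # source address -> timestamps of recent failures
    flagged = set()                        # sources already reported, to avoid repeats
    alerts = []

    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue                       # ignore lines in an unexpected format
        ts_text, result, user, src = match.groups()
        ts = datetime.fromisoformat(ts_text)

        if result == "FAIL":
            queue = recent_failures[src]
            queue.append(ts)
            # Drop failures that have fallen outside the sliding window.
            while queue and ts - queue[0] > window:
                queue.popleft()
            if len(queue) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, ts_text))
        elif src in flagged:
            # A success from a source that was guessing passwords is the real emergency.
            alerts.append(("success_after_burst", src, user, ts_text))

    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

The single failed attempt from 192.0.2.11 followed by a later success is the ordinary case of a mistyped password and produces nothing; only the burst from 203.0.113.9 is reported. If an IT service provider runs your monitoring, this is the kind of rule, with its threshold and the response expected when it fires, that the contract should spell out.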

 

If your church or charity utilises IT service providers to manage your systems and networks, you should ensure that your contract includes both preventive and detective controls over cyber-attacks.

 

Scanning systems and networks for vulnerabilities

 

One of the ways to scan for vulnerabilities is to use a vulnerability scanner, which is a software program that can identify weaknesses in your system.

 

Again, if your IT services are managed externally, ensure that your contract includes scanning for, and addressing, vulnerabilities.

 

You can also hire professionals to perform an assessment of your network.

 

Whichever method you choose, it is important to make sure that your scan covers all of your systems and networks.

 

This includes any devices that are connected to the internet, as well as any cloud-based services that you use.

 

 

Cyber Security: Corrective Controls

 

Preventive and detective controls help provide defence against cyber-attacks.

 

But in the unfortunate event of a cyber-attack, the right corrective controls are essential to mitigating the damage caused by the attack.  The most effective are:

 

Regular Data Backup and Offline or Cloud Storage

 

Backing up data should be a critical part of your church or charity’s cyber security strategy.

 

By storing data backups offline or in the cloud, you can ensure that your church or charity has a copy of its data even if your primary systems are compromised.

 

This can help minimise the impact of a successful cyber-attack and help you recover more quickly.

 

Your church or charity should create a backup plan that outlines how often data should be backed up and where it should be stored.

 

You should also consider using multiple storage locations to further protect the data.

 

Your IT services contract, where you use IT service providers, should include requirements for regular data backup and recovery services.
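A backup only counts as a corrective control if it can actually be restored, and the time to find out is before an incident, not during one. The Python script below is an added example, not part of the Table Stewards article, showing the minimum a backup plan should include beyond "copy the files": record a checksum of every file at backup time, then prove the archive by restoring it into a scratch directory and comparing every file against that record. The sample files, paths and the way the archive is damaged in the demonstration are all constructed; the same verify step applies to a copy kept offline or in the cloud.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Checksum a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir: Path, archive: Path) -> dict:
    """Archive every file under source_dir; return a manifest {relative path: sha256}.
    Keep the manifest separately from the archive: it is what you verify against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> bool:
    """Test-restore into a scratch directory and check every file's checksum."""
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                # Newer Pythons can refuse archive members that escape the target
                # directory; use that protection where it exists.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
            for rel, expected in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file() or sha256_file(restored) != expected:
                    return False
            return True
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False   # unreadable or damaged archive fails verification, it does not crash


def demo() -> tuple:
    """Back up constructed sample data, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as workspace:
        root = Path(workspace)
        data = root / "data"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "giving-2024.csv").write_text("date,amount\n2024-01-07,120.00\n")
        (data / "members.txt").write_text("constructed sample member list\n")

        archive = root / "backup.tar.gz"
        manifest = make_backup(data, archive)
        good = verify_backup(archive, manifest)

        # Simulate a backup overwritten with junk (as happens when a mounted
        # backup share is hit): the checksum record exposes it immediately.
        damaged = root / "damaged.tar.gz"
        damaged.write_bytes(b"\x00" * 128 + archive.read_bytes()[128:])
        bad = verify_backup(damaged, manifest)
        return good, bad


if __name__ == "__main__":
    print("intact backup verified:", demo()[0], "| damaged backup verified:", demo()[1])
```

Two details carry the security value: the manifest is kept apart from the archive, so an attacker who alters the backup cannot also alter the record it is checked against, and a damaged or unreadable archive returns a clear "failed" rather than raising an error that a scheduled job would silently swallow.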

 

Incident Response Plan

 

A comprehensive incident response plan is essential to ensure that your church or charity can quickly and effectively respond to any incidents that occur.

 

An incident response plan forms part of your business continuity arrangements.

 

Read our article on creating a business continuity plan for your church or charity.

 

 

Useful Resources

 

This article covers the essential controls that all churches and charities must put in place as a foundation for good cyber security.

 

Maintaining cyber security awareness is vital as the cyber threat landscape continues to evolve and cyber-attack techniques get more sophisticated.

 

This section provides links to various useful resources that your church or charity can reference to support your cyber security strategy and awareness.

 

  • National Cyber Security Centre (NCSC) https://www.ncsc.gov.uk. The NCSC website provides advice and guidance and a range of resources, including an online training course, which is free to access. Organisations can also sign up for the Early Warning service and get informed of cyber-attacks that may affect their networks.

  • NCSC’s Cyber Aware campaign provides advice on how individuals can stay secure online. You can share this with your employees and volunteers.


Conclusion

 

Churches and charities should be aware of the potential for cyber-attacks and take steps to protect their data through robust cyber security.

 

By implementing fundamental cyber security controls to prevent cyber-attacks, detect potential attacks, and minimise the impact and effectively recover when attacks occur, churches and charities can reduce their risk of becoming victims of cyber-attacks.

 
