In today's digital age, cybersecurity challenges are no longer limited to businesses and government organizations; they have now extended to religious institutions, including church parishes. As churches become more reliant on technology for communication, donations, and data management, they become vulnerable to cyber threats. In this post, we aim to shed light on the increasing cybersecurity challenges facing church parishes and the importance of addressing these challenges to protect their congregation, data, and resources. We will delve into the advisories and recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA) and discuss the unexpected costs a cybersecurity breach can impose on a small parish.
Attacks on Houses of Faith can take many forms, but the most common examples are ransomware and data breaches. Phishing is also worth noting, as it is often how cyber criminals gain access to a network in the first place. Phishing is also used for direct financial fraud, such as gift card scams and misdirected funds transfers.
Ransomware is the threat we hear about most. It involves the encryption of all data on a network or system. It is easy for a parish to assume it can work without its data while that data is recovered, but technology has found its way into many aspects of parish life. Live streams can be interrupted or canceled, shared calendars can be compromised, and even access to accounting systems can be lost.
As backups have gotten better, attackers have increasingly moved to data breaches. In a data breach, sensitive data is stolen by cyber criminals, and extortion is used to ensure payment. As ransomware alone has become less effective, data theft is now often combined with it as a second lever to ensure victims pay.
Phishing is often the attack vector used to gain initial access. On top of being used to gain access to a system for ransomware or a data breach, it can be used on its own. Scams involving attackers posing as church officials or vendors have redirected donations and payments away from parishes. These losses are sometimes covered by insurance, but in many cases the burden falls on the parish.
The Cybersecurity and Infrastructure Security Agency (CISA) releases security guidance for businesses in general. CISA has published a large amount of advice that applies to all organizations, as well as some guidance specific to Faith-Based Organizations.
The first resource is CISA's Cyber Essentials at https://www.cisa.gov/resources-tools/resources/cyber-essentials. It provides a starter kit to prepare you for your general cybersecurity journey. Once complete, one should review the multi-factor authentication page at https://www.cisa.gov/MFA. This is an excellent resource for explaining to staff and leaders why multi-factor authentication is needed.
On the Faith-Based side, the CISA Guide to Mitigating Attacks on Houses of Worship located at https://www.cisa.gov/resources-tools/resources/mitigating-attacks-Houses-worship-security-guide contains a wealth of information from both a physical security as well as a cyber security perspective.
Unfortunately, many organizations fail to secure their networks properly or to maintain good cybersecurity hygiene. The cost of breaches resulting from poor security is high and unexpected.
The ransom payment is the most direct cost in a ransomware or extortion case. Ransoms vary wildly from case to case, but most cyber-crime organizations aim for these payments to be approximately 3% of the annual revenue of the organization hit (Source: https://www.netapp.com/blog/ransomware-cost/).
However, this cost is only part of the equation. The same source estimates that the ransom payment itself is only approximately 15% of the total cost. Additional costs include lost revenue or donations and any fees incurred in recovery, such as attorneys and equipment replacement.
Reputational damage can be a significant concern for parishes after an attack. Congregants expect churches to maintain a high level of trustworthiness and confidentiality, especially concerning personal or financial information. The loss of trust following a cybersecurity incident erodes confidence in the organization, which can in turn lead to a decline in attendance and participation. This can directly impact donation income, with parishioners reluctant to contribute financially due to concerns about the safety of their information. This loss of income can be devastating for small parishes.
Many organizations feel insurance will cover these costs, only to find out they are uninsured or under-insured when an incident happens. Even in cases where the entity is insured, coverage will often not cover the entire cost of an incident and cannot help with reputational damage.
These costs are nearly impossible to budget for and make cybersecurity attacks a grave concern for all places of worship, and particularly challenging for small parishes.
So what can a House of Worship do to ensure they are safe?
- Train all staff and volunteers on cybersecurity awareness. Using resources such as the CISA guide, ensure all engaged participants understand security and that they must do their part. In their Data Breach Investigations Report, Verizon calls out that 82% of all attacks involve a human element (source: https://www.verizon.com/business/resources/reports/dbir/). Educating your staff and volunteers on proper cybersecurity practices can help cut that number down dramatically.
- Develop a comprehensive cybersecurity plan. Much like physical security and other disaster plans, an organization should have a documented set of policies and procedures it follows before and after a cybersecurity incident. This includes general policies such as acceptable use and funds transfer, as well as a detailed and practiced incident response plan.
- Ensure you have good backups of all data, including cloud data. This should include offline backups that are not reachable from the main network, so that ransomware cannot encrypt them along with everything else. These will aid in recovery if a ransomware incident occurs.
- Review your insurance coverage. Ensure you have coverage in place for all the risks you face. We recommend working with your insurance broker to determine whether you are covered.
In conclusion, church parishes must recognize the importance of cybersecurity and take proactive measures to safeguard their congregation's data, resources, and trust. By implementing best practices, following CISA advisories, and dedicating time and effort to cybersecurity education and planning, parishes can significantly reduce the risk of cyber threats. We urge all church parishes to prioritize cybersecurity efforts and allocate the necessary resources to protect their digital assets and, ultimately, their communities. Be proactive, stay informed, and work together to build a safer, more secure digital environment for your parish.
If your parish wants to improve its cybersecurity posture and needs help, we're here for you.
Find out how we can help today!