October is Cybersecurity Awareness Month, and there has arguably never been more incentive to care, because the threat landscape is extreme. We all face these threats on a daily basis. Failure to recognize and avoid a threat could put your church in a bad position that results in severe financial loss or, in the worst case, closes its doors.
In this article, we’ll take a look at the threats and then some security best practices that will help to defend against them.
The Threats – The threat landscape is constantly evolving, but these are some of the big ones:
Ransomware – Probably the biggest threat that individuals and organizations face is ransomware. Imagine a scenario where you show up at your church to find that all of your computers are encrypted with ransomware and unusable…AND your backups are also encrypted, because they sat on a drive or network share that the infected computers could reach. This is a real scenario that many companies and organizations face every day, and some are forced out of business by it.
Phishing – Phishing messages are everywhere, and they don’t always come in email. They can come through text messages, phone calls, social media, and pretty much any other medium where text and links can be sent. Phishing messages are meant to trick users into providing sensitive information (such as username/password, credit card number, social security number) or clicking a link and downloading malicious software.
Viruses/Malware – This is the classic threat that hasn’t gone away. New viruses and malware come out daily with the goal of infecting your computer. Some log the keystrokes you type and send them to the attacker. Some search your computer for sensitive information such as saved passwords and financial files. Others are more of a nuisance.
This list just scratches the surface, but you get the point. There are a lot of threats out there, and they change over time.
Why Should You Care? So I’ve shown you threats, but what damage can they cause?
While phishing messages can be used in a variety of schemes, imagine this scenario: You receive an email that looks like it’s from your bank. It even has graphics similar to your bank’s. It says they need you to log in to verify your church’s address. You want to help, so you click the link in the message, enter your username/password on the page that opens, click Login, and nothing appears to happen. That page belonged to the attacker, who has now captured your credentials and could log in to your real online banking as you! This is disastrous, and it was caused simply by clicking the link in an email and entering your username/password. The attacker could drain your bank account if you don’t realize what happened and change your password (and, where the bank offers it, turn on 2-factor authentication)!
And this is just one scenario. I could come up with dozens more! The threats I mentioned above only scratch the surface. Many of them are used together for even more devastating consequences!
But, the good news is, there are defenses against these.
Tips to Protect Yourself
1) Make sure your computer and devices have the latest operating system updates installed. Security updates are generally released at least monthly, and most computers and phones can be configured to download and apply them automatically.
Note: Operating systems such as Windows XP and Windows 7 no longer receive security updates and are extremely vulnerable. Please move off of those if you are still running them!
2) Run an antivirus program with updated definitions. The antivirus built into Windows 10 and 11 (Microsoft Defender) is fine for this purpose as long as it is turned on and updating.
3) Keep applications and programs on your computer updated. From Microsoft Office to your web browser to your accounting software, vendors regularly release updates, and many of them fix security holes that attackers are actively using.
4) Use 2-factor authentication, especially for important sites such as online banking and email. 2-factor authentication adds another step to logging onto sites. The first step is generally a username/password. The second step can be an app on your phone that shows a six-digit code, or a code sent by text message. This is significant because if an attacker steals your password, they still can’t log in as you without that second factor. A text message code is far better than nothing, but an authenticator app is stronger, since text messages can be intercepted or redirected to an attacker’s phone. Many sites, ranging from email to shopping sites, offer 2-factor authentication. It is well worth taking advantage of!
5) Use strong passwords, and a different one for each site. Attackers routinely take passwords stolen from one site and try them on banking and email sites, so one reused password can unlock everything; a password manager makes keeping separate passwords practical. In addition, set a password, PIN, or the equivalent on the mobile devices you use. These are easily lost or stolen, and with no lock on them an attacker can pick one up and read your email and use your other apps.
6) Learn to spot phishing and scams, and don’t click suspicious links. Junk email filters can only protect you so far. Plus, phishing can be delivered via text message, phone call, social media, etc., and many of those applications have no filters at all. Sometimes the only way to avoid being a victim is to recognize the attempt and not fall for it. A simple habit helps: if a message asks you to log in, don’t use its link. Type the site’s address yourself, use a bookmark, or open its app.
7) Guard sensitive information online – Attackers target sensitive information such as your username/password, social security number, and credit card number. You wouldn’t just hand your credit card number over to a stranger on the street. Take the same precautions online! Identity theft can be very difficult to recover from, and once you provide this information to a malicious site, you can’t take it back. Before entering it, confirm you are on the site you intended by checking the address in your browser’s address bar.
8) Use a firewall – Firewalls are designed to keep unwanted connections out of your computer or network. Most operating systems and home/office routers come with a built-in firewall that just needs to be enabled.
9) Back up important files! – Backups are key! In the ransomware scenario I mentioned at the start, how would you recover if all of your computers were infected with ransomware and you had no backups? Also, what if your backups were on one of the computers or on a drive connected to it? They might be encrypted too. Therefore, keep at least one copy offline (on a drive that is unplugged between backups) or with a backup service that keeps older versions of your files, and periodically test that you can actually restore from it.
10) Don’t store sensitive information on your devices, but if you must, encrypt it with a strong password. The best way to make sure sensitive information isn’t compromised is to not have any, but if you have legitimate retention requirements and must store it, make sure it is encrypted with a strong password. The opposite would be an unencrypted Word or Excel file, which anyone who obtains the file can open and read immediately. Encryption adds an extra layer of protection. There are many programs that can do this, and you likely already have some on your computer capable of doing it, such as whole-disk encryption (BitLocker on Windows, FileVault on macOS) or the password protection built into Office.
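Tips 4 and 5 above describe what a site does when it checks your password and the code from your phone. The following Python is an added example written for this page, not a program the article recommends or code from any vendor: a toy login check that stores the password as a salted scrypt hash and verifies a time-based one-time code of the kind authenticator apps produce (TOTP, RFC 6238, built on HOTP, RFC 4226). The account, password, and secret are made up for illustration; the point is that a stolen password alone fails, a code can only be used once, and a little clock drift is tolerated.

```python
"""Added example (not from the original article): how a site's second-factor
check works. Passwords are stored as salted scrypt hashes; the second factor
is a TOTP code (RFC 6238). All users and secrets here are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

TOTP_STEP = 30    # seconds each code is valid for (RFC 6238 default)
TOTP_DIGITS = 6   # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; the salt makes identical passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, key


class Account:
    """Toy user record: scrypt password hash plus a TOTP secret.
    last_counter remembers the most recent code accepted so it cannot be replayed."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1

    def check_password(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_totp(self, code: str, now: int) -> bool:
        # Accept the current 30-second step and one step either side (clock drift),
        # but never a counter at or below the last one used (replay of a stolen code).
        counter = now // TOTP_STEP
        for c in (counter - 1, counter, counter + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False

    def login(self, password: str, code: str, now: Optional[int] = None) -> bool:
        """Both factors must pass; a stolen password on its own is not enough."""
        now = int(time.time()) if now is None else now
        return self.check_password(password) and self.check_totp(code, now)


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 test secret and a fixed timestamp.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", secret)
    now = 1111111109
    code = totp(secret, now)
    print("password only:", acct.login("correct horse battery staple", "000000", now))
    print("stolen password + real code:", acct.login("correct horse battery staple", code, now))
    print("same code replayed:", acct.login("correct horse battery staple", code, now))
```

The secret in the demo is the one published with the RFC 6238 test vectors, so the codes it produces at the fixed timestamps can be checked against the RFC; a real site would generate a random secret per user and show it to you as a QR code when you enroll your phone.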
In closing, the threats to IT infrastructure are very real, and as a church you probably don’t have a full-time IT staff. While I wish there were one defense that stopped all of this, there isn’t. The best way to defend is to layer security, and the tips I provided above should give you a solid foundation for securing your environment. As there are many different IT configurations, you should also consider having a qualified IT professional come in to assess your overall environment and make recommendations for security. That may be a small price to pay compared to the potential losses you’d face should you fall victim to an attack.