A PC(USA) Stewardship Kaleidoscope workshop offers security tips for online financial transactions

Getting your church prepared to fight cybercrime

by Jonathan Haupt for the Presbyterian Foundation | Special to Presbyterian News Service

A Stewardship Kaleidoscope webinar focused on cybersecurity. (Stock image)

Globally, cybercrime costs its victims more than $1.5 trillion annually — and churches are among the institutions being targeted.

Robert Hawkey, director of IT Strategy and Transformation for the Board of Pensions of the Presbyterian Church, presented on cybersecurity considerations for churches during the Stewardship Kaleidoscope conference held Sept. 26-28 in Savannah, Georgia.

The presentation offered both contextualizing explanations of the range of threats to church membership data collected through stewardship and pragmatic recommendations to mitigating and addressing these threats.

Assessing the risk

In stewardship activities, congregants are entrusting their personal and financial data to their church as well as to any vendor processing data on behalf of that church. These transmissions and the data collected and stored in conjunction with them can be vulnerable to cybercrimes. Such data ranges from personal identifying information to citizenship status; ethnic, religious, or sexual orientation; health and wellness information; and financial data.

As online transactions have increased dramatically during the Covid pandemic, so have the opportunities for this data to be collected — and also to be compromised.

Hawkey stated that the responsibility to protect this data belongs to the church, and thus churches need to systematize communications with memberships about what data is collected, how it is secured or restricted, and the rights of users to opt out.

While cybercrimes can attack vulnerable hardware or software, Hawkey emphasized that “bad actors” (cybercriminals) are even more likely to target the weakest link of data security: people. In congregations in which membership and staff are older and possibly less tech-savvy, the risk becomes even higher that someone will be misled into divulging key data or leaving vital information accessible.

The second half of Hawkey’s presentation focused on offering concise recommendations for churches to consider when developing and implementing their cybersecurity plan. Throughout, Hawkey recommended working with security and insurance professionals to develop such programs, particularly when these efforts seem to be otherwise beyond the expertise of church leadership.

On providing WiFi

• Set up separate networks. Limit access to the network you manage finances on and protect it with a complex password. Have a separate private network for laypeople if needed. Have another network for your congregation to access.
• Use different passwords for each network. Public networks are a risk for any device that is linked to it. Do not have a network without a password, even the network set up for your congregation. Do not use default passwords or SSID (Service Set Identifier).
• Keep firmware up to date. This will help to minimize risk of a security vulnerability for those using network.
• Use WPA2 (Wireless Protected Access 2) Encryption on Wifi networks.
• Set up a web filtering capability, which will help block adware, spam, viruses, and spyware on network.

On collecting data

• Establish a privacy policy. Disclose the types of information you will collect from users and why. Describe the methods of collection and how users can limit the data they share, opt-out, or remove data.
• Establish a security statement. Articulate what you are doing to protect your congregant’s sensitive data and other information during transactions. This is a statement of commitment, not a specific list of technologies in use.
• Consider requiring the user’s consent to store their data and consider capturing preferences from them on how they wish to be communicated with.

On physical building security

• Keep doors and windows locked.
• Keep sensitive hardcopy records locked away. This can include filing cabinets with locks, safes and other secure facilities.
• Minimize access privileges to areas with sensitive information.
• Locking cables for assets that remain within the building.
• Do not write down passwords or sensitive data and leave out in open space.
• Do not leave devices out in plain sight. This includes in cars and in areas that people can access.
• For secure areas, educate about tailgating and piggybacking tactics to gain access.

On technology security

• Keep software, browsers, and operating systems up to date with security patches.
• Set-up a time-out for logins on sensitive applications.
• Have unique accounts and passcodes for every employee.
• Encrypt devices.
• Ensure websites are secure (HTTPS).
• Ensure there is Next Gen Anti-Virus on devices running church business.
• Leverage a VPN (Virtual Private Network).
• Leverage a firewall and/or web filtering.
• Have cloud-based data-back-ups.
• Use multi-factor authentication to church assets (at least two-factor)
• Work with a security advisor to evaluate your practices and vulnerabilities.

Hawkey concluded with a summation of key areas of focus for churches: “While there are a lot of threats out in the world, there are definitive actions that every organization, large or small, can take to protect themselves,” Hawkey said. “Assume it is not an ‘if’ but a ‘when’ that you will be a victim of a cyberattack.”

Take preventative measures to protect your congregants, your church, and yourself:

• Have cybersecurity insurance
• Have a response plan
• Train staff
• Find a security and insurance advisor.

Jonathan Haupt is the executive director of the nonprofit Pat Conroy Literary Center in Beaufort, South Carolina, the former director of the University of South Carolina Press, and coeditor of “Our Prince of Scribes: Writers Remember Pat Conroy,” winner of 17 book awards. Send comments on this article to robyn.sekula@presbyterianfoundation.org.