Discover three forms of cyber attack that pose a threat of loss to churches.

Read common sense tips to lower your church’s risk of loss due to cyber attack.

Churches may seem to be an unlikely target of cyber attack, but the reality is you never know who or what is lurking in the cyber world. As our blog post last week highlights, nobody is immune from cyber attacks. Like any other business or institution, churches must fortify their electronic defenses to deter bad actors operating in the cyber world. While cyber crime won’t be eradicated, your church can immediately bulk up its defenses with common sense measures.

Consider the following three forms of cyber attack. By no means are they all-inclusive. The first two are examples. The third one actually occurred.

1. Data breach

The source may be external or internal. Most data breaches are the result of stolen or weak credentials. An external example might be a hacker who attempts to guess employee usernames and passwords using software tools. Simple, short, and reused passwords are ripe targets for an external data breach. Once a hacker gains access to your church’s email, bank accounts, and accounting records, the personal information of any subject within those records and accounts is exposed. For example, the account numbers of any members or visitors who made contributions via credit card and/or electronic payment would likely be compromised in a data breach.

Loss Control Tips:
  • Require that employee passwords be 16 characters or more in length, with a mix of symbols and uppercase and lowercase letters.
  • Do not allow the use of obvious usernames and passwords, such as those using the church’s or employee’s name or initials, Bible passages, religious terms, etc.
  • Require the use of different passwords for different applications.
  • Random, lengthy usernames and passwords are more difficult to crack.
  • Purchase comprehensive cyber insurance.
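
The password tips above can be enforced automatically when a staff password is set. The following check is an added example, not part of the original post; the function name, the deny-list of religious terms, and the sample church and employee names used with it are assumptions constructed for illustration.

```python
import re
import string

MIN_LENGTH = 16
# Constructed sample deny-list (assumption); extend it with terms your staff would pick.
RELIGIOUS_TERMS = {"jesus", "christ", "church", "faith", "gospel", "psalm", "amen", "john316"}

def _normalize(text):
    """Lowercase and drop punctuation/spaces so "St. Mark's" matches "stmarks"."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def check_password(password, church_name, employee_name, other_passwords=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    flat = _normalize(password)
    # Obvious terms: the church's name, each part of the employee's name, religious words.
    obvious = {_normalize(church_name)} | {_normalize(p) for p in employee_name.split()}
    obvious |= RELIGIOUS_TERMS
    # Terms under 4 characters (including initials) are skipped to avoid false positives.
    for term in sorted(t for t in obvious if len(t) >= 4):
        if term in flat:
            problems.append(f"contains obvious term '{term}'")
    # Bible passage pattern such as "John3:16" or "Psalm 23:1".
    if re.search(r"[A-Za-z]+\s*\d{1,3}:\d{1,3}", password):
        problems.append("looks like a Bible passage")
    # Each application must have its own password.
    if password in other_passwords:
        problems.append("reused from another application")
    return problems
```

Passing the employee's passwords for other applications as `other_passwords` covers the tip on using different passwords for different applications.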

An internal example might be a malicious or disillusioned employee who has access to sensitive data.

Loss Control Tips:
  • Conduct background information checks on all employees.
  • Limit data access to only those who need access to perform their job duties.
  • Change access codes whenever any employee leaves the employ of the church; no one who is not authorized to use church accounts should have access to them, now or later.
  • Purchase comprehensive cyber insurance.

2. Ransomware

Be aware that some hackers encrypt all of an entity’s files and demand a ransom to unlock them. Frequent targets are places with money whose ongoing operations would suffer without access to their files. On the surface, larger churches that are financially healthy in day-to-day operations may be more at risk than churches in decline. However, a number of older churches that are declining operationally have sizeable endowments and/or memorial funds. While any church may choose to refuse to pay a ransom, the possibility that your church could be disrupted by a ransom attack cannot be dismissed.

Loss Control Tips:
  • Enact tips in 1. above.
  • Install a firewall on your computer system.
  • Update software patches as soon as your provider makes them available.

3. Business email compromise (BEC)

In 2019, hackers gained access to email communications between a Cleveland-area church and its contractors engaged for a major renovation. The hackers impersonated employees of the large contractor and sent an email to the church with updated instructions for making future payments related to the renovation project. Someone unwittingly followed those instructions, which resulted in the transfer of more than $1,000,000 to accounts controlled by hackers. When the large contractor noticed that installment payments were not being received as usual, it contacted the church, and an investigation ensued.

Loss Control Tips:
  • Enact tips in 1. and 2. above.
  • All entities, including churches, should have a protocol in place requiring authentic verification (either telephone call or face-to-face with known subject) of any changes in payment methods or accounts for any vendor, regardless of size.
  • Never transmit or provide information or money to anyone or anywhere without first authenticating the source making the request.

Richey-Barrett Insurance is your Trusted Choice Independent Insurance Agent for church insurance. Our resources include access to recommended church loss control measures, inclusive of cyber loss control.
