Churches not immune to cyber attacks

Sony Entertainment, Anthem and Home Depot have all been targets of cyber hackers who compromised the personal data of millions of customers. But in a digital world, cyber experts know it is not just the big companies that are at risk.

Nonprofits, small businesses and churches, in fact, may be more vulnerable because they are less likely to understand the threats they face and how to plan for their protection.
Photo illustration gloved hand stealing purse through screen

"Most people don't realize how easy it can be," says Jim Nitterauer, a member of Gulf Breeze UMC in the Alabama-West Florida Conference. He is senior systems administrator for AppRiver, a security solutions company headquartered in Gulf Breeze, near Pensacola. "It's something you continually have to put in front of people."

One of the most recent church-related attacks happened at First Presbyterian Church in Birmingham, Alabama. Hackers infected the church's computer system with CryptoLocker, a ransomware that locks files. The hackers demanded payment to release the files. In that case, church officials managed to solve the problem without paying up, according to media reports.

Statistics on cyber breaches at churches alone are hard to find, but U.S. Homeland Security Department data show about 5,500 reported cyber incidents in 2006. In 2012, the number of incidents had climbed to nearly 49,000.

Some businesses and state governments have reported much higher numbers.

For some churches, the issue comes down to a lack of money to hire a full-time information technology staff member. But there are resources.

Earlier this year, the nonprofit TechSoup announced a first-time partnership with Bitdefender to provide donated antivirus and security software to churches and religious organizations. It is one of several donation programs that TechSoup administers.

"Our mission is to serve other nonprofits," says Dan Webb, vice president of technology solutions and services at TechSoup.

The company also helps nonprofits, charities and libraries in need of donated or discounted security software.

"It's not used software. They get the licenses," Webb says. "The bottom line is that through the generosity of all our donor partners, I think, it's beautiful the way it works."

Companies that support donation programs through TechSoup include Microsoft, Adobe, Cisco, Intuit and Symantec. Since 2013, several companies have expanded eligibility rules for their donation programs. TechSoup officials say more than $37 million in technology products and services were donated to churches and religious nonprofits last year.

Nitterauer says it takes a multilayered approach and constant vigilance to lock out hackers and to get rid of them when their viruses and malicious software slip through.

"The largest churches, the ones with the biggest budgets, more likely they are going to be targets," Nitterauer says.

Learning a church's bank password, for instance, could be a key to opening checking accounts that contain thousands of dollars in church donations, as well as credit card information. "They know it could be a cash cow for sure."

But no church should think it is safe. Money and credit card data aren't always what hackers are after, Nitterauer says.

For instance, personal emails between a pastor and church member can be hacked, potentially revealing confidential or sensitive information that can harm reputations.

Vulnerable points are spam emails that when clicked open infect the computer.

A lot of churches are installing WiFi, which Nitterauer says can open a door to hackers who can "piggyback" on the wireless connection and install malicious codes or breach a computer's protective firewall to dig out personal information. Or church staff members may let in a virus when they use the church computer to check personal email.

Hackers send unsolicited emails, known as phishing, in hope that the recipient will open them. Google searches also can lead inadvertently to infected websites that may have seemingly innocent names but are phony sites intended to harm the searcher's computer.

Often churches are using computers that are 10 or 15 years old and no longer receive automatic software updates. Microsoft's Windows XP version is an example. But updates can be critical, Nitterauer says.

"People should be doing that on a regular basis," he says.

One of the biggest mistakes is failing to set policy on what an employee can and cannot do on the computer while at work, Nitterauer says.

"(Pastors) are busy doing other things," he says. "They don't put a priority on protecting information."

The antivirus programs that come prepackaged with some computers provide only limited protection. Nitterauer says many businesses are hiring cyber security experts who do "penetration screening" to test the existing firewalls and protections.

When vulnerabilities are found, then extra security measures can be taken.

Cyber attacks aren't always done remotely. Sometimes people, perhaps in the guise of a repairman, visit an office or church.

Nitterauer says they count on employees not questioning them and then proceed to install malware or hidden cameras.

"People just naturally want to trust anybody,” he says. “They have to be more prudent in thinking through the process."

In a rapidly evolving cyber world, education and awareness are essential if churches want to secure sensitive data.

"My guess is they don't have any choice but to get savvy," Nitterauer says. "But I don't know if they are."

Nitterauer recommends for newsletters about various cyber security issues. For tips specifically for churches, click here.

-- Kathy Steele is a freelance writer based in Tampa.

Contact Us

The Florida Conference of The United Methodist Church

450 Martin Luther King, Jr. Avenue
Lakeland, FL 33815

(863) 688-5563 or toll free (800) 282-8011