Almost every day, news headlines announce a data breach — the online theft of confidential information such as credit card and Social Security numbers from an organization. Retailers, including Home Depot and Target, have sustained millions of dollars in losses from cyberattacks. Financial institutions, government agencies, health care systems and colleges have all suffered similar crippling (and costly) intrusions.
While parishes may seem to be unlikely targets for hackers, Franz Fruehwald, chief information officer for the Archdiocese of Philadelphia, stresses the need for vigilance in cyberspace.
“The most important thing that you have is your parishioners and their data,” Fruehwald said. “People ask me, ‘What’s your most valuable asset? Is it this piece of equipment, or that piece?’ I say, ‘No, it’s our information and our data. That’s the most valuable thing we have.’”
Safeguarding parishioners’ data
To safeguard this asset, Fruehwald recommends that parishes shore up their cybersecurity defenses.
“For churches, cybersecurity is simply the practice of keeping your parish and parishioner data safe,” Fruehwald said.
“It’s about keeping personal data out of the hands of those who want to do ill by you,” said Lee Myers, chief technology officer for the archdiocese. “You want to keep your personal information, your intellectual property, any of that stuff free from those who either want to destroy it or use it for ill will.”
In fact, parishes can often be at significant risk for cyberattacks, due to varying levels of computer skills, equipment and financial resources.
“It runs the gamut,” Fruehwald said. “In some cases, the business manager is singlehandedly trying to handle the computer setup. Other parishes work on donated labor — someone in the parish steps forward and says, ‘Hey, I know something about IT.’ And then some parishes contract out their computer support.”
From the technology side, Myers pointed out that many parishes use donated equipment, and parish staff might not be able to keep up with installing the latest software security patches.
“Many times, these folks are trying to do something on the cheap,” Myers said, “and as equipment starts to age, you’re opening yourself up for trouble.”
Scams that prey on one’s goodness
Among the most persistent threats is ransomware, a malicious software that users can unwittingly download by clicking on a file attachment or web link. The software locks the infected computer’s files, and the user is instructed to pay a fee (usually in bitcoin, a digital currency) to regain access to the data.
“About nine months ago, one of our parish’s business managers called to tell me they’d been hit with cryptolocker,” said Fruehwald, referring to a type of ransomware that renders files unreadable by encrypting them.
Another danger is email spoofing, a tactic used by cybercriminals to mimic legitimate email addresses while requesting confidential information such as passwords and account numbers.
In spoofed emails, hackers often impersonate specific authority figures in an organization — for example, a financial officer or other top administrator — to pressure recipients into complying with their demands. This type of attack has duped victims into providing employee payroll information and even wire transfers to scammers.
Many of these threats rely on a security principle known as social engineering — that is, they succeed because of the victims’ innate willingness to satisfy requests for assistance.
“Hackers are playing on your ability to help, to not be the person who’s getting in the way,” said Myers. “So, whatever psychological advantage somebody thinks they can exploit, they’ll try it.”
Working in a service-oriented culture, parish staff can be particularly vulnerable to these scams.
“I recently had a pastor forward me an email a couple of months ago, a plea for financial assistance that was similar to standard scams, and the pastor said, ‘What do you think?’” Fruehwald said. “I told him, it’s a scam, it’s a fraud, don’t do it. But he is the type of person who says, ‘I want to help. What can I do to help?’ And I think most of our priests are going to be that way. Scammers recognize that’s who we are and what we do and what our mission is. You have to be on guard.”
Security in online giving
As part of their cybersecurity strategy, parishes should also exercise caution when setting up online giving options for their congregations.
“You need to offload that responsibility to somebody who makes it a priority to secure your information,” Myers said. “That’s a major level of trust in your organization, dealing with people’s money, and that’s something that you can’t break. That’s a game-ender right there.”
For that reason, most parishes opt for established online donation services, including those supplied by Our Sunday Visitor, J.S. Paluch Company and John Patrick Publishing. These solutions comply with standards set by the Payment Card Industry (PCI) Security Standards Council.
“With our system, as soon as you enter your information in your web browser, it’s tokenized,” said Patrick McGinley, vice president of John Patrick Publishing. “We send a token — your credit card number, converted into a string of alphanumeric characters — to our data center, which then authorizes the charge to your card. We don’t store data, so nobody on our site has access to your account information. The data is stored at a (third party) data center, which has security cameras, redundant backups, onsite personnel and biometric access controls.”
Cloud-based backups and other solutions
In addition to using PCI-compliant online giving solutions — and even without large technology budgets — parishes can take several basic steps to guard against cyberattacks.
“At a bare minimum, get an antivirus product,” said Myers. “That’s going to help protect you against a bunch of stuff. Have a firewall; make sure you turn that on. Turn off auto-run, so that if you put a USB drive in your computer, you’re not automatically launching what’s on the drive and giving hackers the opportunity to get in. At least scan it for viruses before you start clicking stuff on it.”
Parishes should also ensure their data is regularly backed up, and not simply on a portable device.
“Many parishes do backups, but it’s whatever they can put on an external drive,” said Fruehwald. “I know parishes where the business manager will pop a flash drive in their machine at the end of the day and call it a backup.”
Cloud-based, or online, software packages offer a more secure storage solution for parish data. Both ParishSOFT and Parish Data System, which are used throughout the archdiocese, are available in on-demand formats that include automated backup.
Parish staff and volunteers should also post with prudence to their social media accounts.
“Be careful what you post, that someone can’t come back and try to target you or social engineer you because of what you’ve put on that page,” Fruehwald said.
Since cyberthreats are constantly evolving, parish staff need to remain alert and to use common sense when working online.
“You’re only one click away from opening something you shouldn’t, and that’s just something you want to be vigilant of,” Myers said.
“Trust your instincts,” said Fruehwald. “If it doesn’t look right, if it doesn’t feel right, it probably isn’t. Think twice before you click anything.”