Cybersecurity for giving season
As charitable giving ramps up, churches and other nonprofits should assess and strengthen their security measures.
During the holidays, many Americans aren’t just thinking about the gifts they’ll wrap and share with their loved ones. They’re thinking about the gifts they’ll make in the form of donations.
Unfortunately, wherever people are giving, there are thieves ready to take.
In the first 10 months of 2019, 140 attacks on the public, state and local governments, and health care providers were reported, according to CNN. These threats are ever-present, and religious organizations may be vulnerable. Donors make nearly half (49%) of all church giving transactions with a credit card, creating increased cybersecurity risks for all involved.
Religious organizations and their members may not be thinking about the threats they face. In a recent study by Church Mutual, only 11% of today’s worshipers said that they fear a cybersecurity breach at their place of worship. It’s up to these organizations to take the lead and be proactive about protecting themselves, their employees and their members.
Now is the time for your clients to strengthen their cybersecurity for the giving season and beyond. As a starting point, the following are several key questions to ask in a conversation about security risks and practices.
What are your vulnerabilities?
Organizations need to be proactive about understanding cybersecurity and following best practices to protect their members as well as their own data and financial security.
To that end, Church Mutual has a data and cybersecurity self-assessment that serves as a tool to help identify current risks and offers insights on what to address.
Do you have a plan? What does your policy cover?
Preparation is key to prevention. Once organizations understand the potential issues and attacks they could face, they can create an effective data security and response plan. It’s advisable to consult with a security expert or engage a managed service provider to ensure that all bases are covered in the risk assessment and planning processes.
It’s also important that organizations review their insurance coverage through a cybersecurity lens. Once they understand what is covered — or not covered — in the event of a data breach, they can update their policy as needed.
Education is a crucial element of any data security plan. Everyone who uses an organization’s networks and systems — leaders, staff, members and donors — should know how to use them safely and securely.
An internet use and access policy is the best place to start, whether an organization needs to create one from scratch or simply review and update the existing policy. An annual update ensures that the policy meets the organization’s needs as it changes and grows, and reflects our evolving digital world. Even more importantly, the policy should be shared widely with staff and volunteers, with yearly training and regular updates on any recent revisions.
Are you safeguarding your networks and systems?
Protecting WiFi networks is vitally important, especially when organizations allow their members to use them. While specific steps may vary, here are a few they should consider.
- Avoid broadcasting the name of any protected networks publicly to minimize the number of external attempts to access them
- Segment networks to have a protected segment, which is only known to internal staff, and a guest segment for public use
- Require permission to access the protected network
- Ensure that any accounts making multiple unsuccessful attempts to log in are locked out
- Use firewalls and encryption to further restrict access to the network and the data on it
Permissions to access all systems, devices and data should be laid out clearly in the internet use and access policy. Staffers and volunteers should not all have the same level of access, and the most sensitive and critical data should be protected with stringent restrictions.
To avoid confusion and missteps, organizations should create authority levels for individual access. These authority levels should have clear criteria based on the individual’s role within the organization, their responsibilities and pertinent information obtained through background checks.
Are your people educated and equipped to do their part?
People can be fierce cybersecurity defenders, or they can be vulnerabilities. Organizations need to provide employees and volunteers with cybersecurity training when they start and as needed throughout the year.
Hopefully, people already have some of the cybersecurity skills they need to help protect the organization because they are taking similar precautions in their personal lives. For example, they need to create strong passwords and use multi-factor authentication. They also need to ensure all devices they use have active, updated anti-virus and malware detection software.
Other skills can be more difficult or may vary from one organization to another. Identifying potential threats such as phishing, ransomware and other malicious emails can be tricky, especially as the techniques used by bad actors get more sophisticated. And, the preferred methods of handling and protecting sensitive information may be different at a religious organization than at other workplaces or organizations.
That’s why it’s important to conduct regular training sessions for employees and volunteers. These sessions keep everyone in the loop and on the same page. They also create an opportunity for the organization to share its unique risks and challenges — and how to minimize them.
Cybersecurity is a complex topic that confuses and intimidates many people. And, our digital world changes so rapidly that it’s not easy to keep up. However, when religious organizations take preventive steps early and often, they can create a safe, secure environment for giving season and beyond.
Craig Huss is assistant vice president and chief information security officer at Church Mutual, the Wisconsin-based provider of insurance services for religious institutions and other compatible markets. For more information, send email to riskconsulting@churchmutual.com.