Cyber security
27 September 2019
Methodist Insurance
Risk management
What are cyber risks and what can your church do to protect itself?
Today we live in a digital society. From email to social media, smartphones to wearable tech, we interact with the digital world on a daily basis to carry out day-to-day activities.
The explosion in technology and internet use has also seen a significant rise in those looking to exploit the technology for financial gain, or to cause damage and interruption to systems and services.
The National Crime Agency (NCA) recently reported that cyber-crime continues to increase in scale and complexity, affecting essential services, businesses and private individuals alike. It costs the UK billions of pounds, causes untold damage, and threatens national security¹. At Methodist Insurance we want to alleviate your concerns about cyber-security and help protect both yourself and your church against an attack.
What are cyber risks?
Cyber-criminals are highly organised and are finding a myriad of new and more sophisticated techniques to access data and information for the purpose of financial gain and to commit fraud. Some of the most common methods include:
- Ransomware – where an attempt is made to extort money from you by preventing access to your computer system or files until a ransom is paid. Most ransomware is delivered via malicious emails
- Phishing – the fraudulent practice of sending emails purporting to be from reputable organisations in order to induce individuals to reveal personal information, such as passwords and financial information
- Spear Phishing – the practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information
- Smishing – this works like phishing and is carried out using text messaging
- Vishing – this again works like phishing and is carried out using voice technology, i.e. phone or voicemail.
A cyber-security breach could damage your church in many other ways, ranging from disruption and data loss, damage through loss of intellectual property, denial of access to websites and services, physical loss or damage through viruses and reputational impact through damaged brand image.
What can your church do to protect itself?
Some churches may feel vulnerable to cyber threats, as they have little knowledge around the correct and safe procedures to protect their finances. There are a number of measures you can take to prevent a cyber-attack, and implementing the right security measures can significantly reduce the risk of a successful attack on your church.
- Educate/train staff – all staff should be wary of unsolicited emails, particularly those that ask for a prompt response. Educate your staff on what types of information are sensitive or confidential and highlight their responsibilities in protecting it. A large proportion of computer viruses attempt to gain access via email through malicious attachments and links. Make sure employees know what to look for and only open attachments and links from trusted sources. Think about creating an internet policy to provide guidance and share it with new volunteers when they join.
- Malware protection – make sure you use appropriate firewall, anti-virus and anti-spyware software and keep virus/spyware definitions up-to-date. This allows the software to recognise and protect against the latest threats to your network.
- Safeguard data – ensure appropriate access controls are in place to protect and secure data. Use encryption to protect sensitive or confidential information stored on portable devices. Reduce your exposure by cutting back on the volume of data you collect and store only what is necessary.
- Password protection – ensure your mobiles, laptops and computers have strong passwords and try to change them on a regular basis. Apply a combination of upper and lower case letters, numbers or symbols and never share your passwords.
- Destroy before disposal – don’t just delete files or reformat hard drives, as data can still be restored. Instead, use software designed to permanently wipe the hard drive or storage device. Ensure you do this for all equipment, not just computers; did you know many photocopiers scan documents and store a copy on the device’s hard drive?
- Update procedures – make sure that your procedures comply with any applicable laws or legislation. Also, make sure that they align with any applicable industry-required standards such as those that may be required by the Payment Card Industry (PCI) Data Security Standard.
- Avoid phishing attacks – restrict staff user rights and provide training to help make your staff aware of obvious signs of phishing.