Parish cybersecurity at risk, but there's hope, say experts

PHILADELPHIA (OSV News) — Cybersecurity at Catholic parishes is less robust than it could be, but several free and low-cost resources — along with a healthy dose of common sense — can bolster technology defenses, experts told OSV News.

“When it comes to cybersecurity, there are both the technology and the human dimensions of the challenge — both of which are in need of improvement at a typical parish,” said Matthew Warner, founder of the Flocknote church communications platform.

In fact, said Warner, parishes “often don’t really even know the risks they are already taking.”

Churches and other nonprofits, like most organizations, are susceptible to cyberattacks, particularly the business email compromise (BEC), described by the FBI as “one of the most financially damaging online crimes.”

In the BEC, scammers pose as legitimate persons, such as a pastor or a parish vendor, and send emails requesting the recipient to perform a financial transaction — typically, purchasing gift cards or arranging wire transfers — while rerouting the funds to their accounts.

The FBI’s Internet Crime Complaint Center received BEC loss claims totaling more than $2.4 billion in 2021. The BEC threat has recently expanded to include text messages, according to research by cybersecurity firm Agari (now part of Fortra).

Other kinds of cyberattacks, such as phishing, trick victims into divulging sensitive information (passwords, credit card numbers and other account credentials) or downloading malicious code onto a device. Scammers rely on “spoofing” to make minute changes to the email addresses, sender names, phone numbers and website addresses they use to deceive victims.

Such schemes succeed primarily by exploiting basic human reactions, said Erich Kron, a security awareness advocate for the cybersecurity awareness training firm KnowBe4.

“One of the key things I try to help people understand is that these attacks — whether through text, voicemail, phone call or email — always rely on emotions,” Kron told OSV News. “(Scammers) want to get people in an emotional state where they miss things that should otherwise be obvious. There is a psychology behind this stuff that makes these tactics really, really effective.”

That tactic, known as social engineering, “knows no boundaries,” said Theresa Payton, CEO and chief adviser of the cybersecurity firm Fortalice.

Cyber criminals “conduct campaigns that hit all age groups,” said Payton, a cybersecurity author and speaker who under President George W. Bush was the White House’s first female chief information officer.

Those working in faith-based and service entities can be particularly susceptible, since “they’re good people with good hearts, who really want to help out,” said Koch. “Attackers know and take advantage of that.”

Lack of full-time IT staff also leaves parishes vulnerable, as does the patchwork approach to devices and software most parishes tend to rely on, said Warner.

“Unfortunately, it’s common to find every ministry at a parish each using their own separate, one-off tools to operate,” he said. “Not only is the pastor often unaware of all the various tools each ministry leader may be using — from Excel spreadsheets on their own private computers, to Venmo or other individual payment apps, to various social media accounts, personal and official, to event registration tools, in addition to whatever software the diocese or parish may require.”

As a result, many parishes end up “not in compliance” with safe environment, security and diocesan policies, Warner said.

Even the protocols themselves can unintentionally hinder parishes, he added.

“The policies have been put in place for various reasons, but they have not at the same time empowered parishes to be able to comply with them, without severely restricting the important work of the parish,” Warner said. “So it leaves ministry leaders stuck finding unofficial workarounds just to do their jobs effectively, but that also may be opening up the parish and diocese to additional risk.”

Yet amid such hurdles, parishes need not despair of cybersecurity protection, said experts.

“For starters, think about tapping into the local resources you have at your FBI field office,” said Payton. “The FBI will actually offer free cybersecurity briefings to teach your parish staff and volunteers.”

The Federal Trade Commission provides guidance through its OnGuard Online initiative, and free training also is available through Curricula.com, she said.

“Keep your systems patched as much as possible, and don’t reuse passwords,” said Koch, who also recommended implementing multifactor authentication, which requires several credentials to access an account.

Warner urged parishes to “use up to date modern software tools,” particularly cloud-based solutions, which are “far more likely to be secure from modern cybersecurity threats.”

User adoption is key, Warner added.

“Make sure whatever software you use is really great at solving practical ministry problems first, and that ministry leaders love using them. Otherwise, it won’t matter what other security threats it addresses, because it won’t actually get used in real life anyway,” he said. “Teach your leaders and volunteers some basic cybersecurity practices.”

When scammers pressure, rely on your instincts, said Koch.

“Take a deep breath and step back,” he said. “Look at the situation critically, and ask yourself, ‘Does this really make sense?'”