IT Girl
Phillip Martin Illustration. Used by Permission under Creative Commons License.
Maybe the computer guardian in your congregation is the pastor. Maybe it’s the church secretary, the stalwart of every congregation. Or maybe your United Methodist congregation is large enough to have someone on staff whose sole job is to keep up with the church’s computers, including their security.
Whether the guardian is a pastor, a church administrator, a tech-savvy teen or an outside firm, church computers are now as vulnerable to cyberattacks as every other computer on the planet. The May attack of the “WannaCry” ransomware held hostage dozens of nonprofit organizations, including the British national health care system. During the week of June 26, a virus similar to “WannaCry,” known as “Petya” and “NotPetya,” crippled computers at multinational firms, banks in Ukraine, and the biggest oil company in Russia.
Since the “WannaCry” attack in May, United Methodist Insight has been researching the vulnerability of church computers through inquiries with United Methodist agencies, professional church administrators, a tech vendor to non-profits and an academic expert. In each case, the warning was the same: No congregation can afford to be complacent about computer security, even small-membership churches with part-time staff. Any computer can be compromised, putting millions of pieces of sensitive data at risk.
The picture isn’t entirely gloomy, but church cybersecurity will take some work. Let’s start with the effects of “WannaCry.”
Two agencies, Wespath Benefits and Investments and the General Council on Finance and Administration, handle most of the financially sensitive information for the global United Methodist denomination. Neither agency reported being harmed by “WannaCry.”
Wespath, which handles millions in pension funds for United Methodist clergy and lay workers, offered a detailed response to Insight’s inquiry. Eileen M. Kane, Managing Director of Information and Project Services for Wespath, reassured thousands of United Methodist clients that their information is secure.
Pension and benefits data are safe
“Wespath has not been impacted by the widespread WannaCry ransomware that impacted many across the globe,” Ms. Kane said in a formal statement. “To our knowledge, Wespath’s vendor partners have not been affected by WannaCry.
“Security of our systems, customer accounts, and personal data, and overall services is of the utmost importance to Wespath. We are continually evaluating and implementing additional controls in this time of seemingly never-ending cybersecurity threats. But the challenge is constantly growing and changing. More sophisticated cyber-attacks and ransomware are likely to continue. We must continue to strengthen our defenses and work as partners with others in the denomination to protect the critical systems and data that support the services we are entrusted to carry out.”
Wespath provided guidelines for annual conferences and congregations on how to increase their security against increasing cyberattacks (see accompanying list).
At the local church level, Insight invited members of the Professional Administrators of the United Methodist Connection (PAUMCS) to participate in an online straw poll of computer safety practices (see accompanying article). Two sets of statistics stood out:
- Church computers are protected by passwords, but the passwords are rarely changed, contrary to cybersecurity recommendations.
- Most churches rely on someone other than staff or volunteers – often a local vendor or professional service – to install and maintain their computers.
While most survey respondents said they hadn’t been victimized by malicious software, known as “malware,” those who had been attacked described expensive and frustrating efforts to recover. One respondent said the church tried to have the malware removed professionally, but ended up buying all new equipment when the virus proved too stubborn to eradicate.
Elissa Redmiles, a Ph.D. student in computer science at the University of Maryland, wrote shortly after the WannaCry virus erupted that the single greatest vulnerability for any computer is users’ failure to update software regularly.
Flaw was fixed, but few updated
“The security flaw that allowed the [WannaCry] attack to occur was fixed by Microsoft in March,” Ms. Redmiles wrote on The Conversation. “But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the U.S. National Security Agency.
“Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it.”
Experts are divided over whether an organization should pay ransom if infected with "ransomware." On one hand, an organization may pay to have its computers unlocked, only for the hackers to take the money and leave the computers so encrypted that even "Star Trek's" android Mr. Data couldn't get into them. For a church, the loss of revenue from paying a ransom without getting its computers back could be catastrophic. On the other hand, some cybersecurity experts insist that infected organizations should never pay ransom to hackers, preferring instead to rid computers of ransomware with counter-programming.
Cybersecurity suggestions
So what’s a church to do to protect the financial and personal data collected on its members? In addition to the guidelines from Wespath (see accompanying illustration), here are suggestions compiled from Elissa Redmiles and from Jim Lynch of Tech Soup, a computer hardware and software buying collective for non-profits.
- Update software regularly. “Updating is a pain,” acknowledged Ms. Redmiles in her article. She wrote that updating interrupts workflow, can interfere with the operation of existing software and often requires restarting the computer. Plus, software companies don’t always stress how important a security update can be, which is what happened with WannaCry. To offset these drawbacks, experts emphasize making a regular appointment to update software.
- Back up “mission critical” data and systems. Mr. Lynch advocates backing up software and data files to another hard drive or to “the cloud,” AKA data collection sites on the Internet such as Box, Tech Soup, and others. Fortunately, offline storage media like additional hard drives have come down so much in cost they can almost be bought from the church’s petty cash fund. Again, the key is to build time into the workweek to make the backup, and to be scrupulous about it.
- Change passwords regularly. At a minimum, experts recommend changing passwords once a quarter, or even once a month if the computer is heavily used for Internet access. Cyberattacks usually come via the Internet, but churches are also vulnerable to real-world dangers from thieves, vandals, embezzlers and such. (Churches are, after all, hospitals for sinners).
- Install security software and keep it updated. There are many programs available to help protect church computers against cyberattacks. Some may be pricey, depending on how many computers a church has, but it’s worth the investment to keep data from being held hostage or church members’ financial information from being hijacked.
- Practice “safe email.” Most cyberattacks come via email attachments. Be wary of all unexpected email, especially if the offer targets some specific need of the church, which hackers can identify by using "bots," or automated programs, to search websites for certain words. Never open an email from an unknown address.
- Enable the “see file extensions” option on PCs. Extensions tell whether a file contains “executable” programming. Watch out for files with extensions such as EXE (Execute), VBS (Visual Basic, a programming language) and SCR (Script, another programming language). These are the most dangerous types of files because they can install themselves if opened by an unwary user. “To be able to see file extensions, enable them in Windows Settings. I like the Laptop.com directions on how to do this in Windows 10,” writes Mr. Lynch.
- Have an emergency plan in case of cyberattack. Don’t make the church secretary carry all the burden of defending against malware. Create a "rapid response team" of tech-savvy church members and give it the authority to do what needs to be done to get rid of malware (subject of course to financial constraints). Once malware is detected, turn off the computer and disconnect it from the Internet and the church’s internal network to limit the virus’ spread.
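To make the file-extension suggestion above concrete, here is an added example (not part of the original article or of any tool it mentions) that checks a list of file names for the three extensions the article names and shows what each name looks like while extensions are hidden. The sample names, the DECOY list and the function names are assumptions made for the illustration.

```python
# Added example (not from the article): flag risky attachment names.
RISKY = {".exe", ".vbs", ".scr"}   # the three extensions the article names
# Assumed list of familiar document types a risky file may pose as.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Constructed sample names, e.g. from a downloads folder listing.
SAMPLE = [
    "Bulletin-July.pdf",
    "Donation_Receipt.pdf.exe",
    "setup.EXE ",
    "choir photos.jpg.scr.",
    "macro.vbs",
    "minutes.docx",
]

def split_ext(name):
    """Return (stem, lowercase extension); extension is "" when there is none."""
    clean = name.rstrip(". ")  # Win32 file APIs drop trailing dots and spaces
    stem, dot, ext = clean.rpartition(".")
    if not dot or not stem:
        return clean, ""
    return stem, "." + ext.lower()

def hidden_view(name):
    """Approximate the name shown while extensions are hidden (assumption:
    the final extension is a registered type, so Explorer drops it)."""
    return split_ext(name)[0]

def classify(name):
    stem, ext = split_ext(name)
    if ext not in RISKY:
        return "ok"
    # A document-style extension in front of the real one marks a disguise.
    return "disguised" if split_ext(stem)[1] in DECOY else "executable"

def triage(names):
    """Return (real name, name seen with extensions hidden, verdict) for risky files."""
    return [(n, hidden_view(n), classify(n)) for n in names if classify(n) != "ok"]

if __name__ == "__main__":
    for real, shown, verdict in triage(SAMPLE):
        print(f"{verdict:10}  shown as {shown!r:28} real name {real!r}")
```

With extensions hidden, "Donation_Receipt.pdf.exe" appears as "Donation_Receipt.pdf", which is why turning the option on matters.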
It’s a sad fact of life these days, but cyber security is now as much an issue for churches as it is for any big corporation or government. United Methodist agencies and annual conferences are on the alert, but local congregations have a way to go to protect their computers. Jim Lynch of Tech Soup writes that “new WannaCry ransomware variants [such as the June 26 “Petya” version] are expected to appear going forward for some time. And new malware of other types will also come calling to attack our IT systems. This will be the case no matter how small our offices are.”
Cynthia B. Astle serves as Editor of United Methodist Insight, which she founded in 2011.