After hearing news that cyber criminals recently stole nearly $800,000 from a church in North Carolina, many congregations are asking themselves an important question: Are we at risk too?
And the answer, in most cases, is “yes.”
“Churches are a very attractive target for hackers,” said Doug Finch, technology services manager for the Tennessee Baptist Mission Board. “Most churches do not have an IT department and typically have weak security and/or non-existent policies in place to protect the network.”
Finch and his team take a multi-faceted approach to cyber security at TBMB, and it is his hope that churches around the nation will soon begin to implement similar protection policies and procedures.
“The reality of the situation is that these cyber scams are a big business,” Finch explained. “And cyber criminals are no different from regular criminals in that they look for the easiest targets.”
Joe Lovell, TBMB chief financial officer, said he has dealt with cyber criminals on numerous occasions through the years, and has one main rule: “When dealing with large sums of money, I am a firm believer in waiting until you have ‘voice verification’ before any money changes hands. Reaching someone on the phone and getting confirmation that they did indeed send the email (with the payment request) is vital.”
Finch and Lovell both said being on “high alert” is one of the most important things a church can do. And though cyber security can be expensive and involved, it can save the church from headaches and heartaches in the long run, they agreed.
The church in North Carolina — Elkin Valley Baptist — was victimized by a fraudulent email, which ultimately resulted in the church being robbed of some $793,000 earmarked for a new worship center.
Church officials reported the case to local police, along with the State Bureau of Investigation and the FBI. The church also hired a cyber analyst to investigate how the breach occurred, along with an attorney who specializes in cyber crimes.
In their situation, like so many others, the criminals had done their homework. They sent an email to the church — which included an invoice — that appeared to come from Landmark Construction, the company the church is using for the building project. The church submitted payment, but discovered about a week later that Landmark never received the money.
Johnny Blevins, who has served as Elkin Valley’s senior pastor since 1996, said, “You just don’t think (this) can happen to you.”
Unfortunately, it can happen to almost anyone, Finch lamented.
Recent research revealed 70% of non-profit organizations have not carried out any vulnerability assessments on their IT infrastructure, he noted, which indicates a large number of churches would fall in the “high risk” category.
Finch said TBMB uses many safeguards — which churches can also use — to help prevent being victimized by cyber criminals.
The process starts with the “endpoints,” Finch said — the user’s computer — and focuses on the following:
Endpoint patch management. “We make sure that every single computer is kept as up-to-date as possible, at all times. Patches are updates for the software running on the computer.”
Endpoint security software. “We utilize a strong antivirus platform that has a detection and response component. This type of security will trigger when it encounters a cyber incident — like ransomware. It isolates the endpoint and then notifies IT of the infraction.”
Persistent cyber monitoring. “We monitor each network in real-time. We also monitor each endpoint in real-time. When a zero-day vulnerability is discovered, we are notified immediately that we have vulnerable units that require patching.”
Firewalls. “On the network side we utilize strong, stateful, redundant, firewalls at each network location point. These firewalls are updated constantly, and we utilize policies to block certain countries that are known regions for cyber terrorism.”
Cyber awareness training. “Probably the most powerful tool we have deployed is our [weekly] cyber awareness training. Each employee is required to complete this weekly training.”
Finch noted TBMB “surrounds itself with multiple layers of security technology” to help protect against attacks. However, he realizes not every church has the resources or funds to employ this type of security. In those cases, Finch suggested the following:
Endpoints are updated frequently. At least monthly is a baseline. Automatic updating is the best method.
Antivirus is a bare minimum. This is an area churches do not want to look for the cheapest software.
Changing admin passwords. Make sure you change any default admin passwords to something unique. Default passwords are easy targets for cyber criminals.
Muli-factor Authentication. If possible enable “Multi-factor Authentication,” at a minimum, on all email accounts.
‘This is a business’
Recent research revealed many troubling trends, the most telling of which might be that cyber attacks occur every 39 seconds. Making matters worse, cyber criminals and online scammers are becoming better at their “jobs” than ever before.
“The thing you have to remember is that the cyber criminals of today are not the same people popularized by Hollywood,” Finch noted. “This is a business — and a very lucrative one at that. This is likely not a single hacker trying to break into your system; rather an entire business of hackers either backed by organized crime or state-sponsored organizations.
“For them, learning your organization is no different than a business doing market research on a competitor.”
Church leaders at Elkin Valley informed the congregation of their situation during a special called meeting shortly after the crime took place.
“It’s kind of like a grief situation,” Blevins acknowledged. “You go through the shock, the sadness and the anger, and we’ve been through all of that. But as people of faith, we’ll trust God through this and keep moving.”
Elkin Valley’s new sanctuary was originally scheduled to be completed in time to hold services in May. Blevins said they plan to move forward with construction on a revised timeline as funds permit, adding he anticipated construction to resume in February.
As news of the incident spread beyond the church into the community people reached out wanting to help, Blevins said.
The church established a GoFundMe page for those interested in making a contribution to help replace the stolen funds, and has raised several thousand dollars. Officials with the Baptist State Convention of North Carolina said they planned to make a $10,000 donation directly to the church.
“It’s so sad to see somebody do (a crime like) this, but I still think God will prevail through it and see the church built somehow,” Blevins said.