FRANKLIN — After hearing news that cyber criminals recently stole almost $800,000 from a church in North Carolina, many congregations are asking themselves an important question: Are we at risk, too?
And the answer, in most cases, is “yes.”
“Churches are a very attractive target for hackers,” said Doug Finch, technology services manager for the Tennessee Baptist Mission Board. “Most churches do not have an IT department and typically have weak security and/or non-existent policies in place to protect the network.”
Finch and his team take a multi-faceted approach to cyber security at the TBMB, and it is his hope that churches in Tennessee — and around the nation — will soon begin to implement similar protection policies and procedures.
“The reality of the situation is that these cyber scams are a big business,” said Finch. “And cyber criminals are no different from regular criminals in that they look for the easiest targets.”
Joe Lovell, chief financial officer for the Tennessee Baptist Mission Board, said he has dealt with cyber criminals on numerous occasions through the years, and has one main rule that he prioritizes above all others.
Lovell
“When dealing with large sums of money, I am a firm believer in waiting until you have ‘voice verification’ before any money changes hands,” said Lovell. “Reaching someone on the phone, and getting confirmation that they did indeed send the e-mail (with the payment request) is vital.”
Finch and Lovell each said that being on “high alert” is one of the most important things that a church can do. And even though cyber security can be expensive and involved, it can save the church from headaches and heartaches in the long run, they said.
The church in North Carolina — Elkin Valley Baptist Church — was victimized by a fraudulent e-mail, which ultimately resulted in the church being robbed of about $793,000 that had been earmarked for a new worship center.
Church officials reported the case to the local police, along with the State Bureau of Investigation and the FBI. The church also hired a cyber analyst to investigate how the breach occurred, along with an attorney who specializes in cyber crimes.
In their situation, like so many others, the cyber criminals had done their homework. They sent an e-mail to the church — which included an invoice — that appeared to come from Landmark Construction, the company that the church is using for the building project. The church submitted a payment, but found out about a week later that Landmark Construction never received the money.
Johnny Blevins, who has served as Elkin Valley’s senior pastor since 1996, told Baptist Press: “You just don’t think (this type thing) can happen to you.”
Unfortunately, Finch said, it can happen to almost anyone.
Recent research has revealed that 70 percent of non-profit organizations have not carried out any vulnerability assessments on their IT infrastructure, Finch said, and that indicates that a large number of churches would fall in the “high risk” category.
Finch
Finch said there are many safeguards that the TBMB uses, and that churches can also use, to help prevent being victimized by cyber criminals.
He said the process starts with the “endpoints” — the user’s computer — and focuses on the following areas:
• Endpoint patch management. “We make sure that every single computer is kept as up-to-date as possible, at all times. Patches are updates for the software running on the computer,” said Finch.
• Endpoint security software. “We utilize a strong antivirus platform that has a detection and response component. This type of security will trigger when it encounters a cyber incident — like ransomware. It isolates the endpoint and then notifies IT of the infraction,” he said.
• Persistent cyber monitoring. “We monitor each network in real-time. We also monitor each endpoint in real-time. When a zero-day vulnerability is discovered, we are notified immediately that we have vulnerable units that require patching,” said Finch.
• Firewalls. “On the network side, we utilize strong stateful, redundant, firewalls at each network location point. These firewalls are updated constantly, and we utilize policies to block certain countries that are known regions for cyber terrorism,” he said.
• Cyber awareness training. “Probably the most powerful tool we have deployed is our cyber awareness training that we do weekly,” said Finch. “Each employee is required to complete this weekly training.”
Finch noted that the TBMB “surrounds itself with multiple layers of security technology” to help protect against attacks. However, he realizes that not every church has the resources or funds to employ this type of security. In those cases, Finch suggests the following:
• Endpoints are updated frequently. At least monthly is a baseline. Automatic updating is the best method.
• Antivirus is a bare minimum. This is an area that churches do not want to look for the cheapest software.
• Changing admin passwords. Make sure you change any default admin passwords to something unique. Default passwords are easy targets for cyber criminals.
• Muli-factor Authentication. If possible, enable “Muli-factor Authentication” on all email accounts at a minimum.
Recent research has revealed many troubling trends, the most telling of which might be this: Cyber attacks occur every 39 seconds. Making matters worse, cyber criminals and online scammers are becoming better at their “jobs” than ever before.
“The thing you have to remember is that the cyber criminals of today are not the same people popularized by Hollywood,” said Finch. “This is a business — and a very lucrative one at that. This is likely not a single hacker trying to break into your system; rather an entire business of hackers either backed by organized crime or state-sponsored organizations. For them, learning your organization is no different than a business doing market research on a competitor.”
Church leaders at Elkin Valley informed the congregation of their situation during a special called meeting shortly after the crime took place. “It’s kind of like a grief situation,” Blevins said. “You go through the shock, the sadness and the anger, and we’ve been through all of that. But as people of faith, we’ll trust God through this and keep moving.”
Elkin Valley’s new sanctuary was originally scheduled to be completed in time to hold services this May. Blevins said the church plans to move forward with construction on a revised timeline as funds permit. He said he anticipates construction to resume in February.
As news of the incident has slowly spread beyond the church and into the community, Blevins said individuals reached out wanting to help.
The church has established a GoFundMe page for those interested in making a contribution to help replace the stolen funds, and has raised several thousand dollars. Officials with the Baptist State Convention of North Carolina said they planned to make a $10,000 donation directly to the church.
“It’s so sad to see somebody do (a crime like) this, but I still think God will prevail through it and see the church built somehow,” Blevins said. B&R Editor’s note: This story includes reporting by Baptist Press. The full story from BP can be read HERE.
