
Cybersecurity and Your Church


Cybersecurity & COVID19



Due to more church staff working from home, cyberattacks are on the rise. Tune into our webinar, Cybersecurity and Your Church, to hear cybersecurity expert, Dan Grahn, address the security issues involved in having staff work from home and the increased cyberattacks happening as a result of COVID-19.   


Tony Grahn: Hello. Thanks for joining our webinar. This is the COVID-19 church webinar series. My name is Tony Grahn. I am the owner of Capitol Insurance, based out of Indianapolis, Indiana. Since 1981, Capitol Insurance has had the privilege of insuring and providing safety resources for nearly 800 churches, schools, camps, and Christian schools and other faith-based nonprofits throughout Indiana, Ohio, and Michigan.

Today’s topic is on cybersecurity, but before I introduce to you our special guest, let me encourage those who did not attend our last webinar to go to our website, listen and forward it to all of your church staff, especially to your administrative pastors. That webinar took place on Thursday, March 19th, just eight days after the World Health Organization declared COVID-19 a global pandemic. I interviewed three executive pastors of three large churches in the Midwest who had all shared of their technologies and strategies and how they were already reaching out to their congregants and communities at large considering this pandemic outbreak.

Within days of the WHO announcement, everything started spiraling, from the NBA and other sporting venues canceling and postponing their season, to churches trying to decide whether they should meet that Sunday or not. Later that week, many governors from around the country made that decision much easier by mandating no public group assemblies of 250 people or more. Many of our large churches had already been doing live streaming for years, but for many others, they had not. This was a new technology for them. In addition to live streaming of services, most of our churches’ staff members are now working remotely. For years, our pastors and youth pastors have taken their laptops and other handheld devices into the public, meeting people at Starbucks and other WiFi hotspots.

But as this pandemic has taken place, so many people have been scrambling to work remotely from home that our IT church security staffs have been exhausted trying to not just get the staff out the door with the right equipment, but to also educate them on remote meeting tools such as Zoom and others. This has taken a great toll on them to the extent that cybersecurity has been pushed to the background somewhat. That sets up our platform for today’s cybersecurity webinar. Let me begin with a short prayer, and then we’ll jump right into things.

Father, thank you for this opportunity to share with others from around the country and church people who are concerned about the days ahead, but trying to do the best to make sure that their systems and infrastructure are secure. The last thing we want is Satan to get an advantage and take away our opportunities of ministry. I pray that there be some helpful insight here that each of the attendees can take back to their churches and to employ. I also ask that many of them would ask questions today and get some good answers and reach out to us for additional resources. But bless them as they seek wisdom and help as they, too, just like their pastors, have a very vital role in their church, their ministry. Bless them in their efforts and our time here today, as well as with our guest speaker that you’d give him clarity, wisdom, and be able to explain things in a good, logical way. Thank you. We pray in the name of Jesus. Amen.

One last announcement: please open the message feature in front of you there. I'd like you to feel free to type in any questions during our meeting. The more, the better. We'll answer as many of them as we can. This webinar is expected to last only 20 to 25 minutes, so please get your questions started right away.

Our cybersecurity expert is Dan Grahn. In case you didn’t notice that last name, the same as mine, Dan is my son. So it is with great joy today that I get to have Dan here as a special guest. As a cybersecurity expert, Dan joins us today from his home office in Dayton, Ohio. He has a master’s from the University of Southern California. And as a PhD student at Wright State University where he also serves as an adjunct professor, Dan works with many federal government agencies. His primary area of research is applying AI, artificial intelligence, to cyber attacks. His work is primarily from the offensive position.

Well, Dan, welcome to our COVID-19 church webinar series. But before you share your slide presentation, let me ask you, what led to your interest in artificial intelligence, which I guess the new term is now called machine learning?

Dan Grahn: Yes, so artificial intelligence has been around for about a hundred years, and machine learning, as a subcomponent of it, is simply about helping machines learn how to learn. So it's taking data that's in the real world and helping machines make sense of it in a way that even we as humans can't do. So I specifically apply that to offensive cybersecurity, and the way that that works is I'm essentially building machine learning systems that are able to discover vulnerabilities inside of computer systems.

In case all of you are not aware, there has been an uptick in cybercrime activity in the past several months since the start of the coronavirus pandemic. In particular we’ve seen phishing information go out purporting to be from the World Health Organization as well as from the federal government saying, “Hey, here is money that you can receive. We need this information in order for you to receive it.” As rudimentary as these techniques seem, they work. In fact, last year, cybercrime accounted for almost $2 trillion in losses around the world, which is a staggeringly large number but one that we’re probably familiar with given the recent bill that has passed.

Now we're seeing attacks rise for four primary reasons, on slide three. First, organizations are making a really hasty transition to remote work. So you have a lot of companies and churches, ministries that are used to working on-site, small offices, and suddenly they're working from home, and they might not have the infrastructure and tools set up to do that. Secondly, people are unfortunately in vulnerable emotional states. Whenever people have fear, whenever people have heightened emotions, they are vulnerable to being taken advantage of. In addition, not just for work but for our lives, our social lives, for our recreational lives, we're using online services more than ever. And finally, non-tech-savvy people are being forced to use technology, as we all have grandparents who suddenly understand what Zoom is. So those are the four primary reasons why attacks are on the rise.

Now, when we talk about cybersecurity, we generally cluster the attacks into the types of actors which are perpetrating them. So we have four different actors. We have script kiddies, which are people with low technical sophistication, mainly just playing around. Hacktivists, they typically have a political, social, religious, economic cause that they want to advocate for. You can think here of the hacking collective Anonymous. There's organized crime, which is essentially if the mafia or the mob transitioned into cybercrime, and they're just doing it for profit. And finally you have advanced persistent threats. Those are nation-state actors, or actors with billions of dollars in resources, just absolutely limitless funds. And while we have seen some advanced persistent threats, or APTs, begin making use of the coronavirus pandemic for their attacks, specifically one called Mythic Leopard, which is believed to operate out of Pakistan, the primary place where we're seeing a rise in cyber attacks is organized crime. So these are again groups that have lots of resources dedicated to getting money out of people via cyber attacks.

Now, in order to combat those attacks, there are three types of controls. There are physical controls, there are technical controls, and there are administrative controls. The physical controls are things that you do in your environment to keep you safe, to keep your property safe. The technical controls are the things that we might think of as more cybersecurity, the antivirus that we install, the technologies and services that we use to protect our electronic devices. And then finally, the administrative controls are the policies that we put in place to help make sure that people are following good practices.

Some examples of physical controls that we can implement while working from home: first, keep your work in your home. I know a lot of people probably aren't working at coffee shops today, so it's unlikely that our work interior will be in, say, a vehicle. But if you happen to be working from a shed, an outbuilding, go ahead and bring it in at night. It's a little bit safer than having it in an outbuilding. Put away your work at the end of every day. That's not just good for your mental health, it just keeps things out of the line of sight if someone is looking in the windows, and of course lock your doors. Although I don't expect home robberies to be on the rise in this time when most people are at home, it's always good practice to have proper physical controls even in your house.

Now we also have a host of administrative controls that you can apply, and really, I think these are some of the most effective that you can do right now. On slide eight, the first thing that you can do is send out to your employees your working-from-home policy, teleworking policy, whatever you call it. If you don't have one, you should get one right now, and that policy is going to go ahead and outline what your employees should and shouldn't do from home, what devices they can use, what sort of things they can store on their local machines, how they should connect to your church's resources. All of these different things should be in that policy. And even if everyone's already signed it, even if it's out on a shared drive, just get it into their inboxes, get it in front of them so that they can read it and be refreshed on what's in there.

Also, if you have a regular cybersecurity awareness training, go ahead and update it right now. Ask everybody to take it again even if they took it last month or two months ago, just so that’s fresh in their minds. And if you don’t have one, go ahead and search for cybersecurity awareness training just in whatever search engine you use. There’s a lot of free or low-cost options available, and that is something that can immediately improve your cybersecurity.

Finally, and this is, I would say, the most important thing: you need to establish the points of contact for your church, for your organization. So if someone has a problem while they're working from home and they need to gain access to some resource or have some troubleshooting question, they need to know who to contact, who is the IT person who's going to handle all of those. And at the same time, you want everyone to know who may be contacting them. So if there is a problem with their home device, with the way in which they're using a system, who is authorized to contact them to ask questions and how will they contact them? So basically whenever you have that communication about something like electronics, computer systems, confidential information, financial information, you want to make sure that you really know who you're talking to before you give out any information.

Tony Grahn: Excellent. Excellent. Dan, let me ask you a quick question. I'm sorry, let me jump in here first of all, and then we'll get back with a question. For those who have just joined, I see we've had some people join in since Dan started. We are talking with cybersecurity expert, Dan Grahn. Dan is a PhD student at Wright State University. His undergrad, has a master's from the University of Southern California in artificial intelligence. So he obviously is an expert in this area. But for those who just joined, please jump in on the chat feature and ask any questions. We'll try to get to as many of those as possible.

One individual has asked if we can make this available for the hearing impaired. I would encourage you to … Probably by tomorrow you should get an email with a copy of this webinar or a response from us. You'll have an email to respond to, and from that, feel free to reach out, and we'd be glad to send you a written transcript if possible. I think we'll be able to make that available and get that to you at that time. You can also reach us at hereforyou@capitolins.com. Go ahead Dan, I'll jump in, in a couple of minutes, with some questions for you.

Dan Grahn: Sure. So that’s kind of an overview of the physical and administrative controls that you can apply. Now the technical controls on slide nine, these are the ones that we more typically think of when we’re talking about cybersecurity. So hopefully you guys already have been in contact with your IT firm and working with them on how to set up secure work environments.

A couple of recommendations. First, a VPN, this is something that will allow you to prevent others from basically snooping on your connections. What it does is it encrypts all the communication between the devices that people are logged in at in their homes with your church network so that none of that communication across that connection can be seen. Also, turn on multi-factor authentication absolutely everywhere it’s possible because even if one account might not have very sensitive information, it might have information that could be useful to log in to another account. It might have information that’s non-public and could be leveraged in some way for another attack. Multi-factor authentication is where you get that text message that has a code or it pops up in an app. It’s a little bit annoying, but it’s really much, much more secure than any technology that we have. Finally … Go ahead?

Tony Grahn: No, that was a good point. I was going to ask you to describe or explain that. A lot of us have heard of that, but not everyone realizes how that functions, a special app or something that gives you a code that you can add in. So go ahead. I'm sorry.

Dan Grahn: Yeah. The most common example is if you are working with your bank frequently, they'll send you a text and make sure that you can actually confirm the code that the bank sends you. And if your bank isn't sending you those texts, go in and turn on multi-factor authentication.

Final technical control. Don't try to build your own solutions. Don't try to work around things. Use well-known, trusted solutions. Companies like Google, Microsoft, Zoom have been spending vast resources on cybersecurity, and as long as you're leveraging those tools appropriately, then the cybersecurity is really on them. There are caveats to that, but, you know, don't try to set up your own fileshare; ask your IT department to do that at the very least.

Now I know a lot of church organizations don't have devices that they're providing to everybody as they transition to working from home. And so they're basically asked to work with whatever devices they have at home, whether that's a laptop or a desktop computer. Now that's something called bring-your-own-device, BYOD, and it does come with some risks. So if you fall into this category of allowing people to bring their own device, send out some extra information to them, let them know things that they can do to secure those devices and further secure the information on them. This would be things like enabling disk encryption. This makes sure that someone who gets ahold of the physical hard drive can't read the contents of it. Mandate that they install antivirus software. It doesn't really matter which one it is, just get a common one that you say, "This is the one we're all going to use," and work with that.

And most importantly, run system updates. These are really important, especially now. There’s been times in the past like this August where a vulnerability was announced, I think it was a week after Microsoft had patched the vulnerability. So there was only a week or so’s time for people to get that fix in place, and all of a sudden people were updating Windows all over the world because of this new vulnerability. So those are kind of the bring-your-own-device caveats, and that sums up the controls that you can put in place as an organization.

Now I do want to kind of highlight three of the top attacks that we're seeing on the rise because of this coronavirus pandemic. The first is ransomware. This is where you're going to see either a hard drive being encrypted or some form of computer service or system having access denied by a hacker until you pay them. They are basically taking your system hostage and asking for a ransom, hence the name. Right now we're seeing hospitals being attacked with this at quite an alarming rate. Unfortunately, because hospitals need to have their computer systems up and running now more than ever, they are frequently paying these out, and this can be tens or hundreds of thousands of dollars.

Tony Grahn: Dan, let me jump in. On the ransomware, one of our church clients, I won’t mention names today, of course, but one of our church clients, last year, had a case where the pastoral staff and administrative staff came in, turned on their computers, all looked at each other pointing fingers asking, “Do you have what I have on my computer?” And it all had the same message and said, “Remit one Bitcoin, and we’ll release your file server.” I always thought of that as an extortion exposure. In insurance terms, we call it extortion coverage, but actually, I guess it’s ransomware. So what would be the difference between ransom and extortion in your terminology? Or [crosstalk 00:20:18]?

Dan Grahn: I would say that extortion is typically something like, you will do this or I will do something bad to you, so, pay me this protection money or I'm going to kneecap you. Whereas this ransom is more, I have something of yours and I will only give it back once this ransom is paid.

Tony Grahn: I got it. Thank you.

Dan Grahn: Yeah. Now the second attack, and I would say this is one of the most concerning, is social engineering. This has been on the rise even before the pandemic because our technical controls are getting better. In social engineering, you're going to see people leveraging social relationships in order to commit some form of cyber attack. So these are relationships such as reciprocity. You know, I do something for you, you do something for me. And appeal to authority. So someone says, "Hey, I'm the office manager and I need this information right now." These types of relationships, and they're going to try to get information out of you, get you to do something.

I know there was an example from Indianapolis. There was a church that had a courier walk in on a Sunday morning in a uniform and say, "I'm here for donations." They gave it to him and he walked out the door with something like $150,000. Now that's not a cyber attack, but it's an example of social engineering. On the more cyber side, you may see an email saying, "Hey, I'm from an IT firm. Can you give me a call or let me know who your office contact is? We have some free resources that we want to offer you," and they can start using these social relationships and the context of the pandemic, saying, "Hey, we have free resources for churches that are affected," in order to get a response from you. So right now people are particularly prone to look for resources, and this could be an opportunity for attackers.

Tony Grahn: Let me, excuse me Dan. I’m thinking some of our clients have had different types of cyber attacks, and clerics, we hear about that because of having insurance in place for many of them. And that is the social engineering seems to be a huge one of concern to them. And there’s hardly a church I’ve talked to, at least the medium to large-sized churches with the staff members to where they don’t, even smaller churches, pastors, and they’ll get these emails. One of our church clients, an email went around to all of their staff members, and it was a large church, so you can imagine how this went over, but they all got emails saying, “Hey, please …” And it was from their lead pastor, right? So the lead pastor asked, the hacker asked, “Please purchase a $300 gift card, and then send it to this link. We’re going to bless brother so-and-so,” or one of their missionaries. And fortunately only one person did it. But I assume that’s a, yeah, social engineering type claim and one that you had maybe described or thought through.

Dan Grahn: Yeah. That’s leveraging both social engineering and phishing. And there is some overlap in a lot of these categories. Unfortunately, churches are particularly vulnerable to this authority and preyed upon. Recommendations for your church to not be a victim of social engineering, make sure that people who are answering phones know not to give public information, who to direct [inaudible] requests to. So if you do have people, “Hey, I offer you free resources. I have questions, I have funds I want to donate.” Make sure you have one person who’s going to handle them and can filter maybe legitimate requests versus illegitimate.

In addition, if I could make a recommendation, I would say even to go so far as on a Sunday morning to say, "We will only ask for donations through this source," so that your congregation isn't susceptible to getting emails saying, "Hey, this is an email from [inaudible], donate at this link." Tell them to always go to the website to donate. You want to keep them safe as well.

And then the final attack is phishing, this is something we’re all familiar with. It’s the email that says, “Hey, click this link for free medicine, for safety resources for the coronavirus.” These are getting more and more targeted now that we have this common social emergency that we’re living under, so they can be as specific as, “You have been in contact with someone who has been infected with coronavirus. Download this form and take it to your health department.” And when you go to download that form, it actually installs [inaudible 00:25:34]. Very hard to discern what’s real and what’s fake.

When in doubt, err on the side of caution and really make sure that before you’re downloading anything onto your computer, before you’re clicking on links that you’re seeing, do these domains that they’re coming from look legitimate? Is it something like cdc.gov or the World Health Organization? And these are the actual links, not the email, or is it something more out there like coronavirusstatus-dot-[inaudible 00:26:07], or coronavirusmap.com, or coronavirus.app? Those three are examples of [inaudible] that have been shut down in the past couple days just because of these type of phishing attempts. I would say those are really the three main attacks. Go ahead.

Tony Grahn: Yeah, Dan. So tell me, and understand, people, I don’t work in this area, this field, I’m a property casualty specialist, not the cyber like Dan is, but what’s the difference between phishing and spear phishing?

Dan Grahn: Sure. So phishing is kind of casting out a net. It's going to go to lots and lots and lots of people, and you're just trying to catch anything that comes in. Spear phishing is where you're getting more targeted. You're going to an individual or to a group of individuals. What we all might be familiar with, an example of [inaudible] phishing, was the DNC hack before the 2016 election. That was the spear phishing of John Podesta. He reset his password in a malicious link and it led to months of everyone setting their hair on fire on the [crosstalk 00:27:18].

So these are very serious attacks that can have serious ramifications, and it's not just the information or the money that may be stolen from your church. It could be the information. So if attackers can get access to email lists, to records of communication, they can leverage this to actually get money out of people. They can say, "Hey, I know that this individual from the church has this particular need, because I can see it in the emails. So I'm going to pretend to be the pastor and I'm going to send out an email to the congregation saying, 'In our congregation with this particular need,'" and it's just a malicious donation.

Tony Grahn: Nice. Nice. Someone had just asked a question here, and if you just joined or join late, please jump in the chat feature here and post some questions. Someone just asked a question. I think you actually might’ve talked, actually I got two questions you might’ve already talked about, but let me go ahead and read the first one. What makes churches more or less vulnerable than other organizations?

Dan Grahn: I would say that churches are unfortunately more vulnerable than other organizations because there has been a bit of a lackadaisical approach to cybersecurity among churches. You might have people who say, "Hey, we just got a website a couple years ago. We don't collect donations online. We barely have to worry about cybersecurity." If someone is able to get access to your website, they can put a malicious donation link in there. If someone's able to get access to your email, they can send out those malicious attacks. There are so many different ways. So if you have any sort of electronic presence, if you are storing any information on a computer, this is something that you need to be worried about.

And so that lackadaisical approach that we’ve seen from a lot of churches combined with the fact that churches form around trust, we’re geared to trust the people in our local bodies and we want to. So we don’t often question whether what they’re saying is true, and it’s hard to say that you need to have policies in place to do things like verify that transfer should go through or to verify that an email should be sent out or that the email that you got from a pastor is legitimate. Unfortunately, it’s just the world that we’re living in where all these things do have to be verified, and there has to be not a level of distrust, but a level of verification that might not exist if you’re actually just talking face-to-face. Check the devices on your WiFi, make sure people are locking their screens when they’re left unattended. That’s just good practice everywhere. I can’t tell you how many screens I’ve walked by where I could have just stolen information just by typing in a few keystrokes.

Dan Grahn: And finally, encouraging the use of password managers if [inaudible] reuse passwords because [inaudible] remember passwords. So something like LastPass, Keepsafe, these are things that you want to be using to make sure that passwords are sufficiently complex and unique to each service.

Tony Grahn: Okay, great. Thank you so much. Great job. We have another question before we wrap up. Trying to keep within our time limit, and this comes from, I'll just mention a first name, it's Pastor Adam from a small church with just three employees. And he asks, should churches pay ransomware demands? If not, how should the insured handle a ransomware incident?

Dan Grahn: So I’d say call your IT people right away. Call insurance too. Hopefully, you have cybersecurity coverage, this is something that should really be just baseline in policies now. So if it’s not in your insurance, get it. I know our [inaudible] you’d really have time. I would say no, don’t pay the ransomware out of the box. You really have to consider that. Just like the US has a policy, we don’t negotiate with terrorists, we also have a policy, we don’t pay ransomware.

So local governments may do it. Local hospitals may, but you really have to consider whether you trust the individual. Will they actually release that information? You don't know. You could just be giving them money and still lose access, so call your IT, call your insurance, and then weigh the options.

Tony Grahn: Yes. Thank you. I have one last question here that’s come in. I’ll go ahead and give this to you Dan. Then we’ll go ahead and wrap this up. The question here comes from someone from a church, and he mentions, how can churches and business owners ensure that their employees are running system updates?

Dan Grahn: So if your devices are connected to a domain, if they’re on the same, under the control of your IT department, that’s something that they should be handling. If you’re asking them to use their own devices, that’s something that you’re really going to have to talk with the individual users about. There are some controls you may say like in order to use your own device you have to apply these certain policies and connect to our domain and give our IT control over your device, but that’s really something that you would want to go through your IT firm for.

Tony Grahn: Great, great. Well, that wraps up our time. Sorry for the technical difficulties today. As Dan mentioned, there are a lot of people on Zoom and all the other venues trying to take up internet space and time, so we had some connection issues there. But once again, Dan Grahn, cyber expert, is also available for a Q&A offline. If you want to reach out to Capitol, you go to our website, capitalins.com, or go to hereforyou@capitolins.com. You'll get a link to this webinar afterwards, or an email about this webinar later with a link to it, and you can use that email as well with information to reach out to us. We can get those questions to Dan and connect the two of you. But Dan, once again, thanks for your time and thanks for all you attendees. We appreciate it, and do go to capitolins.com, you'll find a lot of COVID-19 resources, the webinars we've done, blog articles and several things with the health organizations and CDC, et cetera, valuable resources.

Another thing right now, let me end with this quickly because your pastors and lead pastors of your churches are already on top of this, but there is a lot of discussion on the current and recent SBA loans, whether or not they apply to churches and other not-for-profits. There was a large webinar done yesterday with 2,000 people participating, and we have a link to that as well. We can forward you, I don't want to go on record making promises of things, but it looks like there is a possibility of that for those of you who have lost or fear you will lose business income as a result of this pandemic, the virus. Most insurance policies exclude loss of business income, extra expense for viruses. It's just too hard to underwrite for and to charge an inappropriate premium for. So for that reason, if the government steps in and helps, that might be a venue to help you. But as always, Capitol will always be there for you. Thanks again for attending guys. Have a good week.

Dan Grahn: And talk to your IT department.

Tony Grahn: There you go, thank you.