by Joe Bollig
KANSAS CITY, Kan. — It was a routine request, but something about it wasn’t quite right.
A few years ago, a request was sent by email to the person who does payroll for St. Michael the Archangel School in Leawood. The sender, claiming to be the principal, asked that their direct deposit account be changed.
But the principal didn’t make the request. A criminal sent the email.
“If it weren’t for our staff member being very familiar with our principal and seeing something was not right about the way the question was asked, that change would have been made,” said Rob Lisch, parish manager for St. Michael the Archangel Parish.
It’s called cybercrime — attempts to defraud, steal information, extort money, invade privacy, cause chaos and commit damage by using information technology.
Cybercrime is skyrocketing as Americans become ever more dependent on technology, according to the U.S. government’s Cybersecurity & Infrastructure Security Agency.
Here are the sobering statistics:
• One in three homes with computers are infected with malicious software.
• Sixty-five percent of Americans who went online received at least one online scam offer.
• Forty-seven percent of American adults had their personal information exposed by cybercriminals.
• Approximately 600,000 Facebook accounts are hacked daily.
• The number one cybercrime is the impostor scam, with one in five people reporting a financial loss.
One of the most common avenues for cybercrime is email “phishing,” a general and widely sent message seeking to scam whoever answers or thoughtlessly clicks on a dubious link, or “spear phishing,” which targets specific individuals, said Joel Ekis, an internet technology volunteer at St. Michael the Archangel Parish.
But any form of social media and means of electronic information can be used for cybercrime.
One example is a text message scam that has targeted several archdiocesan parishes over the past few years. Warnings about the scam regularly appear in parish bulletins.
One texting scam went something like this:
“Hi, [Name], I need a favor from you. Text me back as soon as you get my message. – Pastor [Name]. I need to get some gift/cards today for some women battling cancer in the hospital but I can’t do that at the moment because of my busy schedule. Can you possibly get it from any store around you now? Would have called you but currently having an important meeting.”
“This happened many times at St. Michael the Archangel and continues to do so,” said Lisch. “We had someone fall for that, and others almost did. Our priests would never email someone asking for help. If we need help, we’ll call you.”
Homebrew won’t do
It’s not unusual for a parish, school and lots of other entities to utilize in-house technology support, often from volunteers.
Joel Ekis, a consulting systems engineer for a national information technology provider, has been volunteering to do this for St. Michael the Archangel Parish since 1999.
“I do a lot of the architectural support [for the parish’s overall computing system],” he said. “I do all the design, implement the firewalls and the firewalls.”
Volunteers like Ekis can be helpful, but they aren’t enough.
“You absolutely cannot do it on your own,” said Ekis.
That’s why in June this year, St. Michael signed a contract with Erickson Solutions Group, a managed service provider in Overland Park, for internet technology support and cybersecurity.
“At Erickson Solutions Group, we act as the outsourced internet technology department for St. Michael’s and other Catholic parishes,” said Jeff Erickson, CEO of Erickson Solutions Group.
“That includes being their help desk for frontline support; being their on-site help for system deploys and rapid response; being their network management for monitoring of alerts, tripwires, backups and the cloud; and being their virtual CIO for planning on all things cyber.”
The key to good cybersecurity can be summed up in one word: layers.
No single brand of product or family of products can guarantee cybersecurity.
“It’s all about layers, because any particular solution can be breached, and any particular tool or software can have a vulnerability,” said Erickson.
“You want to have layer, upon layer, upon layer to make it much more difficult for the hackers to trick you or traverse your network or get your data. These layers can be software, hardware or best practices.”
“Smart” layers include technology, good policies and people who have been trained to follow them, he said. And because threats are constantly evolving, regular reviews are a must.
Sometimes, parishes don’t see themselves as having anything of value that a hacker might want, and consequently don’t invest the money to protect their data, said Erickson. This is a serious — and expensive — error.
“From financial information and parish membership to student and parent contacts, to simply being able to encrypt all the data and hold it for ransom, hackers see parishes as a business to target,” said Erickson.
“Also, hackers love to get access to a 365 or Google environment which appears trusted to many so they can launch attacks on others. The consequence of lackluster security and IT strategy can be a huge loss of trust, financial loss, disruption of classes and even larger costs to catch back up on security once they fall behind.”
The weakest link
Where’s the weakest link in a parish’s cybersecurity?
“The vulnerabilities usually lie with the human,” said Lisch. “If humans are aware and have proper training, it eliminates opportunities for computer systems to be vulnerable.”
One example is carelessness with passwords.
“You have classic, no-brainer type of issues as in: ‘Let’s not have passwords on Post-it notes stuck to the pegboard or front of the monitor,’” said Nathan Maxwell, a solution architect for Communication Concepts based in Leavenworth. “That’s not rocket science but it’s still a thing.”
Email compromise is a big thing right now. Parishes, schools and businesses of all kinds interact with all kinds of vendors, which presents cybercriminals with many rich opportunities to fool people into paying fake bills or redirecting payments.
“Criminals are willing to settle for smaller paydays,” said Maxwell, who provides IT consulting to the Archdiocese of Kansas City in Kansas. “Just because you’re a smaller organization doesn’t mean your bank accounts are safe.”
Maxwell offered these suggestions.
First, stop reusing passwords and be careful about password and predictable email patterns.
Second, use multifactor authentication for logins. This is an authentication method that requires two or more verification factors to gain access. In addition to a password, the user might be required to enter a code sent to their email, answer a question or scan a fingerprint.
Third, use the policy of “least privilege.” This means limiting access to specific people. Don’t give administrative access to everyone. Have named accounts.
Fourth, have clean “offboarding” for departing or terminated staff. Make sure they don’t have access after they leave.
Fifth, keep your systems updated.
Lisch and Erickson said emails should be read carefully. Is the phrasing strange? Are the titles wrong? Is the request unusual? Is the sender unfamiliar? Is there something off about the sender’s email address? Are you certain the links are safe?
If there are any doubts, don’t just hit “return,” but use an “out of band communication method.” That means an alternate way of follow-up, like making a phone call, and not with the phone number in the email.
“Smart security involves staying alert, watching for suspect links and files, using strong passwords, using up-to-date antivirus software, backups and patches, and raising the alert when you suspect trouble,” said Erickson.
Small parish security
Smaller parishes face greater challenges when it comes to cybersecurity.
They often lack full-time professional staff and depend on part-time staff that may not have cybersecurity training. They have small to nonexistent budgets for cybersecurity and pastors who are too busy running the parish to devote much time to security.
“The smaller parishes must, for financial reasons, prioritize,” said Erickson. “That prioritization can lead to gaps, often due to a lack of knowledge on the risks of leaving a particular area unprotected.”
Father Michael Guastello has taken basic precautions at his three parishes. Additionally, his parishes have limited technology use.
“Each of the computers in our office and my laptop all have antivirus and antimalware software,” said Father Guastello, pastor of St. Joseph Parish in Wathena, St. Charles Parish in Troy and St. Benedict Parish in Bendena.
“We also have a firewall in our internet. We have Wi-Fi at St. Joseph’s, but you need a password to use it. We don’t allow guests to use the password, only staff. We don’t have enough traffic to use [Wi-Fi] like a larger parish.”
Two of his parishes do not have internet connectivity. His parish assistants work from their homes.
He scrutinizes emails and calls companies to check invoices about which he has questions.
“We recently brought a woman on staff who’s pretty internet savvy,” he said. “She’s done internet and tech support for the local library branch. She’s looking over our technology and recommended updating our phone system. She’s a parishioner, and we’re really lucky to have her.”
Small parishes can begin by asking the experts.
“Having discussions with managed service providers like us is a great way to obtain some free advice,” said Erickson. “Also, [I’d recommend] approaching this as a journey where you add a couple of layers, then a couple more, and so on. It’s a good way to get started.”