CHURCH ONLINE - STAYING SAFE ONLINE
Strategies to protect your Church and your People
The COVID-19 pandemic has forced churches, ministries and businesses worldwide to adapt very quickly and develop new and creative ways of continuing their work.
Restrictions on large gatherings have seen churches close their doors and open up their ministry to a broader audience by moving to online platforms. Services are being streamed on Facebook Live, YouTube and podcasts.
Youth Groups and Life Groups are turning to platforms such as Zoom, WhatsApp, Microsoft Teams, Webex, Messenger and FaceTime to stay in touch.
Church staff and employees of a wide range of ministries are navigating work-from-home arrangements in an effort to keep staff employed and the wheels in motion.
With all these amazing technology innovations enabling us to maintain a small degree of “business as usual”, it is important to remember they do come with many risks.
Let us explore some of the potential risks and provide you with tips on how to protect your ministry and your people.
Working From Home
As churches and businesses alike have transitioned to working from home, many for the first time, a significant number of cyber risks have increased. Whilst the number of cyber criminals who are active online may not necessarily have increased, their activity certainly has. More and more targeted cyber crime is being detected. Cyber criminals are focusing their efforts on COVID-19 themed scams with significant success due to our natural desire for information on the issue.
Google alone has been blocking more than 100,000,000 phishing emails every day through its Gmail platforms, many of which are Coronavirus related, with hackers feeding on people’s curiosity, interest or fear about the outbreak and tricking them into downloading malicious content.
Almost as soon as the Australian Government launched its COVIDSafe App, hackers and scammers peppered phones and email accounts with fake MyGov messages purporting to have information about your COVID-19 test results, stimulus payment information or even simple videos on the restrictions and how to protect yourself from Coronavirus.
As such, we need to ensure that our volunteers and staff who may be working from home are aware of the potential risks and how they can minimise their risk of falling victim to a cyber criminal.
Beware of scams
Most targeted attacks will be by way of what is known as a phishing email.
A phishing email is a fraudulent attempt to obtain sensitive information such as usernames, passwords or financial information by disguising itself as a trustworthy entity in an electronic communication.
Most phishing emails have some or all of the following characteristics:
- An unfamiliar email address
- A generic salutation
- Spelling or grammar mistakes
- An implied sense of urgency for the recipient to respond
- Hidden links
- A request for you to provide sensitive information
Phishing emails of this nature are a simple ploy to get you to click before you think. In many instances, clicking on the link in an email such as this can result in information such as your username and password being accessed and sold on the dark web in less than 24 hours. This type of information is regularly sold for anywhere between $400 and $2000 on the dark web to hackers, who will then delve even further into your personal information, enabling them to steal identities or access financial information.
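Added example (not part of the original article): a small Python sketch that checks an HTML email for four of the characteristics listed above, namely a generic salutation, urgency wording, a request for sensitive information, and hidden links where the visible text shows one domain but the link goes to another. The word lists, function names and sample message are assumptions made for illustration, and example.org and example.net are placeholder domains; an unfamiliar sender and spelling mistakes are left out because they need context a short script does not have.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative patterns (assumptions for this example, not from the article).
TEXT_SIGNS = {
    "generic salutation": re.compile(r"^\s*dear (customer|user|member|sir|madam)\b", re.I | re.M),
    "urgency": re.compile(r"\b(urgent|immediately|act now|suspended)\b", re.I),
    "asks for sensitive information": re.compile(r"\b(password|pin|bank details|credit card)\b", re.I),
}
URLISH = re.compile(r"^(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hidden_links(html):
    """Links whose visible text shows one domain while the href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown = URLISH.match(text)
        real = re.sub(r"^www\.", "", (urlparse(href).hostname or "").lower())
        shown = shown.group(1).lower() if shown else ""
        if shown and real and real != shown and not real.endswith("." + shown):
            found.append((text, href))
    return found

def phishing_indicators(html):
    """Return which of the listed warning signs this message shows."""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip, enough for a demo
    flags = [name for name, rx in TEXT_SIGNS.items() if rx.search(text)]
    return flags + (["hidden link"] if hidden_links(html) else [])

SAMPLE = ('<p>Dear customer,</p><p>Act now: confirm your password at '  # constructed
          '<a href="http://login.example.net/verify">www.example.org</a></p>')
```

A link whose visible text is not itself a web address ("Click here") is not flagged by this check, so hovering over the link to see where it really goes is still worthwhile.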
Other popular scams include the CEO email. This is an email that will appear to come from a senior manager or member of your team, again requesting some sort of urgent action – usually the transfer of funds to a prescribed bank account.
Tips to avoid becoming a victim
- Be skeptical of all email and SMS messages
- Be suspicious of attachments and links in emails
- Ask – “How else can I verify this?”
- Make a phone call directly to the business or sender of the email
- Google the website and log in directly
The Australian Government Scamwatch Website is run by the Australian Competition and Consumer Commission (ACCC) and is an excellent source of information about new and emerging cyber scams. You can subscribe to their news and alerts to keep informed of potential threats.
Passphrases
In recent times there has been a push to encourage people to move away from passwords in favour of passphrases.
Statistics show that passwords are often weak and highly predictable.
It has been found that converting your passwords to passphrases significantly reduces the ability of a hacker to guess your passwords and access your information.
A passphrase is a short sentence of 8-16 characters used instead of a password. Make it long and make it whacky! These types of passphrases can be significantly more secure than a complex password.
The following table taken from https://www.cyber.gov.au highlights the difference a passphrase can make over a simple password.
You may wish to consider a Password Manager App which acts as an encrypted vault that allows you to create and track strong passwords or phrases.
General Cyber Security Tips for Working from Home
The following additional tips for working securely from home are recommended by the Australian Cyber Security Centre:
- Use a secure VPN (Virtual Private Network). This allows you to create a secure connection to another network over the internet (for example your office server). VPNs can be used to shield your browsing activity from prying eyes on public or untrustworthy wi-fi hotspots.
- Use a trusted wi-fi service. Always avoid free public wi-fi systems. If it is so easy to log in, imagine how easy it is for hackers to gain access to your personal information whilst you are online.
- Make sure your equipment is secure. Don’t leave laptops or devices in vehicles or other public places. Loss or theft of devices containing sensitive information is one of the highest sources of data breaches.
- Avoid portable storage devices such as USBs and flash drives. They are small, and therefore easy to lose. Again, this information in the wrong hands can be the source of a significant data breach.
- Use multifactor authentication when making financial transactions. This may be a combination of a PIN or secret question teamed with a secondary source of authentication, such as a dongle provided by your bank which provides a unique code for a new transaction, or perhaps an SMS message with a PIN that must be entered.
- Keep software and operating systems up to date. Employ the demote, delete, update and automate process:
  - Demote your account from administrator status (97% of malware can be prevented by not running as an Administrator on Windows). Only allow key personnel to have administrator status. Reduce all other users to standard user status – this will help reduce the risk of malicious apps like spyware or malware being able to infect your computers.
  - Delete unnecessary software (software like Java and Flash can expose your computer to unnecessary risk; if you can do without them, remove unused apps).
  - Update software (ensure you are always running the most recent version of your software; programs are regularly being patched to address security vulnerabilities).
  - Automate software updates – set and forget – most software supports auto updating.
Train your employees
Well trained employees can be one of the most effective lines of defence when it comes to protecting your systems.
You can create a positive cyber security culture by training your staff and volunteers how to:
- Recognise potential cyber threats
- Take steps to avoid downloading malicious content
- Report suspicious behaviour, and know who to notify
Online Meeting/Conference Platforms
Almost overnight, the use of multiuser meeting/conference platforms such as Zoom, Teams, Skype for Business and Webex has skyrocketed. They are all fantastic tools and have enabled us to remain connected in a socially distanced environment.
Church boards or charities can continue to hold their regular meetings and AGMs.
Worship and ministry teams can still come together to practice, plan and prepare.
Youth groups and life groups can continue to meet.
However, not all platforms have been created equal and you should carefully consider the security protocols built into each platform.
You may be familiar with radio and television personality Hamish Blake’s “Zoom For One More” prank. People were encouraged to send in their Zoom conference login links, enabling him to “zoom bomb” their meeting. Whilst this was purely for comedic purposes, it raised concern when Hamish accessed an Australian Defence Force meeting, highlighting the risk of copycats being able to exploit security flaws in environments where particularly sensitive information may be discussed.
Hackers have also been able to access meetings and upload pornographic content or hit groups with barrages of racist hate speech.
Some churches have been using these applications to enable youth life groups to meet – therefore matters of child safety must also be considered.
Tips to protect your online meetings
- Research the applications carefully and use a platform with strong security features
- Only allow access to your meeting by invitation. Provide a unique link and ensure that the administrator of the meeting can approve or deny access to third parties who are not on the invite list. Some platforms enable a host to “lock” a meeting once all participants are in attendance.
- Create a new link for each new meeting. Avoid participants having to key in link details – one incorrect keystroke could result in them being directed to someone else’s meeting “room”.
- Ensure meeting hosts can remove participants from meeting rooms if required.
Other Social Media Considerations
As the reliance on social media has increased, it is important to ensure that your church or ministry has reviewed and updated its Social Media Policy to adapt to the changes in our society.
Following are some helpful links provided by OurCommunity.com.au and Moores Solicitors:
https://communitydirectors.com.au/policies/social-media-policy?mc_cid=9af19cc3a2&mc_eid=04cdbfb1f1
Now is also a perfect time to ensure that your Child Safety Policies have been reviewed and updated.
Youth and video streaming services
As more youth groups utilise Zoom, Messenger or something similar to remain in contact during COVID-19 restrictions it is important that risk management processes are put in place to protect leaders and young people alike.
Following are some guidelines when using video streaming services:
- Planning – ensure the message you are conveying is clear and not likely to be misconstrued by those participating.
- Participants – all participants should be directed to your church or youth group’s official conferencing account.
- Scheduled times – video conferences should only be conducted during the prescribed time.
- Establish clear guidelines – parents and participants should be made aware in advance of the requirement to maintain respectful language, an appropriate dress code and respect for other household members’ privacy during the meeting. Where possible, participants should be in a public area of the home (avoid private bedrooms).
- Senior leadership – should be made aware of what meetings are being run online.
- Two person rule – two adult leaders should be present during any online activity.
- Leaders – as would apply in a normal youth group arrangement, leaders should never host a group entirely of the opposite gender.
- Private messages – leaders should not engage in any private conversations or messaging with young people. For older youth, these may be appropriate but should always be recorded, and never deleted.
- Prayer points or sensitive information – encourage personal information such as this to be sent in a more public forum, perhaps by way of a group chat which includes two leaders.
- No one-on-one video conferences or chatting.
- Report inappropriate behaviour – ensure that leaders, parents and participants know who to speak to about inappropriate behaviour or content.
The eSafety Commissioner has several helpful resources for parents and leaders on protecting young people online.
https://www.esafety.gov.au/key-issues/how-to/social-media-online-chat
There is no doubt that this time of disruption to our normal experience of church will ultimately allow many churches and ministries to reflect on how they may choose to utilise technology to leverage their mission going forward. This period is the perfect time to review our online presence and how we can use these tools to our benefit, while at the same time taking positive steps to ensure that our ministries and our people are protected from the many negative aspects that come with the use of this type of technology.
If this article has raised any questions for you, or you would like to speak to one of our team about how ACS Financial can assist you further with risk management advice or insurance and protection products to protect your church or ministry, please contact us on 1800 646 777.
DISCLAIMER: The information on this website reflects some of the commercial aspects and potential risks/obligations for your Church, School or Organisation. The information is given as a guide only and does not represent a definitive list or legal view in any way, shape or form. You are advised to seek your own professional advice on all your individual needs. ACS Financial Pty Ltd (ACN 062 448 122) (AFSL 247388).