The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Department of Homeland Security, the FBI, and others, offers the guide “Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society,” which is useful to parishes concerned about cybersecurity. The guide contains these basic best practices:

  1. Keep software updated on user devices and IT infrastructure, since updates correct known flaws that bad actors could otherwise use to gain access to systems.
  2. Implement phishing-resistant multi-factor authentication (MFA), which makes it more difficult for actors to compromise user accounts.
  3. Audit accounts and disable unused and unnecessary accounts.
  4. Disable user accounts and access to organizational resources for departing staff.
  5. Apply the Principle of Least Privilege by auditing accounts with extensive or high-impact permissions (admin access) and removing any unnecessary permissions to reduce the damage that an actor can inflict through a compromised account. Usage of admin user accounts should be regularly monitored to detect unauthorized and malicious activity.
  6. Exercise due diligence when selecting vendors, including cloud service providers (CSPs) and managed service providers (MSPs). Use only reputable vendors.
  7. Review contractual relationships with all service providers, prioritizing providers of critical services first.
  8. Manage architecture risks by auditing and reviewing connections between various systems, particularly those exposed to the internet, such as cloud services, email servers and virtual private network (VPN) servers.
  9. Implement basic cybersecurity training for employees and other system users to cover concepts such as account phishing, email and web browsing security, and password security. Ensure training addresses the targeting of personal emails and devices, and how to protect personal email accounts and mobile devices from compromise.
  10. Develop and exercise incident response and recovery plans. Ensure plans cover at least the systems that are critical and important to the organization and include who to contact or report the incident to for assistance.
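Items 3, 4 and 5 above describe a recurring account review: find accounts nobody uses, find departed staff who still have access, and check who holds admin rights. The following is an added example, not code from the CISA guide or from any of the listed organizations, showing how that review can be run over an account export. The CSV layout, the column names, the sample rows and the policy that only the "staff" role may hold admin rights are all constructed assumptions; a real export from Microsoft 365, Google Workspace or a local directory would need its columns mapped to these fields.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample account export (not real parish data), one row per account.
# last_login is an ISO date or empty when the account has never signed in.
SAMPLE_EXPORT = """username,role,enabled,is_admin,last_login,status
rector,clergy,true,false,2024-05-20,active
office.admin,staff,true,true,2024-05-21,active
it.volunteer,volunteer,true,true,2024-01-10,active
old.treasurer,staff,true,false,2023-11-02,departed
summer.intern,volunteer,true,false,,active
music.director,staff,false,false,2024-03-01,active
"""

# Constructed policy assumption: only paid staff roles may hold admin rights.
ADMIN_ROLES = {"staff"}


def parse_accounts(export_text):
    """Parse the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        last = row["last_login"].strip()
        accounts.append({
            "username": row["username"].strip(),
            "role": row["role"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "is_admin": row["is_admin"].strip().lower() == "true",
            "last_login": date.fromisoformat(last) if last else None,
            "status": row["status"].strip(),
        })
    return accounts


def _is_idle(account, cutoff):
    """An account is idle if it never signed in or last did so before the cutoff."""
    return account["last_login"] is None or account["last_login"] < cutoff


def find_stale_accounts(accounts, as_of, max_idle_days=90):
    """Item 3: enabled accounts with no sign-in inside the idle window."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and _is_idle(a, cutoff))


def find_departed_still_enabled(accounts):
    """Item 4: departed staff whose accounts were never disabled."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["status"] == "departed")


def find_admin_exceptions(accounts, as_of, max_idle_days=90):
    """Item 5: admin accounts outside the approved roles, or admin accounts
    that are idle (an unused admin account is a high-impact target)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for a in accounts:
        if not a["is_admin"]:
            continue
        if a["role"] not in ADMIN_ROLES:
            findings.append((a["username"], "admin outside approved roles"))
        if a["enabled"] and _is_idle(a, cutoff):
            findings.append((a["username"], "admin account idle"))
    return findings


def run_audit(export_text, as_of, max_idle_days=90):
    """Run all three checks and return the findings as one report dict."""
    accounts = parse_accounts(export_text)
    return {
        "stale": find_stale_accounts(accounts, as_of, max_idle_days),
        "departed_enabled": find_departed_still_enabled(accounts),
        "admin_exceptions": find_admin_exceptions(accounts, as_of, max_idle_days),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_EXPORT, date(2024, 6, 1))
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Each list the audit returns maps to an action in the guide: stale accounts and departed staff get disabled, and admin exceptions get their permissions reviewed and removed where not needed. Running this against a fresh export on a fixed schedule (monthly, for example) turns items 3, 4 and 5 from a one-time cleanup into the regular monitoring the guide calls for.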

More reading, checklists, and information about Cybersecurity Insurance:

Cybersecurity: Protect Your Episcopal Institution – Church Pension Group
Resources for Faith-Based Communities – Cybersecurity and Infrastructure Security Agency
Resource Guide for Faith-Based Communities – Department of Homeland Security
Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society – Cybersecurity and Infrastructure Security Agency
Cybersecurity Must-Haves for Churches – Enabling Ministry
Best Practices for Avoiding Cyberliability Problems – Church Law & Tax
Cybersecurity Basics – Federal Trade Commission