Written by Mark Evilsizor
From his column Tech
This year there have been many high-profile cybersecurity breaches in the news. The bad guys are adapting to current realities and finding vulnerabilities they can exploit to gain our trust and empty our pockets or our organizations’ coffers. Let’s spend some time reviewing the core practices of a layered defense that can reduce the risk of falling prey to computer crime.
Email Entry Point
Each staff person and volunteer who has access to an organization’s data or network is like a door into a building. The most common way for bad guys to enter one of these doors is via deceptive email, a tactic called “phishing.” The trending behavior is that once they gain access to a system, before deploying ransomware, they take a copy of our data. Even if backups are strong and we can reload the systems in a reasonable amount of time, they threaten to release data to the public unless we pay.
The essential rule of email safety is never click on any email link or attachment that we are not expecting, even if it appears to be from a trusted vendor or person. To help staff be conscious of this need, we should intentionally raise awareness by sending at least seasonal notices about the types of phishing going on (tax-related in spring, purchase and package delivery related in fall, secure document and fax pick up all the time). It’s good to occasionally send staff an image of an actual phishing email received in which we point out the red flags that led to detection. Often, these include disagreement between sender name and email address, misspellings, brand images that are slightly off, messages with topics that seem unlikely from a sender, or a link pointing to a different organization than the one sending the email. With heightened wariness, staff are more likely to slow down, scrutinize the elements, and not hastily open the door to malware as they rush through their daily glut of email.
If bad guys do gain access to a computer, a typical next step is to scan for unpatched vulnerabilities on the network to gain control of the entire system. The applicable layer of defense at this point is to have a strong patching practice. Once a month, Microsoft releases updates to Windows and related software. Train staff to notice when Windows needs to update and, at least once a month, update and restart to apply the latest patches. Several times this year, patches were released for newly publicized security vulnerabilities. Ideally, security vendors notify us, or the staff person charged with the responsibility for network security. It’s also a good idea for such persons to spend a few minutes each week checking a site like Krebbs On Security or similar tech news sites. Additionally, it’s important to be sure staff members update system software on their computers on a regular basis.
Multi-factor authentication (MFA), which we covered here, continues to gain acceptance as a strong layer of defense. In essence, when we log in with a new computer or browser, we must supply additional acknowledgement from our phone as well as provide a password. If bad guys steal our password, it is very difficult to access data with MFA enabled. Church organizations with website services like Microsoft or Google which offer MFA security, should certainly make use of it. If your organization enables staff to connect to the network from home or other locations, an MFA requirement can make the process much more secure, as well.
In response to the use of MFA, bad guys sometimes send an approval request to access our data in the form of a phishing email that indicates we need to grant access to pick up a secure file someone has sent. This is called “consent phishing.” The approval dialog is from a “service provider,” e.g., the Microsoft 365 example (see illustration on the right) is a consent form to grant access to a third party who may be someone trying to gain access and bypass MFA (and the name will not be Risky App). If you grant access, someone else can review your data and act in your name. Additionally, changing your password will not kick them out. I recommend reviewing this possibility with your Microsoft 365 expert as there are configuration changes that can be made to reduce the risk, and reviewing previous consent is warranted. Also, let staff know about such ploys so they don’t skip the details and click the enticing “Accept” button when presented with such requests.
With a church, school building, or house, a would-be thief creates problems by physically visiting the property to gain entry, steal things of value, or destroy the ability of an organization to fulfill its mission. In the online world, a miscreant can try every door and window to our organization from any place in the world, every day, and have little risk of being caught. Growing our security awareness and establishing a strong security posture are essential parts of fulfilling our mission and protecting our constituents’ data, resources, and trust.
Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Opinions expressed are his own.