Federal Government Issues Cybersecurity Guidance for Faith-Based and Other Civil Society Organizations


By Jean Tomasco, ECCT’s Human Resources Manager

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the Department of Homeland Security, the FBI, and others, recently released a guide, “Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society,” that may be helpful to parishes concerned about cybersecurity. “Civil society” is defined as including faith-based, nonprofit, and cultural organizations involved in defending human rights and advancing democracy, which are considered at high risk because they “are targeted by state-sponsored threat actors who seek to undermine democratic values and interests” and because such organizations often have low defense capacity against cyberthreats.

The guide provides recommended actions to reduce the risk of cyber intrusions. It suggests that organizations prioritize the following:

  1. Keep software updated on user devices and IT infrastructure, since updates correct known flaws that bad actors might otherwise exploit to gain access to systems.
  2. Implement phishing-resistant multifactor authentication (MFA), which makes it more difficult for actors to compromise user accounts.
  3. Audit accounts and disable unused and unnecessary accounts.
  4. Disable user accounts and access to organizational resources for departing staff.
  5. Apply the Principle of Least Privilege by auditing accounts with extensive or high-impact permissions (admin access) and removing any unnecessary permissions to reduce the damage that an actor can inflict through a compromised account. Usage of admin user accounts should be regularly monitored to detect unauthorized and malicious activity.
  6. Exercise due diligence when selecting vendors, including cloud service providers (CSPs) and managed service providers (MSPs). Use only reputable vendors.
  7. Review contractual relationships with all service providers, prioritizing providers of critical services first.
  8. Manage architecture risks by auditing and reviewing connections between various systems, particularly those exposed to the internet, such as cloud services, email servers and virtual private network (VPN) servers.
  9. Implement basic cybersecurity training for employees and other system users to cover concepts such as account phishing, email and web browsing security, and password security. Ensure training addresses the targeting of personal emails and devices, and how to protect personal email accounts and mobile devices from compromise.
  10. Develop and exercise incident response and recovery plans. Ensure plans cover at least the systems that are critical and important to the organization and include who to contact or report the incident to for assistance.

The guide also provides recommendations for steps that individuals within such organizations can take to reduce the risk of cybercriminals gaining access to networks and personal devices.

While the guidance primarily focuses on politically motivated cyberattacks by state-sponsored actors, even parishes that do not consider themselves at high risk for such attacks may nonetheless benefit from the recommendations for improving cybersecurity.

The guidance is available online here, and also has been posted on ECCT’s website under Administration/Human Resources/Articles re HR Topics. In addition, there is a sample cybersecurity policy in the Handbooks and Sample Policies folder. If you are interested in learning more, CISA has additional information on cybersecurity best practices at: https://www.cisa.gov/topics/cybersecurity-best-practices, and the Federal Trade Commission also has information on cybersecurity basics at: https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/basics.

You may also be interested in the following article from Church Law & Tax, a publication of Christianity Today, regarding Best Practices for Avoiding Cyberliability Problems, which covers steps churches can take to avoid data breaches and other mishaps.

DISCLAIMER: This material is for informational purposes only and not for the purpose of providing legal advice. You should always contact your attorney to determine if this information, and your interpretation of it, is appropriate to your particular situation.