How Do I SPAM Thee…

Written by Nick B. Nicholaou on . Posted in Articles, Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

SPAM email can be dangerous and painful to the recipient and to any data they have access to. Whether it’s ransomware, phishing, pushing of malware, or impersonation, a strategy is needed to protect ourselves. I’ll address these different types of SPAM, and how each should be strategically managed.

SPAM Comes in Many Flavors
In addition to what many think is a tasty lunchmeat, SPAM also refers to unsolicited email, and those emails are usually intended to do the recipient harm. Sometimes the pain is small, but often it is big and costly. The most costly to an organization are usually ransomware and business email compromise; the most costly to an individual are usually phishing scams.

Here are some categories of email SPAM and how to respond to them:

  • Business Email Compromise (BEC), a.k.a. Impersonation Emails
    • Form: These SPAM emails used to only target businesses working with foreign suppliers and businesses who use financial wire transfer methodology. But in the last year we have seen many occurrences hit churches and ministries using checks! The form of the attack, as it affects churches and ministries, is usually an email supposedly from a pastor or executive in the organization directing the recipient to immediately transfer funds or cut a check. These attacks are usually well researched (we are welcoming and friendly environments, and we give them all of our staff structure and names on our websites!), and can feel legitimate.
    • What To Do: Never comply with the request. Always require a live voice confirmation of the request in person or via live telephone call.
  • Ransomware
    • Form: Ransomware is malware installed on your computer that usually gets introduced through a SPAM email, compromised website, or even through a bot (internet program) that looks for Remote Desktop Protocol vulnerabilities. Once infected with the ransomware malware, data is encrypted and held for ransom.
    • What To Do: One of the best defenses against ransomware is to keep multiple days (we prefer a full month) of full data backups so your system can be ‘reset’ if an infection gets through your defenses. In addition to ensuring good backups:
      1. Never click on a link or graphic in an email you weren’t expecting. Even if it came from someone you know, do not click any links. If you think the email and its links may be legitimate and want to click them– before clicking on them– hover your mouse pointer over the link without clicking. Doing so should show the destination of the link. I recently did this on an email I received from Microsoft that looked legitimate, but the link would have taken me to a very different location than what I expected. Best rule: if you’re not sure that it’s okay to click, do not click!
      2. Make certain your computer has a good anti-malware program running on it. That’s true whether you’re using a Windows or a MacOS computer. The solution my firm recommends is www.thirtyseven4.com… doing so will help prevent you from accessing most compromised websites.
  • Phishing
    • Form: Phishing has a few forms, almost all of which happen through email SPAM. Phishing is the attempt to get the recipient to provide personal information about themselves that could be used to accomplish some form of identity theft. Phishing is sometimes referred to as clone phishing (a previously legitimate email that has been recreated with malware embedded or in links and re-sent to the same list of recipients as the original), whaling (phishing attacks aimed at executives and high-profile targets), and spear phishing (attacks targeting specific individuals that may even contain information about them discovered through websites, social media, and other sources).
    • What To Do: Never respond to a request for personally identifying information in an email without first confirming the source. I even take this a step further if I get a phone call from my bank about possible fraudulent activity in my credit card account! In the call they ask for my password to prove I am who they intended to reach. I decline their request and tell the caller they need to tell me my password to prove they are who they say they are since they initiated the call! They’re not allowed to tell me, of course, so that’s when I disconnect and call the number on my credit card– that way I know I’m talking to my bank.

These are a few SPAM categories. It is imperative that every organization use a high-quality SPAM filter on its email server to eliminate most of the SPAM from being delivered to email account holders. There are a lot of SPAM filter solutions available; our favorite is from Barracuda. They are the gold standard and best-of-breed in that industry.

Just an fyi… we host SPAM filtering for churches and ministries nationwide using a Barracuda SPAM Filter 600. We process more than 90,000 emails daily, and it blocks about 80%. That means about 80% of the email pointed toward your email inbox is unwanted! And some of it is dangerous!

Using a solid SPAM filter won’t stop all SPAM from getting to users’ email inboxes, but doing so will stop almost all of it. That reduces the likelihood that someone will click on something they shouldn’t. But the best protection will only come from repeated training to all team members. I recommend reminding the team of the danger on a monthly basis during all-staff meetings. And if you know a story in which an organization was hurt as a result of SPAM, tell the story! Doing so will help those who don’t take threats and threat-mitigation seriously to re-consider.

Helpful Computer Hacks

Written by Nick B. Nicholaou on . Posted in Articles, Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

I grew up in an age when a ‘hack’ was someone who was incompetent. In those days there were no personal computers or mobile devices. Now everyone has access to multiple computers and various mobile devices. And wouldn’t you know it– ‘hack’ has a new meaning! Today a hack can be a clever way to get things done well.

Following are some hacks that can really help improve your efficiency on a computer!

Hacks for Computer Users
The following hacks are especially helpful for computer users.

Keyboard shortcuts. In today’s world of Windows and Mac operating systems we have become dependent on pointing devices. Granted, those devices are very helpful. But before these current operating systems, we used keyboard combinations to do some of what we now do with a mouse or track pad. Those keyboard shortcuts are still available to use, and they can save time! Here are six I still use often:

| Function | Windows  | Mac   |
|----------|----------|-------|
| Print    | Ctrl + p | ⌘ + p |
| Copy     | Ctrl + c | ⌘ + c |
| Cut      | Ctrl + x | ⌘ + x |
| Paste    | Ctrl + v | ⌘ + v |
| Italics  | Ctrl + i | ⌘ + i |
| Bold     | Ctrl + b | ⌘ + b |

Multiple Monitors/Displays. For those who’ve always used one monitor or display, having two or maybe three may seem excessive. But the increase in productivity with two or three is surprising! I always recommend at least two now; the cost is minimal and the benefits are significant! My desk is configured with three: the one on my left always has Outlook running on it, the one in the middle is where I do most of my work, and the one on my right is for research references (browser, database, etc). I also find it helpful when opening large spreadsheets to stretch them across my middle and right displays!

Recurring Tasks. We all have them: recurring deadlines that are due every Wednesday, once a month, quarterly, etc. I use Outlook’s task functionality to set the reminders I need to help me hit my deadlines. This is one of the most helpful and least used tools available. I also use Outlook tasks to remind me to do things I’ve promised to do, helping me avoid them falling through the cracks of my active schedule.

Managing Email. Email consumes a larger part of our days than most of us want. I have three email hacks that help me stay focused and efficient, even though my average daily email count is well over 100.

  • Inbox. I keep my Inbox as empty as possible so I don’t waste time reading the same emails over and over. When an email comes in I either respond and then delete the original (a copy of the original is in my response!), put a flag (due date) of when I want to respond by and drag it to a subfolder based on the type of email it is (personal, business, etc), or delete it if it’s one I don’t care about (like an ad).
  • Sent Items. Once I send an email I delete it unless I need a reminder that I’m waiting for a response or it was a topic that could have legal ramifications (if it was, I make a PDF copy and store it).
  • Trash. I empty my trash at the end of every day. In the rare case that I need to find something I deleted, I log into our email server via browser (using Outlook Web Access), search deleted files, and restore it.

Automatic Backup. I always feel bad for someone who says a hard drive crashed and they lost all of their files, including photos that were irreplaceable. Losing important files is painful. There are many cloud services available to consumers that will automatically back up files to their cloud servers. There are also utilities in the Windows and Mac operating systems that will automatically back up files to an external drive.

Hacks for IT Professionals
The following hacks are especially helpful for IT professionals.

System setup checklists. As IT pros, we often set up new systems. If the process isn’t automated, I recommend creating a checklist to help achieve standardization. In addition to improving setup consistency, checklists save time because you don’t need to review your work to determine what you’ve already done after an interruption.

Professional Relationships. It’s so helpful to build friendships with people you can turn to when a challenge comes up that stumps you! Those ‘lifeline’ calls can save so much time! The best professional organization I’ve found for those in church and ministry IT is The Church IT Network (http://churchitnetwork.com). They have a low-cost annual gathering in the Fall, and low-cost regional gatherings in the Spring.

Monthly Backup Test. Set a task in Outlook to test your backup monthly. A good test is to restore a file or folder structure and then open the file(s) to verify the backups you’re relying on are good.

Those are some hacks that can really help!

Should Churches Continue to Reimburse Cell Phone Fees?

Written by Nick B. Nicholaou on . Posted in Articles, Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

Churches reimburse some staff members for their cell phone and internet costs. In the early days of those technologies, doing so made sense. Has the way we communicate changed so much that it’s time to reconsider? What are the issues?

Historical Perspective
I got my first cell phone in 1987, and was one of only 1 million in the U.S. who had one. But it was worth the cost (often $750+ monthly for one line!) to be available to our clients as I travelled across the USA. Five years later that number had grown to 11 million, and in 2000 passed 100 million! By 2010 there were more cellphones (and smartphones) in use than there were people in the U.S., and by 2015 half of all U.S. households no longer had a landline connecting their home to the telephone system network (we removed our landlines in 2007).[1]

Why does that matter? In the earlier years of cellular phones they were very costly to buy and use, and were perceived as additional phone lines. As great tools enabling a burgeoning mobile workforce, churches wanted their staff to have cellphones to facilitate better communications between themselves, their teams, and their congregations. Because they were an added phone to the home phone, many church team members couldn’t afford to have one.

The same is true for internet connections at team members’ homes. In the 1990s and early 2000s they were considered optional. Reimbursing staff for the expense of being connected made sense for many team roles.

So churches developed a number of ways to underwrite the cost for these services for their staff via reimbursements, allowances, and more. The IRS finally helped by simplifying the tax treatment of cellphones provided to employees in 2011 following the Small Business Jobs Act of 2010.[2]

Should Reimbursements & Allowances Continue?
There may be circumstances where those are appropriate, but for most the answer going forward should be no. Those communications services are no longer considered additional methods in the U.S., but are now integral to our communication fabric.

At a gathering of megachurch church business administrators and managers (CBAs) I recently attended, one of the CBAs asked, “When staff leave the church, they don’t want to turn in their cellphone or terminate their service! If they will pay for it themselves after they leave our staff, why do we pay for their service and phones while they are on staff?” Good question!

Today nearly all working adults in the U.S. have a cell phone (or more accurately, a smartphone), and most households have broadband internet service. So why should the church reimburse the cost of these services? It no longer needs to.

Transitions are Sensitive
Simply deciding to no longer reimburse for these services could be problematic. I suggest the following:

  • Set a policy that reimbursements for cell phones and internet service will no longer be made to church staff. This policy would apply to all new hires.
  • To ‘grandfather’ those who have been receiving assistance for these services, add the amount they have been receiving to their base pay; a sort of one-time adjustment to their pay. This allows you to eliminate assistance going forward without hurting any team members that depend on it. It also simplifies the payroll process– a win-win!

Transitioning in this way will remove the discussion for any new team members, and continue meeting the needs of existing team members.

People no longer need assistance with their cellular or internet service. It’s part of the standard way we communicate today in America. It’s okay to end the practice of evaluating who to assist, how much to assist, and then account for those decisions in budgets and in the payroll process. Handled in this way, no one will get hurt in the process, and no one will suffer because of the policy.

[1] These statistics are from CTIA.org, an association representing all sectors of the U.S. wireless communications industry.

[2] See https://www.irs.gov/irb/2011-38_IRB#NOT-2011-72 for details.

Don’t Become a Cybercrime Victim

Written by Nick B. Nicholaou on . Posted in Articles, Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
Ministry Business Services, Inc. President
Reprinted from inSIGHT

The most current stats published by the FBI (2015 via ic3.gov) show they received nearly 290,000 cybercrime complaints that year, with an associated loss of $1.1 billion! At the time of this writing a new ransomware called WannaCry (aka WannaCrypt) is infecting computers worldwide. Are you and your data safe? What do you need to do– and not do– to be safe?

Age Groups Affected
The two age groups most impacted by cybercrime are ages 20-39, and ages 40-59, and both of those groups are about evenly split. Together they account for 80% of cybercrime victims in the U.S. That makes sense when you figure that those under 20 (4% of victims) don’t have much to spend online, and of those over 60 (16% of victims), only a portion of those are heavy computer users. So, what the stats seem to say is that if you use a computer, you are equally at risk no matter what your age is.

How Do Cybercrime Infections Happen?
Most cybercrime happens one of two ways:

  1. Via Email. An email appears in your inbox that has a link, graphics, or a form to complete, or may appear to be from someone you know (known as spear phishing).
  2. Via Infected Websites. Websites, even those that are legitimate, can be infected with malware easily if their hosts are not keeping up with security patches and strategies. Criminals can buy inexpensive ‘crimekits’ that look for and infect vulnerable websites. We’ve even seen that happen to church and ministry websites!

How to Protect Yourself and Your Data
Let’s address this in the two categories of email and websites.

  1. Via Email. There are a number of things to do, and things best not done, to help in this area:
    • Make certain your email is scanned by a capable SPAM filter to help minimize the number of dangerous emails that get to your inbox. I say minimize because some will still get through even the best SPAM filter; those are often referred to as zero hour emails. Zero hour emails are newly introduced methods and strategies that have not yet been identified as a pattern of dangerous email.

      Our firm prefers Barracuda SPAM filters. We even tested Microsoft’s O365 SPAM filtering solution, and found that it let many more unwanted emails through than the Barracuda– especially from other O365 email accounts.

    • The FBI warns as follows:
      • Do not click links in emails. I modify their warning, that you can click only if you first hover your mouse over the link, which will show you where it wants to take you. If you’re not certain the destination is safe, do not click the link.
      • Never reply to senders you don’t know. This gets tricky, though, because the sender can be spoofed, as in spear phishing. If you want to reply to someone– even someone you know, look at the email address in the ‘To’ field when you’re composing your response to be certain that address is what you expected to see there before clicking ‘Send’.
      • Do not fill out forms in emails.
      • Do not open attachments in unsolicited email.
      • Be skeptical of those representing themselves as surviving victims or friends in need.
    • I add one more item to the FBI’s list. Immediately delete SPAM emails, and empty your deleted items daily.
  2. Via Infected Websites. I recommend two methods of protection in this area:
    • Use a good firewall to protect your entire system from dangerous content transmitted from websites. The better firewalls let you filter content, but for this discussion, the focus is on protecting your systems from malware. Typically there is a subscription from the firewall provider that must be kept current to protect you from newer methods and strategies.

      The firewalls my firm recommends are SonicWALL firewalls running their Total Secure subscription package. We find those to be the sweet spot of features, protection, and cost for churches and ministries.

      If you’re a consumer vs an organization, check with your Internet Service Provider (ISP) and confirm with them that they have all of the protections turned on in the modem or router they provided.

    • Use a capable anti-malware solution on your computers– whether Windows or Mac (yes, Macs get infected too, regardless of what many say). The solution my firm likes most is Thirtyseven4.com; it is capable and reasonably priced.

Finally, keep a history of total data backups to help you recover from an infection that somehow slips through. There are no total guarantees of protection, but with a history of backups available (we prefer a full month of daily backups to cover an infection that has an incubation period and doesn’t ‘go live’ and get noticed for a while), you should be able to recover from any infection that happens.

What About WannaCry Ransomware?
WannaCry takes advantage of a Windows vulnerability that Microsoft patched months before the outbreak occurred for all their supported operating and network operating systems. That said, it is important to keep your systems and apps up to date regarding patches; many of the updates are security-related.

It appears WannaCry is gaining access to files from people responding to a spear phishing attack. Be cautious with the emails in your inbox!

If you are running an unsupported Microsoft operating system, like XP, Windows 8.x, or Server 2003, Microsoft recently released a patch you can manually download and apply to shore up the vulnerability WannaCry exploits. Here’s a link directly to Microsoft for help:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/.

Don’t become a victim of cybercrime! These are easy-to-implement strategies and disciplines that you, your staff, and your family can adopt. And there will likely come a time when you’ll be glad you did.

What’s Your Backup Plan?

Written by Nick B. Nicholaou on . Posted in Articles, Uncategorized

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

Many believe the highest priority of IT (Information Technology) is disaster recovery preparedness; the ability to recover after a major data loss. Or after ransomware. We often call that a backup plan, because it all starts with good backups. So, what’s your backup plan?

Is Data Really at Risk?
Simply said, YES! Churches and ministries are not immune from data loss, and organizations deal with recovering from data loss at some level all the time. Consider these threats:

  • Data is stored on hard drives or flash storage somewhere, and like any man-made device, those can– and do– fail.
  • People accidentally delete data.
  • Data is vulnerable to ransomware (virus-like malware that encrypts and locks data so it cannot be used again until a ransom is paid).
  • The buildings where your data is stored are vulnerable to man-made and natural disasters.

Apply to those an appropriate vulnerability-multiplier because we have an enemy that is interested in doing whatever it can to inhibit our progress in fulfilling the mission to which the Lord has called us.

Here’s What We Recommend, and Why
A good backup plan has the following components:

  • Backups are comprehensive, and happen automatically. Backups should encompass everything needed to recover from a disaster quickly. And they should not need to be manually triggered, but should happen automatically. Like, every workday night.
  • Backups are tested on a schedule. When backups are made, they should immediately be tested by the backup software to ensure they are accurate backups. But that’s not enough! The backups should also be tested– perhaps monthly– to be certain what we think we can rely on really can be relied on. I recommend choosing a data folder at random each month and restoring it, then checking to see if the files that were restored can be opened. We have seen problems that keep the restored files from being usable; the only way to be certain is to test your backups before you need them.
  • Backups have an off-site component. It is possible to lose an entire building to a disaster. For that reason, it is wise to have a recent backup stored with enough geographical separation to protect your organization from a larger disaster.
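The monthly restore test described above (and in the "Monthly Backup Test" hack earlier on this page) can be partly automated. This is an added example, not from the original article: it assumes a SHA-256 manifest is recorded when the backup is taken, and the folder and file names are constructed. A hash match shows the restored bytes are intact; opening a few of the restored files, as the article recommends, remains part of the test.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record relative path -> SHA-256 for every file; run when the backup is taken."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def pick_folder(manifest, rng=random):
    """Choose at random one folder that holds backed-up files."""
    folders = sorted({rel.rpartition("/")[0] for rel in manifest if "/" in rel})
    return rng.choice(folders)


def verify_restore(manifest, restored_root, folder):
    """Compare a restored folder with the manifest and sort every file into a bucket."""
    report = {"ok": [], "missing": [], "unreadable": [], "changed": []}
    for rel, expected in manifest.items():
        if not rel.startswith(folder + "/"):
            continue
        target = Path(restored_root) / rel
        if not target.is_file():
            report["missing"].append(rel)      # the restore silently skipped it
            continue
        try:
            actual = sha256_file(target)
        except OSError:
            report["unreadable"].append(rel)   # present but cannot be read
            continue
        report["ok" if actual == expected else "changed"].append(rel)
    return report


def demo():
    """Constructed data: a live tree and a 'restore' with one truncated and one missing file."""
    files = {
        "finance/budget.csv": b"quarter,amount\nq1,100\n",
        "finance/notes.txt": b"board meeting notes\n",
        "finance/payroll.csv": b"name,hours\nstaff,40\n",
        "youth/roster.txt": b"sample roster\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for rel, data in files.items():
            for base in (live, restored):
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(live)
        (restored / "finance/payroll.csv").write_bytes(b"")  # simulate a truncated restore
        (restored / "finance/notes.txt").unlink()            # simulate a file left out
        return verify_restore(manifest, restored, "finance")


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:10} {names}")
```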

Here’s what we recommend:

  • Our favorite backup software to run at a server level is Veeam. For those using virtual server technology, Veeam can restore entire servers very quickly. Veeam can also do file-level restores and email-level restores for email servers.
  • We prefer backing up to tape rather than to other types of devices. Using LTO5 or LTO6 technology, it’s possible to back up very large servers quickly and efficiently. Some recommend online backup solutions and external hard drives, but they have challenges that cause us to think they’re not the best choice:
    • Online backup solutions are good for consumers, but not for full server backups. We know of three megachurches who tested their online backup solution provider’s offer to send the entire backup on a drive, and each of the three was not pleased with the results.
    • External hard drives have a lot of moving parts, and thus fail easily.
    • Tape is still the preferred choice of corporate America because it’s simple and reliable.
  • If a church or ministry is large enough to have a SAN (Storage Area Network), we encourage it to seek another church or ministry of similar size that is willing to exchange SAN replication.
  • Back up the entire data server each work night, and take one tape off-site weekly.

Going a Step Further
I like to take that strategy a step further when possible. If you have a Mac on your network with enough storage capacity, have your network synchronize its data to a folder on the Mac; we like Owncloud to accomplish this, but there are other tools available too. Then, using the Mac’s Time Machine app that is part of the operating system, back up the Mac to a large external hard drive. This will allow you to store versions of files going back as far as your external drive has the capacity to maintain.

My wife is a CA, and she shares office space with us. Most of her client projects are annual. Using this strategy, if she tries to open a spreadsheet that has become corrupt, we can restore a version going back more than a year from the last time she did work on behalf of that client!

Some call natural and man-made disasters resume-generating events for IT professionals who were not doing their due diligence in the backup/disaster recovery department. As personally tragic as that could be, imagine how tragic it would be for a church or ministry called to share the gospel and disciple believers– the most important calling on Earth!– if their data loss meant having to start from scratch! Disaster recovery is worth the effort and expense. So… what’s your backup plan? And do you test it?


Sidebar

Christians look forward to the day when we are with God in Heaven. That means there will come a day when we are not on Earth to take care of the network and data at our church or ministry. Have you made provisions for whoever succeeds you?

Documentation is Key
Use an app like Visio or Lucidchart to create a simple network diagram that includes key IP addresses, server service tags or serial numbers, and what services run on each server. Document any “unique” details of your network to keep the users and mission of your church or ministry moving forward once you’ve left.

Back Yourself Up!
Another great way to ensure a positive succession is to have a relationship with an IT vendor that can continue the IT vision for your organization in your absence. A terrific side-benefit is that you can take your much-needed vacation without getting interrupted because your vendor has your back!

Spending just a few hours creating documentation and searching for an IT vendor you can trust will go a long way towards your team blessing you on your heavenward journey (or earthly vacation). And because it’s good management, or stewardship, you will hear “Well done” at the end of the road.