An overview of CISA’s new guidelines
By Antoinette King
Traditionally, houses of worship (HoWs) are safe havens within the communities they serve. Many have open-door policies and welcome all who enter with no questions asked as a means to encourage people to seek refuge within their facilities and organizations. Unfortunately, this openness, along with the political climate over the past several decades, has also made houses of worship a target for violence and cyber-attacks.
These acts of targeted violence are a top priority for the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security. As such, they recently released a security guide to Mitigating Attacks on Houses of Worship. This guide was created based on data from 10 years of targeted attacks on HoWs.
Faith-based organizations (FBOs) often do not have the resources for full-time security staffing. This, coupled with the fact that they do not have a high degree of focus on security, has historically put them at serious risk for victimization. This does not have to be the way moving forward. FBOs can take an active part in hardening their organization against targeted attacks.
Tactics and methods of attacks
Before we can discuss creating security programs for HoWs, we need to understand the tactics and methods used to target them. Of the incidents analyzed, 22% of the perpetrators had a prior association with the target organization. Because of this, it’s important that leadership pay attention to how their congregation engages with their staff, volunteers, and members as a proactive measure toward early detection.
In addition to prior associations, there were behavioral indicators prior to the incidents that were observed and not acted on. For example, in the cases studied for this guide, 57% of the perpetrators engaged in some kind of planning activity that revealed their intent to attack, and 19% of the perpetrators posted about the attack in online forums. In addition to these sorts of behaviors, it is important to recognize that 22% of the attacks took place during periods of increased attendance. Training staff and volunteers in recognizing red flags is key to helping to thwart these kinds of attacks.
In addition to being targeted by physical attackers, HoWs are increasingly being targeted by cyber criminals. Cyber attacks analyzed in the CISA report included financial damages ranging from $680,000 to $1,750,000. In all of the cyber incidents reported, it was unclear who the perpetrators were. Attribution for cyber crimes is often difficult and costly to investigate. Cybersecurity incidents are not only costly, but could render your facility incapable of offering services until your network is restored.
Comprehensive security is a community effort
Creating a welcoming environment should also include creating a secure environment. There are several things HoWs can do to ensure the safety and security of their congregation. Here are some steps to follow to get started:
- Create a security committee – Forming a security committee comprised of staff and volunteers is an important first step to building a security program. Including members with diverse backgrounds and experience is important. Try to find members with law enforcement, military, psychology, security, and education backgrounds. Their input into policy and procedure will be invaluable.
- Use of technology – Deploying technology to support your security program when at all possible is a good idea. However, it’s important to note that any implementation of technology should be done by a professional with a strong background in the use of the technology you are deploying. Don’t spend good money on technology that isn’t set up properly.
- Use local law enforcement and first responders for support and training – Building relationships with local law enforcement and first responders before an incident occurs is very important for several reasons. First, it allows the department to become familiar with your organization and facility before an incident occurs. Second, it sends a message to the community that your organization prioritizes security.
Security Framework for Houses of Worship
CISA outlines a security framework specific to HoWs. As you begin to consider a security program for your organization, pose the following questions to your security committee:
- What are your threats and vulnerabilities?
- What is the likelihood of a given threat occurring?
- What are the consequences of the threats?
- What is your community’s tolerance for the consequences?
- What is your community’s attitude towards security practices?
- What personnel resources do you have to direct, manage, and oversee security operations?
- What is your budget to support security initiatives, both immediate and long-term?
As your committee considers these questions, you should be scheduling physical security and cybersecurity vulnerability assessments. When conducting these assessments, members of the security committee should be involved. Ideally, you should also be sure to use security professionals that specialize in the areas being assessed. Be sure to consider all facilities, including administration buildings, the worship facilities, and any daycares or schools that may be a part of the organization when conducting both the physical and cybersecurity assessments. Consider remote workers and any public-facing websites that stream services as part of your cybersecurity assessment. These assessments should include all processes that are critical to the organization.
Once the vulnerability assessments are completed, the organization can start to prioritize and address its unique security challenges. CISA recommends the following plans should be considered as part of your security program:
- Emergency Action Plan
- Active Shooter Plan
- Business Continuity Plan
- Incident Management Plan
- Short-term Recovery Plan
- Long-Term Recovery Plan
The security program cannot exist in a vacuum. Building community readiness and resilience will engage community members and improve the success of the program. This element of the program focuses on the value of human interaction. Training should be provided internally and also be offered to community members when possible. CISA recommends the following components to be included as part of your security program:
- Internal Training – FBI Run, Hide, Fight training for staff and volunteers.
- The power of hello – If possible, start a greeter program to include one or more greeters for all services and events. Having someone greeting the congregation can act as a deterrent.
- Security-centered event planning for larger events – Include security planning as part of your large event planning. Consider who the audience will be and what the purpose of the event is as you consider the security measures needed to be taken.
When implementing protective controls for your facility, consider the defense-in-depth strategy. Create policies, practices, and behaviors that build layers of security throughout your facility. This should include methodologies like Crime Prevention Through Environmental Design (CPTED). This is when the facility is designed from the outside parking area and landscaping all the way to internal offices and public spaces with security in mind. If you are in need of funding to support the implementation of your security program, there are grants available through FEMA Grant Funding for not-for-profit organizations.
If your organization includes daycare services and/or a school there are additional safety considerations that should be addressed. Schools and daycare facilities should be assessed separately from the HoW facilities with prioritized consideration for the vulnerable individuals who primarily use the services. There are no-cost assessments, including that of CISA’s K-12 GUIDE AND ASSESSMENT TOOL, or the READINESS AND EMERGENCY MANAGEMENT FOR SCHOOLS (REMS) SITE ASSESS APP administered by the U.S. Department of Education. However, careful consideration should be given to hiring professionals to conduct these assessments if you do not have qualified individuals to conduct the assessments within your organization.
There should be a cybersecurity component to your overall security program as both physical security and cybersecurity go hand-in-hand. Some organizations will be more mature when it comes to the use of technology as compared to others, but it is safe to say that all organizations have some parts of their operations that rely on the Internet and related technology. The top cyber threats faced by most HoWs are financial exploitation, ransomware, and website defacement. Prioritizing cybersecurity awareness training around these topics and practicing good cyber hygiene will go a long way in mitigating cybersecurity threats to your organization.
Houses of Worship are targeted for many different types of attacks including violent attacks and cyber-attacks. Research shows that the number of attacks has significantly increased in the last decade and shows no signs of slowing down. Understanding the types of threats and vulnerabilities your organization faces is key to developing a successful security program. Being prepared by building out a comprehensive holistic security program is a great way to mitigate the threats and risks your organization faces.
- With some concentrated effort, Houses of Worship can be both welcoming and secure.
- Security is not one-size-fits-all. Create a holistic multi-layered security program that suits your organization’s physical and cybersecurity needs.
- It takes a community. Establish a security and safety committee within your organization that is comprised of staff and volunteer worshipers to create policies, procedures, and emergency plans. Engage with local law enforcement and emergency responders regularly. You don’t want to exchange business cards during an incident.
- Security is an iterative process. Perform annual security and risk assessments to ensure that your program is relevant to the current threat landscape and your emergency plans are up to date.
Antoinette King, PSP has 21 years of experience in the security industry and founded Credo Cyber Consulting with the goal of providing a holistic perspective on security, bridging the gap between the physical and cybersecurity domains focusing on data privacy and protection.