Security Basics for Churches
Basic Cybersecurity information for churches
Chris
7/24/2025 · 4 min read
TL;DR: Simple steps like setting strong passwords, enabling multi-factor authentication, and keeping software updated significantly reduce the risk of an attacker getting into your church's email and other systems.
Every so often I drive my motorcycle to church. When I do, it means that I have to spend a couple of minutes taking off my gear at the beginning and then putting it back on at the end. During these two minutes or so, I find that a lot of people like to come up to me and talk to me about random things. Sometimes about motorcycles, sometimes about how they liked the music, things like that. Recently, as I was taking my Tech 7s off and putting my regular sneakers on, one of the pastors (I go to a larger church) came up to me and started telling me about a cybersecurity problem they had had that week.
They had recently discovered that the finance manager's email had been compromised and that the attacker had used it to send out emails with a bad link. The attacker had figured out that the finance manager's account had a weak password and was able to log in with it. They were able to get the issue resolved, and it doesn't seem like there was much impact from it, but it served as a bit of a wake-up call for the church to start taking its cybersecurity more seriously.
I use this as a recent example to show that churches are under threat from hackers just like any other organization, and the attacks are largely automated, so they arrive whether or not anyone is specifically interested in your church. A lot of small-time hackers see religious organizations as easy targets because they are typically run by folks who don't always have a lot of technical know-how. Nothing wrong with this, I'd rather our pastor be fluent in the Bible than in C++. But because of this there can be a lack of knowledge of cybersecurity threats.
My goal in this article is to give churches some basic ways to mitigate cybersecurity threats. These are all simple, easy to do, and have a relatively small impact on your day-to-day life. I am also assuming that your church uses an enterprise-level email service, such as Microsoft Outlook through Microsoft 365.
Passwords
One of the simplest and most effective things you can do is set a password policy. Every major organization (that knows what it is doing) requires passwords to meet certain criteria; start signing up for an account on Google or Amazon and you will see one. The US government's Cybersecurity and Infrastructure Security Agency (CISA) recommends the following(1):
Long—at least 16 characters long (even longer is better).
Random—like a string of mixed-case letters, numbers and symbols (the strongest!) or a passphrase of 4-7 random words.
Unique—used for one and only one account.
Whatever email host your church uses should let you enforce these rules for every account, so set the policy there rather than trusting each person to pick a good password on their own. Remembering a different 16-character password for every account is not realistic without help, so a password manager is the practical way to meet the "unique" rule. In the example above, had the church been enforcing stronger password rules from the start, the attacker would have had a much harder time getting into the finance manager's account.
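For the technically inclined reader, here is what the three CISA properties look like as actual checks. This is an added example written for this article, not a tool from CISA or from any email provider; the word list and the "already used" passwords are constructed sample data, and the generators use Python's secrets module so the randomness is cryptographically strong.

```python
"""Password policy helpers built around the three CISA properties quoted
above: long (16+ characters), random, unique.

Added example for this article, not a tool from CISA or from any email
provider. The word list and the "already used" passwords are constructed
sample data for the demonstration.
"""
import hashlib
import math
import re
import secrets
import string

# Constructed sample word list. A real passphrase list (such as the EFF
# long list) has thousands of words; the size of the list is what gives a
# passphrase its strength, see passphrase_entropy_bits() below.
WORD_LIST = [
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zephyr", "bridge", "copper", "dragon",
    "forest", "glacier", "hammer", "marble",
]

# Constructed: SHA-256 digests of passwords already in use on other
# accounts. "Unique" means a new password must not match any of them.
# Keeping digests rather than the passwords themselves means this list is
# not a second copy of everyone's credentials.
PREVIOUSLY_USED = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Summer2024!", "ChurchOffice1", "Psalm23Psalm23!!")
}

MIN_LENGTH = 16  # CISA: at least 16 characters


def character_classes(pw):
    """How many of lower/upper/digit/symbol appear in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in pw) for cls in classes)


def generate_passphrase(words=5, word_list=WORD_LIST, sep="-"):
    """CISA's 'passphrase of 4-7 random words', drawn with the secrets
    module (cryptographically strong randomness, not random.choice)."""
    if not 4 <= words <= 7:
        raise ValueError("CISA recommends 4 to 7 words")
    return sep.join(secrets.choice(word_list) for _ in range(words))


def generate_random_password(length=20):
    """CISA's 'string of mixed-case letters, numbers and symbols'. Redraws
    until all four character classes are present so the result also
    passes check_password()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_classes(candidate) == 4:
            return candidate


def passphrase_entropy_bits(words, list_size):
    """Strength of a random passphrase: words * log2(list size).
    5 words from a 7776-word list is about 64.6 bits; from the 32-word
    sample list above it would be only 25 bits, which is why list size matters."""
    return words * math.log2(list_size)


def check_password(candidate, used_hashes=PREVIOUSLY_USED):
    """Return a list of policy violations (empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: at least {MIN_LENGTH} characters")
    # "Random": accept either a multi-word passphrase or a string mixing at
    # least three character classes. A heuristic, not a proof of randomness.
    word_count = len([w for w in re.split(r"[^A-Za-z0-9]+", candidate) if w])
    if word_count < 4 and character_classes(candidate) < 3:
        problems.append("not random enough: mix letter cases, digits and "
                        "symbols, or use 4+ random words")
    # "Unique": compare digests so the candidate is never stored in clear.
    if hashlib.sha256(candidate.encode()).hexdigest() in used_hashes:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    print(generate_passphrase())
    print(generate_random_password())
    print(check_password("ChurchOffice1"))
```

Running it shows the weak password from the story tripping two of the three rules at once (too short, and reused), while either generated value passes cleanly.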
Multi-factor Authentication (MFA)
MFA, of which the familiar two-factor authentication (2FA) is the most common form, means proving who you are in more than one way before an account lets you in: typically something you know (your password) plus something you have (your phone, which receives or generates an expiring code, or a hardware security key). A lot of people aren't big fans of the extra step, but the security benefit is undeniable: an attacker who has only guessed or stolen your password, as in the story above, still cannot log in. Your email provider should let you require MFA for every account; turn it on at least for the staff who handle money or member data. Where you have the choice, prefer an authenticator app or a hardware key over codes sent by text message, which are easier to intercept or phish.
Updating Software
The term "zero-day attack" has been used in plenty of movies. In Fast 8 the bad lady hacker tells her cronies to "launch the zero-day attacks" and starts making cars drive themselves after the bad guys. This is not what a zero-day attack is, but I thought that scene was really funny.
A real zero-day is a security flaw in a piece of software that attackers discover and start exploiting before the company that makes it has had a chance to fix it (the company has had "zero days" to respond). Software vendors are constantly looking for these flaws and fix them through software updates, which is why a patch often arrives shortly after a flaw becomes public.
Hence, making sure all the software you use is up to date matters. Running software with a known, unpatched flaw is an easy way for an intruder to get into your systems, because the attacker often does not need to find anything new: the flaw is public and the fix already exists. It's like a padlock on a fence. If the padlock company told you that model could be broken easily and offered to send you a new one, you would take them up on it. It's the same with security patches. Turn on automatic updates wherever the software offers them, and remember that this includes web browsers and phone apps, not just Windows.
You also want to move off software that is past its end of life. Windows XP was retired in 2014, but there were still people using it into the 2020s; I specifically remember my dentist using it until about a year ago. Retired software introduces risk to your computer network because security issues found in it will never be fixed. Windows XP, for example, has many known security issues that Microsoft is not going to patch. Windows 10 reaches end of support on October 14, 2025, so it is important to migrate to Windows 11 (or a different operating system) before then to avoid the same situation.
References
(1) https://www.cisa.gov/secure-our-world/require-strong-passwords
Note: CISA has a lot of good resources on its website. It's a great reference point.