
A Simple Cybersecurity Checklist for Churches and Nonprofits

Nobody thinks they're going to get hacked until they do. And when it happens to a church or a nonprofit, it hits different. You're not just losing data — you're losing trust. Member information, donor records, financial data, personal prayer requests that people shared in confidence. That stuff matters in a way that goes beyond business.

I've worked with organizations that got hit and the aftermath is always the same. The breach itself takes a few hours to discover. The cleanup takes months. The trust takes years to rebuild — if it ever fully comes back.

The good news is that most attacks on small organizations aren't sophisticated. They're not being targeted by nation-state hackers. They're getting caught by the same basic traps that catch everyone. And basic traps have basic defenses.

Here's a straightforward checklist. Nothing fancy, nothing expensive. Just the stuff that actually prevents the problems I see over and over again.

Passwords and Access

This is where almost every breach starts. Someone uses the same password for their church email that they used for a shopping site that got compromised three years ago. The attackers don't even have to try hard.

Use a password manager. Not the browser's built-in one — a real password manager like Bitwarden (which has a free tier for small organizations). Every account gets a unique, random password. Nobody has to remember anything except one master password.

Turn on two-factor authentication everywhere. Email, banking, social media, your church management software, your website admin panel. Everywhere. This is the single most effective thing you can do. Even if someone steals a password, they can't get in without that second code.

Review who has access to what. I've seen churches where a volunteer who left three years ago still had admin access to the website, the email system, and the giving platform. Do an access audit every six months. When someone leaves, revoke their access that week — not when you get around to it.

Don't share login credentials. It's tempting, especially when you're a small team and everyone needs to get into the same accounts. But shared credentials mean you can never trace who did what, and when one person's phone gets compromised, everyone's accounts are exposed. Set up individual logins with appropriate permissions.
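One way to run the six-month access audit described above, as an added example that is not part of the original post: the script takes a CSV export of who has an account on which system (the column layout, the names, the systems and the church-name.example domain are all constructed for this example) and flags three things to act on, accounts belonging to people who have left, accounts nobody has logged into for more than 180 days, and generic shared logins such as office@ that cannot be traced to one person.

```python
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed sample export (the column layout is an assumption for this example):
# one row per account on each system; left_on is blank for people still serving.
ACCOUNTS_CSV = """person,system,login,role,left_on,last_login
Alice Smith,website,alice,admin,,2024-05-02
Bob Jones,website,bob,admin,2021-06-30,2021-06-12
Alice Smith,giving-platform,alice,admin,,2024-05-01
Carol Diaz,giving-platform,carol,admin,,2023-09-15
Office,email,office@church-name.example,admin,,2024-05-03
Dan Lee,email,dan@church-name.example,user,,2024-05-03
"""

STALE_DAYS = 180
# Generic logins that several people share; nobody can tell who used them.
SHARED_LOCAL_PARTS = {"office", "admin", "info", "volunteer"}


def audit_access(csv_text: str, today: date) -> list[tuple[str, str, str]]:
    """Return (system, login, issue) findings for accounts that need action.

    Issues: 'departed' (person has a left_on date, revoke this week),
    'stale' (no login for more than STALE_DAYS, confirm it is still needed),
    'shared' (generic login, replace with individual accounts)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        system, login = row["system"], row["login"]
        if row["left_on"]:
            findings.append((system, login, "departed"))
        last_login = date.fromisoformat(row["last_login"])
        if (today - last_login).days > STALE_DAYS:
            findings.append((system, login, "stale"))
        # For e-mail style logins look only at the part before the @.
        if login.split("@")[0].lower() in SHARED_LOCAL_PARTS:
            findings.append((system, login, "shared"))
    return findings


if __name__ == "__main__":
    for system, login, issue in audit_access(ACCOUNTS_CSV, date.today()):
        print(f"{issue:9} {system:16} {login}")
```

The report is deliberately simple: an account can appear more than once (a departed volunteer's account is usually stale as well), and each line is something a specific person can close out before the next review.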

Email Safety

Email is still the number one way attackers get into organizations. And churches are particularly vulnerable because they run on trust. When someone sends an email that looks like it's from the pastor, people don't question it.

Learn to spot phishing emails. The red flags are: urgency ("act now or your account will be closed"), unusual requests ("please buy gift cards and send me the codes"), slightly off sender addresses (pastor.john@church-name.org vs pastor.john@church-narne.org — notice the "rn" instead of "m"), and links that don't go where they claim.
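The "slightly off sender address" check can be automated for a mailbox rule or a quick triage script. The routine below is an added example, not code from the original post: it compares the sender's domain with the organization's real one after collapsing letter pairs that read as a single letter (the page's "rn" for "m", plus "vv" for "w" and "cl" for "d") and digits used in place of letters, and it also flags a familiar display name on an unfamiliar domain, which is how the gift-card request usually arrives. The trusted domain is the page's own church-name.org illustration; the staff name list and sample headers are constructed.

```python
from email.utils import parseaddr

# Constructed for this example: the domain the organization really uses and
# the display names attackers are most likely to impersonate.
TRUSTED_DOMAINS = {"church-name.org"}
KNOWN_NAMES = {"pastor john"}

# Letter pairs that look like a single letter in many fonts ("rn" reads as "m").
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}
# Digits commonly swapped in for the letter they resemble.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse a domain to its visual 'skeleton' so that lookalikes become identical."""
    d = domain.lower().strip()
    for seq, letter in CONFUSABLE_SEQUENCES.items():
        d = d.replace(seq, letter)
    return d.translate(CONFUSABLE_CHARS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> str:
    """Return 'trusted', 'lookalike-domain', 'display-name-spoof' or 'external'
    for the address in a From: header."""
    name, addr = parseaddr(header_from)
    if "@" not in addr:
        return "external"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if skel == skeleton(trusted) or levenshtein(domain, trusted) <= 2:
            return "lookalike-domain"
    # A familiar name on an unfamiliar domain is the classic gift-card scam setup.
    if name.strip().lower() in KNOWN_NAMES:
        return "display-name-spoof"
    return "external"


# Constructed sample headers; the second is the page's own "rn" for "m" example.
SAMPLE_HEADERS = [
    "Pastor John <pastor.john@church-name.org>",
    "Pastor John <pastor.john@church-narne.org>",
    "Pastor John <pastorjohn.urgent@webmail.example>",
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):20} {header}")
```

Anything other than "trusted" is a reason to pause and verify by phone, as the next point says; the script is a prompt for the person reading the mail, not a substitute for that call.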

Verify unusual requests by phone. If you get an email from your pastor asking for something out of the ordinary — especially anything involving money — pick up the phone and call them. Not reply to the email. Call them at the number you already have. This one habit prevents the vast majority of business email compromise attacks.

Be careful with attachments. Don't open unexpected attachments, even from people you know. If someone's email gets hacked, the attacker often sends malicious files to everyone in their contacts. If you weren't expecting it, ask the sender about it before opening.

Data Protection

Churches and nonprofits handle sensitive data every day but often don't think of themselves as data custodians. You are. Member addresses, giving records, counseling notes, volunteer background checks — this is all information that people trusted you with.

Know what data you have and where it lives. Make a list. Member database, giving platform, email lists, spreadsheets on someone's personal laptop, notes in someone's phone. You can't protect what you don't know about.

Back up your data regularly. Use an automated backup that runs at least weekly. Keep backups in a separate location from your primary data. If ransomware encrypts your files, your backup is your lifeline. Test your backups — actually try restoring from them once a quarter to make sure they work.
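The quarterly "actually try restoring" step can itself be a script, so it gets run instead of forgotten. This is an added example, not code from the original post: it archives a folder, records a SHA-256 hash of every file that should be in the backup, restores the archive into a scratch directory and compares the hashes. The sample member and giving files are constructed, and the exclude parameter exists only so the drill can show what a backup job that silently skipped a file looks like.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path, exclude: tuple[str, ...] = ()) -> dict[str, str]:
    """Write source into a gzip tarball and return a manifest of what SHOULD be in it.

    `exclude` is only here so the drill below can simulate a backup job that
    silently skipped a file; a real backup job would not take it."""
    def keep(info: tarfile.TarInfo) -> tarfile.TarInfo | None:
        return None if Path(info.name).name in exclude else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)
    return file_hashes(source)


def verify_restore(archive: Path, manifest: dict[str, str]) -> bool:
    """Restore the archive into a scratch directory and compare every file's hash
    against the manifest. This is the 'actually try restoring' step."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses entries that would escape the target directory.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older Python without extraction filters
                tar.extractall(scratch)
        return file_hashes(Path(scratch)) == manifest


def run_backup_drill(exclude: tuple[str, ...] = ()) -> bool:
    """End-to-end drill on constructed sample data: back up, restore, compare."""
    with tempfile.TemporaryDirectory() as workdir:
        work = Path(workdir)
        source = work / "member-data"
        (source / "giving").mkdir(parents=True)
        # Constructed sample records, not real member data.
        (source / "members.csv").write_text("id,name\n1,Sample Member\n")
        (source / "giving" / "2024.csv").write_text("member_id,amount\n1,50.00\n")
        archive = work / "backup.tar.gz"
        manifest = create_backup(source, archive, exclude)
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("good backup restores cleanly:", run_backup_drill())
    print("backup that skipped a file is caught:", not run_backup_drill(exclude=("2024.csv",)))
```

The manifest is computed from the live data, not from the archive, which is the point: a backup that "succeeds" but is missing files fails the comparison, and that is exactly the failure nobody notices until the day they need the restore.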

Encrypt sensitive files. If you store sensitive information on laptops or external drives, make sure those devices are encrypted. On Windows, it's BitLocker. On Mac, it's FileVault. Turn it on. If a laptop gets stolen from someone's car, encryption is the difference between a lost device and a data breach.

Be thoughtful about what you collect. Don't collect data you don't need. If you don't need social security numbers, don't ask for them. The data you don't have can't be stolen.

Website Security

Your church or nonprofit website is your public face, and it's often running on software that hasn't been updated in months. Outdated websites are easy targets.

Keep everything updated. WordPress plugins, themes, the core software itself — update it all. Most website hacks exploit known vulnerabilities that were already patched. The fix is literally sitting there waiting to be installed.

Use HTTPS. If your website URL starts with "http" instead of "https," fix that today. Most hosting providers offer free SSL certificates. HTTPS encrypts the connection between your visitors and your site. Without it, anything someone types into a form on your site — including contact information and prayer requests — travels across the internet in plain text.

Limit admin accounts. Not everyone needs to be a website administrator. Give people the minimum level of access they need to do their job. Content editors don't need admin access. Volunteers posting event updates don't need access to the site settings.

Use strong, unique passwords for your hosting and domain accounts. These are the keys to your entire online presence. If someone gets into your hosting account, they control everything. Use long passwords, enable two-factor authentication, and keep these credentials somewhere safe.

Wi-Fi and Network

Church and office networks are often set up once and never touched again. That's a problem.

Separate your guest Wi-Fi from your office network. If visitors and members connect to the same network your staff uses for financial transactions and member data, a compromised device on the guest network could potentially access everything else. Most modern routers support creating a separate guest network — it takes about fifteen minutes to set up.

Change default passwords on network equipment. Routers, access points, and network switches ship with default passwords that are published on the internet. Change them.

Keep your router firmware updated. Your router is the gateway to everything on your network. If it has a known vulnerability, everything behind it is at risk. Check for firmware updates quarterly.

Incident Response

Even with good security practices, something might still go wrong. Having a basic plan means you won't be making critical decisions in a state of panic.

Know who to call. Identify in advance who you'll contact if something goes wrong. Your IT person (or the volunteer who handles tech), your bank (if financial accounts might be compromised), and potentially local law enforcement for serious breaches.

Know what to do first. If you suspect a breach, change passwords on affected accounts immediately. Disconnect compromised devices from your network. Don't delete anything — you may need it for investigation later.

Have a communication plan. If member data is compromised, you'll need to notify people. Think about how you'd do that before you need to. Being upfront and fast with communication preserves trust much better than trying to hide it.

Start Somewhere

This list might feel overwhelming. That's okay. You don't have to do everything at once. If you do nothing else, do these three things this week:

Those three things, done today, eliminate the majority of the risk most small organizations face. Everything else on this list can happen over the next few months.

Security isn't a destination. It's a habit. And like most habits, it starts with small, consistent steps.


SimpleNow AI helps churches, nonprofits, and small businesses implement practical technology solutions — including security practices that protect the people who trust you with their information.