Serving Orange County, CA - Based in Irvine  ·  (949) 274-8774

How Churches and Nonprofits Can Secure Their IT (On a Budget)

Churches and nonprofits tend to think they're too small or too unimportant to be targets. That's exactly why they get hit. Cybercriminals know that nonprofits handle donor data, financial records, and personal information - often with minimal security in place.

The good news: you don't need an enterprise budget to protect your organization. Here's what actually matters, prioritized by impact and cost.

Why Nonprofits and Churches Are Targets

It's not personal. It's opportunistic. Here's what makes churches and nonprofits attractive to attackers:

  • Donor databases - names, addresses, email addresses, and often credit card or bank account information. That's valuable data.
  • Limited IT resources - no dedicated IT staff, outdated systems, and volunteer-managed technology.
  • Trust-based culture - people in ministry and nonprofit work tend to be trusting. That makes social engineering and phishing more effective.
  • Shared computers - multiple staff and volunteers using the same machines, often without individual accounts or access controls.
  • Weak financial controls - many churches have one person managing finances with broad access and limited oversight.

In Orange County alone, we've seen churches lose tens of thousands of dollars to business email compromise - an attacker impersonating the pastor to request a wire transfer to a "new vendor." It happens more than anyone talks about.

The Essentials: What to Do First

If you do nothing else, do these three things:

1. Enable MFA on everything. Multi-factor authentication on your email, church management software, banking, and any admin accounts. This single step blocks the majority of account compromises. It's free. Do it today.

2. Use a password manager. Stop sharing passwords on sticky notes and spreadsheets. A team password manager like Bitwarden (free for small teams) lets you share credentials securely and generate strong, unique passwords for every account.

3. Back up your data. Your donor database, financial records, and documents should be backed up automatically to a separate location. Microsoft 365 with OneDrive gives you cloud backup built in. One caveat: OneDrive is a sync service, so a file deleted or encrypted by ransomware on a staff PC is deleted or encrypted in the cloud copy too - lean on its version history and recycle bin, and keep a second copy the sync client cannot reach. For local files, a simple cloud backup service costs $5-$10/month.

The Next Level: Budget-Friendly Security

Microsoft 365 for Nonprofits. Microsoft offers free and deeply discounted licenses for qualifying nonprofits. Microsoft 365 Business Basic is free for up to 300 users. Business Premium (with advanced security) is $5/user/month instead of $22. This gives you enterprise-grade email, cloud storage, and security tools at a fraction of the cost.

Google Workspace for Nonprofits. Similarly, Google offers free Workspace licenses for nonprofits through Google for Nonprofits. If your organization uses Gmail, this is worth looking into.

DNS filtering. Services like Cloudflare Gateway (free tier available) or Cisco Umbrella block access to known malicious websites at the network level. Configure it on your church's router and every device on the network is protected - even visitors on guest Wi-Fi. The protection applies as long as devices use the router's DNS; a device configured with its own DNS server bypasses the filter, so hand out the filtered resolver via DHCP and leave it at that.

Security awareness training. Free resources exist. KnowBe4 offers a free training module. Google's Phishing Quiz is excellent for staff meetings. The goal is simple: teach your team to pause before clicking.

Protecting Donor and Financial Data

Your donors trust you with their information. Honoring that trust means:

  • PCI compliance for online giving - use a reputable giving platform (Tithe.ly, Pushpay, Planning Center Giving) that handles PCI compliance for you. Never store credit card numbers yourself.
  • Separate financial access - the person who enters transactions shouldn't be the same person who approves them. Require dual authorization for transfers over a set threshold.
  • Encrypted email for sensitive communications - when sharing financial reports or donor information, use encrypted email or a secure file sharing link - not regular email attachments.
  • Regular access reviews - when a staff member or volunteer leaves, disable their accounts immediately. We see churches where former employees still have access months later.
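The separate-access and dual-authorization rules above are easy to state and easy to drift from in practice. Below is an added example (not code from the original article or from any giving or accounting platform) that encodes both rules as a check a finance volunteer could run against a list of pending transfers: the person who entered a transfer can never count as its approver, and transfers at or above a threshold need two distinct approvers. The threshold amount and the sample transfers are constructed for illustration.

```python
"""Separation-of-duties check for outgoing transfers.

Added example, not the article's own code. Models two controls:
  - the submitter of a transfer cannot also approve it
  - transfers at or above DUAL_APPROVAL_THRESHOLD need two distinct approvers
"""
from __future__ import annotations

from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 5_000.00  # constructed value; set to your own policy amount


@dataclass
class Transfer:
    amount: float
    payee: str
    entered_by: str
    approved_by: list[str] = field(default_factory=list)


def approvals_required(amount: float) -> int:
    """One approver below the threshold, two at or above it."""
    return 2 if amount >= DUAL_APPROVAL_THRESHOLD else 1


def check_transfer(t: Transfer) -> tuple[bool, str]:
    """Return (allowed, reason) for a single pending transfer."""
    # Normalise names so "Chris" and "chris " are one approver, not two.
    approvers = {a.strip().lower() for a in t.approved_by if a.strip()}
    submitter = t.entered_by.strip().lower()
    if submitter in approvers:
        return False, f"{t.entered_by} entered this transfer and cannot also approve it"
    needed = approvals_required(t.amount)
    if len(approvers) < needed:
        return False, f"{needed} distinct approver(s) required, {len(approvers)} given"
    return True, "ok"


def review_batch(transfers: list[Transfer]) -> list[tuple[Transfer, bool, str]]:
    """Run every pending transfer through the check; nothing is released here."""
    return [(t, *check_transfer(t)) for t in transfers]


if __name__ == "__main__":
    # Constructed sample batch, including the "new vendor" pattern from the article.
    pending = [
        Transfer(12_000, "New Vendor LLC", "pat", ["pat", "chris"]),   # self-approval
        Transfer(12_000, "New Vendor LLC", "pat", ["chris", "Chris"]),  # same person twice
        Transfer(12_000, "Roofing Co", "pat", ["chris", "sam"]),        # two real approvers
        Transfer(350, "Office Supply", "pat", ["chris"]),               # below threshold
    ]
    for t, ok, why in review_batch(pending):
        print(f"{'ALLOW' if ok else 'BLOCK':5} ${t.amount:>9,.2f} to {t.payee}: {why}")
```

The check is deliberately strict at the boundary: a transfer of exactly the threshold amount already needs two approvers, and approver names are compared case-insensitively so one person cannot approve twice under two spellings.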

Wi-Fi Security (Yes, It Matters)

Most churches have Wi-Fi for staff and guests. Here's the minimum:

  • Separate networks - staff/admin on one network, guests on another. Guest Wi-Fi should NOT have access to your internal systems, printers, or file shares.
  • WPA3 or WPA2-Enterprise - if your Wi-Fi password is "church123" and hasn't changed in three years, fix that.
  • Content filtering on guest network - especially if kids use it. DNS filtering handles this easily.

The Volunteer Problem

Volunteers are the backbone of churches and nonprofits. They're also an IT security challenge:

  • They use personal devices to access church systems
  • They share login credentials because "it's easier"
  • They may have access long after they've stopped volunteering
  • They mean well but haven't been trained on security basics

The fix: individual accounts (not shared logins), limited access based on role, and a simple offboarding process when someone moves on. Managed IT services can automate most of this.
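Both the "regular access reviews" item above and the volunteer offboarding process come down to the same quarterly exercise: compare who has an enabled account against who actually serves right now, and flag the difference. The script below is an added example, not from the original article or from any identity provider; it assumes two CSV files you export yourself (the account list from your admin console and your staff/volunteer roster) with the column names shown, which are assumptions to adjust to your own export. The sample rows are constructed.

```python
"""Quarterly access review: enabled accounts vs. the current roster.

Added example, not the article's own script. Flags enabled accounts that
belong to nobody on the roster (former staff/volunteers or shared logins)
and accounts nobody has signed in to for STALE_DAYS.
"""
from __future__ import annotations

import csv
import io
from datetime import date, datetime

STALE_DAYS = 90  # assumed policy: flag accounts unused for this long

# Constructed sample: what an identity-provider user export might look like.
ACCOUNTS_CSV = """\
upn,display_name,enabled,last_sign_in
pastor@example.org,Pat Rivera,True,2024-05-30
office@example.org,Front Office,True,2024-05-31
jordan@example.org,Jordan Lee,True,2024-01-12
alex@example.org,Alex Kim,True,2024-05-29
sam@example.org,Sam Ortiz,False,2023-11-02
"""

# Constructed sample: who currently serves, from the staff/volunteer roster.
ROSTER_CSV = """\
email,name,role
pastor@example.org,Pat Rivera,staff
alex@example.org,Alex Kim,volunteer
"""


def parse_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review_access(accounts_csv: str, roster_csv: str, today: date) -> list[dict]:
    """Return one finding per enabled account that needs a human decision."""
    roster = {row["email"].strip().lower() for row in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: offboarding done
        upn = acct["upn"].strip().lower()
        problems = []
        if upn not in roster:
            # Either a person who left or a generic shared login like "office@";
            # both should be disabled or reassigned to a named individual.
            problems.append("no matching person on roster (former member or shared login)")
        last = acct["last_sign_in"].strip()
        if not last:
            problems.append("never signed in")
        else:
            age = (today - datetime.strptime(last, "%Y-%m-%d").date()).days
            if age > STALE_DAYS:
                problems.append(f"no sign-in for {age} days")
        if problems:
            findings.append({"upn": upn, "name": acct["display_name"], "problems": problems})
    return findings


def run_sample() -> list[dict]:
    """Review the constructed sample as of a fixed date so results are repeatable."""
    return review_access(ACCOUNTS_CSV, ROSTER_CSV, today=date(2024, 6, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['upn']} ({f['name']}):")
        for p in f["problems"]:
            print(f"    - {p}")
```

On the sample data the script flags the shared office mailbox and a volunteer who left in January but still has an enabled account; the pastor and the current volunteer pass, and the already-disabled account is skipped. Replace the two inline strings with `open(...).read()` of your real exports and run it at the end of each quarter.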

What This Costs

Here's a realistic budget for a 20-person church or nonprofit:

  • Microsoft 365 Business Premium (nonprofit pricing): ~$100/month total
  • Cloud backup: $10-$20/month
  • DNS filtering: free-$50/month
  • Password manager: free-$30/month
  • Managed IT support: $1,500-$2,500/month (or less for basic support)

Total: roughly $1,600-$2,700/month for proper IT security. That's a fraction of what a single incident would cost - and a fraction of what your congregation trusts you to protect.

If even that feels like a stretch, start with the free stuff: MFA, password manager, and nonprofit-priced Microsoft 365. Those three steps alone put you ahead of 80% of similar organizations.

Need help securing your church or nonprofit's IT?

We offer nonprofit-friendly pricing and free initial assessments. Let's start with what you have and build from there.
