Protect Ministry Data and Computers

Safeguarding information can help deter theft, preserve privacy, and avoid lawsuits

Everything from mailing lists and donation records to Social Security information to banking information may be kept in a church database or filing cabinet. Left unsecured, this data and protected personal information could make your attendees, donors, and employees vulnerable to thieves, putting both your ministry and them at risk. Carefully protecting data and information not only makes business sense, but it also can reduce the likelihood of crippling data loss, embarrassing public disclosures, and lawsuits.




Physical Security

Physical security is a vital aspect of data protection. The Federal Trade Commission offers these safety tips:

  • Store paper files and USB drives that contain sensitive information in a locked cabinet.
  • Allow access to electronic or paper records containing sensitive data only to those who need it.
  • Train employees and volunteers on how to protect the privacy, confidentiality, and security of personal information.
  • Remind employees and volunteers to put paper files in locked file cabinets, to log off laptops and devices, to sign out of apps or platforms, and never to leave files or devices with sensitive data unattended.
  • Keep track of and secure any devices that collect sensitive information. Only keep files and data you need and know who has access to them.
  • Secure your building with locks and alarms.
  • Send and receive business mail from a secured mailbox or post office box.
  • Shred papers containing sensitive business information or personally identifiable information.

Network and Device Security

Data housed on devices, such as a laptop or tablet, are particularly vulnerable to theft—especially when they are connected to the Internet. One errant click can leave an entire congregation or staff open to identity theft. Because hackers go to great lengths to ensure that you can't easily shake them off, the best medicine is prevention. Here's what you can do:

  • Limit access with passwords. Use complex passwords (longer and unique) to limit employee and volunteer access to sensitive information. Train office workers to keep passwords private. Be sure to issue new passwords when an employee or volunteer stops working in the office and no longer needs to view ministry records.
  • Require multi-factor authentication. Require it for access to areas of your network with sensitive information. It adds steps beyond logging in with a password, like a temporary code on a smartphone or a key that’s inserted into a computer.
  • Keep software up to date. Windows and Mac computers can be set to automatically apply security updates. Many of the individual programs and apps on your computer can also be set to automatically apply updates. Taking the time to enable the automatic settings now will ensure you don’t forget when you are busy later.
  • Install a dependable firewall. Both hardware and software firewalls are designed to prevent unauthorized access to a network.
  • Secure your wireless network. If your church uses Wi-Fi for staff members and you would like to offer Wi-Fi Internet access to the congregation or visitors, make sure to set up an additional and separate guest network that only has access to the Internet. Wi-Fi networks should always be password-protected. The password for the guest network can be shared each week via the church bulletin, slides, signs, or another method. As with all passwords, it should be changed regularly. For more information, read Protect Computer Networks When Offering Free Wi-Fi.
  • Keep up with anti-virus software updates. Anti-virus software can prevent or reduce the impact of virus infections. Paid anti-virus software generally keeps itself up to date as long as you pay your subscription fee each year. Check periodically to ensure the license period hasn’t expired. Some free anti-virus software is available—check the licensing terms to make sure that the free use includes use in a church or nonprofit.
  • Fine-tune your browser settings. Adjust your browser to use a higher security setting. Most browsers can automatically check for security updates and install the newest version.
  • Scan devices weekly for malicious software. Most virus and spyware protection software can be programmed to do this automatically.
  • Preserve critical data. Back up business records daily, weekly, or monthly, depending on how often data is edited and your tolerance for risk of losing the data. Store backups in a secure, off-site location, such as a safe deposit box. This protects your ministry from losing records to computer breaches and other events, such as tornadoes, floods, or fires.
  • Know what you're installing. Ask yourself, “Do I know and trust the source of this software?” Reputable software publishers will either avoid including adware/spyware with their products or clearly tell you how to download the software without the “extras.”
  • Protect your website. It’s best to host your ministry website—and online giving platforms—with a trusted vendor that uses industry-standard security measures. Be sure to thoroughly screen the vendor and review any contract before signing it.
  • Erase data correctly. Use trusted software to erase data if you're planning to donate or discard devices such as computers, mobile devices, digital copiers, or drives. Just hitting “delete” may not actually remove the file from all locations on the computer.

Beware of Scams

Scammers are finding more ways to entice people into giving up personal and organization data. From sending emails pretending to be the pastor or other ministry leader asking for money to be wired immediately to sending emails demanding W-2 files be sent via PDF format, scammers are targeting nonprofit organizations. Take steps to protect your ministry:

  • Watch what you click. Though it can be time-consuming to read pop-up messages, it's important you know what you're doing before you click. Many fraudsters are counting on you to be in the habit of simply clicking on links or selecting “OK” or “Yes” on everything you see. When in doubt, avoid clicking the link. Instead, call the company or visit its website, using contact information you already know to be genuine. Do not enter usernames or passwords if you don’t know why you are being asked for them.
  • Never send personal information through email. Before submitting financial information on a website, look for the “lock” icon, often located in the browser’s address bar. This icon indicates that your information will be transmitted securely.
  • Monitor financial accounts. Review credit card and bank accounts online for unauthorized charges. Call your credit card company or bank immediately if you notice unauthorized charges.
  • Hire an expert. Find an established information technology (IT) support company that has a good reputation, stands behind its work, and comes highly recommended by other clients.
  • Report scams. Report suspicious activity to the Federal Trade Commission (FTC) via their website, ftc.gov. If you receive spam email that asks you to supply sensitive information, forward it to spam@uce.gov. Visit the FTC's website to learn other ways to avoid email scams and deal with deceptive spam.

How Do I Know If My Computer Is Affected?

Sometimes, data breaches are caused by software programs known as adware, spyware, or hijackers. How can you tell if you’ve been affected by these programs? Look for these warning signs:

  • New homepage or search page. The pages you're used to seeing when your browser first opens or when you search the Web have suddenly changed. Often these new pages pop up several ads and messages about viruses, and then offer a download to fix the problem for just $19.95.
  • New toolbars. Suddenly your browser software displays new toolbars across the top of the screen that you didn't put there.
  • Unwanted ads. Advertisements frequently and randomly pop up on your computer, even when you're not surfing the internet.
  • Browser troubles. Web browsing programs no longer work properly.
  • Freezes. Your computer “freezes up” or “crashes” more frequently.
  • Slowdowns. Overall, your computer performs much more slowly.

Prepare for the Worst

Even if you’ve done your due diligence, thieves may find their way into ministry data. Create procedures that describe how to handle a security breach, should one occur, to help limit negative effects. Here are a few ways to prepare:

  1. Seek help in advance. When you suspect that a breach occurred, it’s good to have an experienced, trustworthy IT professional on call to investigate. This professional also can lend advice on how to handle the situation.
  2. Review state laws. You may be required to notify the individuals who may have had their information stolen. The National Conference of State Legislatures provides a resource listing state security breach notification laws. A local attorney can explain how your state’s law applies to your ministry.
  3. Prepare a sample notification letter. If you have to notify people that their information may have been stolen, having a sample notification letter ready can help meet these requirements quickly. The Federal Trade Commission’s Bureau of Consumer Protection offers a helpful resource that gives guidance on how to respond to a data breach and identity theft. It also provides a sample notification letter.
  4. Review your ministry’s insurance policy. This will help you determine if it includes coverage for data theft. Most standard insurance policies do not include cyber liability coverage unless the customer specifically asks for it. Some insurers provide special stand-alone cyber liability policies.

If your ministry’s data is hacked, contact law enforcement immediately. This is especially critical if financial information has been compromised. Notify your insurance agent or insurance company’s claims department, as well.



Updated December 2022

The information provided in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.