Cybersecurity Challenges and Their Impact on Church Parishes

Nov 30, 2023 2:35:57 PM | Article

In today's digital age, church parishes face increasing cybersecurity challenges that extend beyond businesses and government organizations. Cyber threats, such as ransomware, data breaches, and phishing, have caused significant harm to houses of faith, leading to financial losses and reputational damage. This post highlights the importance of addressing these challenges and discusses the advisories and recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA). By following CISA's guidance, implementing best practices, and understanding the potential consequences of a breach, parishes can mitigate risks and maintain trust with their congregation. Prioritizing cybersecurity efforts and allocating necessary resources are essential for the well-being and sustainability of church parishes.

In today's digital age, cybersecurity challenges are no longer limited to businesses and government organizations; they have now extended to religious institutions, including church parishes. As churches become more reliant on technology for communication, donations, and data management, they become vulnerable to cyber threats. In this post, we aim to shed light on the increasing cybersecurity challenges facing church parishes and the importance of addressing these challenges to protect their congregation, data, and resources. We will delve into the advisories and recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA) and discuss the unexpected costs a cybersecurity breach can impose on a small parish.

Recently, several higher-profile attacks have occurred on Churches and other Houses of Faith. In late 2022, The Church of Jesus Christ of Latter-day Saints was breached, releasing information on employees and church members (https://informationsecuritybuzz.com/mormon-church-hit-by-cyberattack-personal-data-exposed/). However, other breaches have occurred. In 2019, cyber criminals stole 1.75 million from a Cleveland-area church (https://www.forbes.com/sites/leemathews/2019/04/30/cybercriminals-steal-1-75-million-from-an-ohio-church/). Just recently, the Bishop Luffa School, run by the Church of England, had all student names published by a cyber criminal (https://cybernews.com/news/bishop-luffa-school-attack-leak-student-names/).

Attacks on Houses of Faith take many forms, but some common examples are ransomware and data breaches. Phishing is also worth noting, as it is often how cyber criminals gain access to a network. Phishing is also used for direct financial fraud, such as gift card scams and funds transfer misdirection.

Ransomware is the threat we hear about most. It involves the encryption of all data on a network or system. It is easy for a parish to assume they can work without their data while it is recovered. Still, technology has found its way into many aspects of parish life. Live streams can be interrupted or canceled. Shared calendars can be compromised, and even access to accounting systems can be lost.

Increasingly, as backups have gotten better, attackers have moved to data breaches. In a data breach case, sensitive data is stolen by cyber criminals, and extortion is used to ensure payment. As ransomware has become less effective, data theft has also been combined with it as a second means of ensuring users pay.

Phishing is often the attack vector used to gain initial access. On top of being used to gain access to a system for Ransomware or Data Breaches, it can be utilized independently. Scams involving attackers posing as church officials or vendors have redirected donations and payments from parishes. These are sometimes covered by insurance, but in many cases, the burden is on the parish for these costs.

The Cybersecurity and Infrastructure Security Agency (CISA) releases security guidance for general businesses. CISA, in its role, has published a large amount of advice that applies to all organizations and some specifics for Faith-Based Organizations.

The first resource is CISA's Cyber Essentials at https://www.cisa.gov/resources-tools/resources/cyber-essentials. It provides a starter kit to prepare you for your general cybersecurity journey. Once complete, one should review the multi-factor page at https://www.cisa.gov/MFA. This is an excellent resource to explain to staff and leaders why Multi-Factor is needed.

On the Faith-Based side, the CISA Guide to Mitigating Attacks on Houses of Worship located at https://www.cisa.gov/resources-tools/resources/mitigating-attacks-Houses-worship-security-guide contains a wealth of information from both a physical security as well as a cyber security perspective.

Unfortunately, many organizations fail to secure their networks properly or to maintain good cybersecurity hygiene. The cost of breaches due to poor security is high and unexpected.

The ransom payment is the most direct cost in a ransomware or extortion case. Ransoms vary wildly from case to case, but most cyber-crime organizations aim for these payments to be approximately 3% of the annual revenue of the organization hit (Source: https://www.netapp.com/blog/ransomware-cost/).

However, this cost is only part of the equation. The same source above estimates that the price of ransom itself is only approximately 15% of the total cost. Additional costs are lost revenue or donations and any fees to recover, such as attorneys and equipment replacement.

Reputational damage can be a significant concern for parishes after an attack. Congregants expect churches to maintain high trustworthiness and confidentiality, especially concerning personal or financial information. The loss of trust following a cybersecurity incident can lead to confidence in the organization eroding. This loss of trust can, in turn, lead to a decline in attendance and participation. This can directly impact donation income, with parishioners being reluctant to contribute financially due to concerns about the safety of their information. This loss of income can be devastating for small parishes.

Finally, the cost of incident response and recovery often overshadows the price of the ransom if paid. In many cases, breach attorneys, incident response professionals, and reputational or media consultants must be engaged at a high cost to the parish.

Many organizations feel insurance will cover these costs, only to find out they are uninsured or under-insured when an incident happens. Even in cases where the entity is insured, coverage will often not cover the entire cost of an incident and cannot help with reputational damage.

These costs are impossible to budget for and make cybersecurity attacks a grave concern for all places of worship, but they are particularly challenging for small parishes.

So what can a House of Worship do to ensure they are safe?

  • Train all staff and volunteers on cybersecurity awareness. Using resources such as the CISA guide, ensure all engaged participants understand security and that they must do their part. In their Data Breach Investigations Report, Verizon calls out that 82% of all attacks involve a human element (source: https://www.verizon.com/business/resources/reports/dbir/). Educating your staff and volunteers on proper cybersecurity practices can help cut that number down dramatically.
  • Develop a comprehensive cybersecurity plan. Much like physical security and other disaster plans, an organization should have a documented set of policies and procedures they follow before and after a cybersecurity incident. This includes general policies such as acceptable use and funds transfer and a detailed and practiced incident response plan.
  • Ensure you have good backups of all data, including cloud data. This should include offline backups that are not reachable from the main network. This will aid in recovery if a ransomware incident occurs.
  • Review your insurance coverage. Ensure you have coverage in place for all risks you maintain. We recommend working with your insurance broker to determine whether you are covered.

In conclusion, church parishes must recognize the importance of cybersecurity and take proactive measures to safeguard their congregation's data, resources, and trust. By implementing best practices, following CISA advisories, and dedicating time and effort to cybersecurity education and planning, parishes can significantly reduce the risk of cyber threats. We urge all church parishes to prioritize cybersecurity efforts and allocate the necessary resources to protect their digital assets and, ultimately, their communities. Be proactive, stay informed, and work together to build a safer, more secure digital environment for your parish.

If your parish wants to improve its cybersecurity posture and needs help, we're here for you.

Written By: Jason Slagle