The 5-Step Cybersecurity Plan

A simple, non-technical guide to protecting your data, your donors, and your mission.

✓ No technical expertise required
✓ Implement at your own pace
✓ 100% actionable

Protecting your organization's data is like protecting your building—it's an act of stewardship. This guide breaks cybersecurity down into 5 manageable steps.

Start Here: The “Must-Do” Priorities

Feeling overwhelmed? If you can only do three things right now, do these:

  1. Enable Multi-Factor Authentication (MFA) on email and financial accounts (Step 2)
  2. Set up automatic backups of critical data (Step 4)
  3. Train your team to recognize phishing emails (Step 1)

Step 1: Build Your “Human Firewall” (Training)

What it is: Your people are your first line of defense against phishing emails and social engineering attacks.

Teach everyone to spot these red flags:

  • Urgent or threatening language: “Your account will be closed!” or “Click now or lose access!”
  • Suspicious sender address: Hover over the “From” address—does it look legitimate?
  • Requests for passwords or money: Real companies never ask for passwords via email
  • Unexpected attachments or links: When in doubt, don't click—verify by calling the sender
  • Generic greetings: “Dear Customer” instead of your actual name

Make it ongoing: Security training isn't a one-time event. Include it in onboarding and refresh it quarterly.
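The five red flags above can also be written down as simple rules, which is a useful way to show a team what they are actually looking for. The following Python script is an added example and is not part of the guide; the sample messages, the keyword lists, the `ourchurch.org` domain and the "two flags means stop and verify" threshold are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Keyword lists mirror the guide's five red flags; the exact phrases and the
# two-flag threshold are assumptions chosen for this example.
URGENT_PHRASES = ("account will be closed", "click now", "lose access",
                  "within 24 hours", "urgent", "suspended", "immediately")
CREDENTIAL_OR_MONEY = ("password", "verify your account", "wire transfer",
                       "gift card", "bank details", "payment")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "hello friend")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".htm", ".html")


@dataclass
class Email:
    """Constructed, minimal view of a message (not a real mail parser)."""
    from_name: str
    from_addr: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)  # (visible text, real href) pairs


def domain_of(addr_or_url: str) -> str:
    """Lowercase host part of an email address or URL ('' if none)."""
    s = addr_or_url.lower().strip()
    if "@" in s:
        return s.rsplit("@", 1)[1]
    m = re.match(r"^[a-z]+://([^/:?#]+)", s)
    return m.group(1) if m else ""


def red_flags(mail: Email, trusted_domains=()) -> list:
    """Return the guide's red flags that this message triggers, as short strings."""
    flags = []
    text = f"{mail.subject}\n{mail.body}".lower()

    # 1. Urgent or threatening language
    if any(p in text for p in URGENT_PHRASES):
        flags.append("urgent or threatening language")

    # 2. Suspicious sender: a look-alike of one of our own or our vendors' domains
    sender = domain_of(mail.from_addr)
    for trusted in trusted_domains:
        label = trusted.split(".")[0]          # 'ourchurch' from 'ourchurch.org'
        if sender != trusted and label in sender:
            flags.append(f"sender domain {sender} looks like {trusted}")
            break

    # 3. Asks for passwords or money
    if any(p in text for p in CREDENTIAL_OR_MONEY):
        flags.append("requests credentials or payment")

    # 4a. Risky attachment type (including double extensions such as .pdf.exe)
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in mail.attachments):
        flags.append("risky attachment type")

    # 4b. Link text shows one site but the href goes somewhere else
    for visible, href in mail.links:
        shown, real = domain_of(visible), domain_of(href)
        if shown and shown != real:
            flags.append(f"link text says {shown} but goes to {real}")
            break

    # 5. Generic greeting
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")

    return flags


def is_suspicious(mail: Email, trusted_domains=(), threshold=2) -> bool:
    """Two or more red flags: stop and verify by phone before acting."""
    return len(red_flags(mail, trusted_domains)) >= threshold


# Constructed sample messages for a stand-alone run
PHISH = Email(
    from_name="OurChurch IT Support",
    from_addr="helpdesk@ourchurch-secure.com",
    subject="URGENT: your account will be closed",
    body="Dear Customer, click now and confirm your password to keep access.",
    attachments=["invoice.pdf.exe"],
    links=[("https://ourchurch.org/login", "http://ourchurch-secure.com/login")],
)
LEGIT = Email(
    from_name="Pat (Treasurer)",
    from_addr="pat@ourchurch.org",
    subject="Budget meeting Thursday",
    body="Hi Sam, the agenda is attached. See you Thursday.",
    attachments=["agenda.pdf"],
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.subject, "->", red_flags(m, trusted_domains=("ourchurch.org",)))
```

Keyword matching like this is deliberately crude: it is a teaching aid that makes the red flags concrete, not a replacement for the spam and phishing filtering built into your email provider. The look-alike domain check is the one rule that most people find hardest to do by eye, which is why hovering over the sender address matters.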

Step 2: Lock Your Digital Doors (Access Control)

What it is: Only giving “keys” to people who need them—and making sure those keys are strong.

1. Enable Multi-Factor Authentication (MFA) EVERYWHERE:

  • Require MFA on email accounts (your #1 vulnerability)
  • Enable MFA on financial/banking systems
  • Use MFA on your church management software
  • Even if a password is stolen, MFA blocks the attacker

2. Use a Password Manager:

  • Creates strong, unique passwords automatically
  • You only need to remember ONE master password
  • Many offer nonprofit discounts (see our directory)

3. Follow the “Principle of Least Privilege”:

  • Only give people access to what they need for their role
  • Remove access immediately when staff or volunteers leave
  • Review who has access to sensitive systems quarterly

Step 3: Protect Your Devices (Antivirus & Updates)

What it is: Securing the computers and phones used for church or ministry business.

1. Install Antivirus/Anti-Malware Software:

  • Every device needs protection (computers, tablets, phones)
  • Free options exist, but paid options offer better protection
  • Many providers offer deep nonprofit discounts (see TechSoup in our directory)

2. ⚠️ CRITICAL: Always Install Software Updates

  • Updates are FREE security fixes for known vulnerabilities
  • Enable automatic updates whenever possible
  • This includes: Windows/Mac updates, web browsers, plugins, and ALL software
  • Outdated software is the #1 way attackers break in

3. Secure Your Wi-Fi Network:

  • Use WPA3 encryption (or at minimum WPA2)
  • Change the default admin password on your router
  • Create a separate “Guest” network for visitors

Step 4: Back Up Your Data (Resilience)

What it is: Making copies of your critical information (donor lists, financial records) in case of ransomware or hardware failure.

Why it matters: Backups are your ONLY defense against ransomware. If your files are encrypted, you can restore from a backup instead of paying criminals.

The 3-2-1 Backup Rule:

  • 3 copies of your data (the original + 2 backups)
  • 2 different types of storage (e.g., external hard drive + cloud)
  • 1 copy off-site (cloud storage or physically at a different location)

What to Back Up:

  • Donor database and financial records
  • Church management software data
  • Important documents and files
  • Email archives (if not cloud-based)

🚨 CRITICAL: Test Your Backups

A backup you can't restore is useless. Test your backups quarterly by actually restoring a file to make sure the process works.

Recommended Approach:

  • Use automatic cloud backup (Google Drive, Microsoft OneDrive, or Backblaze)
  • Keep one offline backup on an external hard drive (disconnect it when not backing up)
  • Set backups to run automatically (daily or weekly)
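The 3-2-1 rule and the "actually restore a file" test above are both things you can check mechanically rather than take on faith. The Python script below is an added example, not part of the guide and not a product's backup tool: it builds a small constructed set of "donor" and "finance" files in a temporary folder, copies them to two stand-in destinations (one playing the external drive, one playing the cloud), checks the inventory of copies against 3-2-1, and then performs the quarterly restore test by restoring one file and comparing its SHA-256 hash with the backed-up original. Folder names, file contents and the `BackupCopy` inventory are all assumptions made up for the example.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data: where it lives and whether it is off-site (constructed)."""
    name: str
    media: str        # e.g. "primary", "external-drive", "cloud"
    offsite: bool


def check_321(copies) -> list:
    """Return the 3-2-1 rule violations for an inventory of copies; [] means compliant.
    The inventory includes the original (media == 'primary') plus every backup."""
    problems = []
    if len(copies) < 3:
        problems.append(f"need 3 copies, have {len(copies)}")
    if len({c.media for c in copies}) < 2:
        problems.append("need 2 different storage types")
    if not any(c.offsite for c in copies):
        problems.append("need at least 1 off-site copy")
    return problems


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(primary: Path, destination: Path) -> dict:
    """Copy every file under primary into destination and return a manifest
    {relative path: sha256} that the restore test can check against."""
    manifest = {}
    for src in primary.rglob("*"):
        if src.is_file():
            rel = src.relative_to(primary).as_posix()
            dst = destination / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(src)
    return manifest


def verify_restore(backup: Path, manifest: dict, relpath: str) -> bool:
    """The quarterly test from the guide: restore one file from the backup into a
    scratch folder and confirm its hash matches the value recorded at backup time."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / Path(relpath).name
        shutil.copy2(backup / relpath, restored)
        return sha256_of(restored) == manifest.get(relpath)


def demo() -> dict:
    """Build a constructed data set, back it up twice, check 3-2-1, test a restore.
    Returns a summary dict so the outcome can be checked programmatically."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        primary = root / "primary"
        (primary / "finance").mkdir(parents=True)
        (primary / "donors.csv").write_text("name,amount\nA. Donor,100\n")
        (primary / "finance" / "ledger.csv").write_text("2024-01-01,rent,1200\n")

        external = root / "external-drive"   # stands in for the offline USB disk
        cloud = root / "cloud"               # stands in for the off-site cloud copy
        manifest = run_backup(primary, external)
        run_backup(primary, cloud)

        copies = [
            BackupCopy("working files", "primary", offsite=False),
            BackupCopy("USB drive", "external-drive", offsite=False),
            BackupCopy("cloud backup", "cloud", offsite=True),
        ]
        return {
            "rule_321_problems": check_321(copies),
            "restore_ok": verify_restore(external, manifest, "finance/ledger.csv"),
            "files_backed_up": len(manifest),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest of hashes is the part worth keeping from this example: a backup whose file hashes no longer match what was recorded is either corrupt or has been altered, and that is exactly the situation the quarterly restore test is meant to catch before you need the backup for real.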

Step 5: Make a Plan (Policy)

What it is: Writing down the rules so everyone is on the same page about security.

Why it matters: When a crisis happens, you don't want to be figuring out what to do. A plan ensures everyone knows their role.

Start with an Incident Response Plan (IRP):

Your IRP should answer these questions:

  • Who do we call? (IT provider, law enforcement, legal counsel)
  • Who makes decisions? (designate a response team leader)
  • How do we communicate? (if email is compromised, use phone/text)
  • How do we contain the threat? (disconnect infected devices, change passwords)
  • How do we recover? (restore from backups, document lessons learned)

Other Important Policies:

  • Acceptable Use Policy: Rules for using church computers and email
  • Data Retention Policy: What data to keep and for how long
  • Password Policy: Requirements for strong passwords and MFA

Legal Compliance Note:

If your organization handles health information, children's data, or sends marketing emails, you may be legally required to have a Written Information Security Plan (WISP).

Key regulations to be aware of:

  • HIPAA: If you handle health information (counseling centers, clinics)
  • COPPA: If you collect data from children under 13 (youth programs)
  • State Data Breach Laws: Most states require notifying people if their data is breached

Keep It Simple:

You don't need a 50-page manual. A simple, 2-3 page document that everyone can understand is far better than a complex policy no one reads.

Need Help Getting Started?

Explore our curated directory of free and low-cost tools, or find funding to pay for security improvements.