Proactive. Mission-Aligned. Fractional.
Churches are being targeted. Deliberately.
Attackers who understand church operations, speak the church’s language, and exploit the trust that makes ministry possible are actively targeting houses of worship. This is not a hypothetical risk; it is a documented reality.
In 2025, the threat landscape for churches has reached a critical point:
- Ransomware attacks on places of worship increased 300%+ between 2021 and 2024.
- Global ransomware attacks rose 32% in 2025, with a disproportionate impact on organizations with fewer than 500 employees—the exact profile of most churches.
- The average data breach for a small nonprofit now costs $2.98 million in recovery and reputational damage.
Churches are attractive targets because they carry significant financial assets, hold sensitive congregant and children’s data, and operate on a foundation of trust that attackers use as a weapon.
Good Shepherd Insights provides the cybersecurity leadership churches need—without selling them a product. We are not a security vendor with a quota; we are your independent technology executive. We assess, govern, train, and protect your ministry.
Our Comprehensive Security Framework
1. Cybersecurity Risk Assessment
What It Is: A structured, comprehensive evaluation of your church’s technology infrastructure, data assets, and organizational practices to identify vulnerabilities, quantify risk, and produce a prioritized remediation roadmap.
Who It’s For: Any church that has never completed a formal cybersecurity assessment, has recently experienced a suspicious incident, or is preparing for a capital campaign, building project, or insurance review that demands documented security posture.
Our Approach & Deliverables:
- External Threat Scan: Identifying exposed services, open ports, and publicly accessible systems that attackers can exploit.
- Internal Vulnerability Assessment: Testing network segmentation, patch levels, and access controls across all church systems.
- Email Security Audit: Evaluating SPF, DKIM, and DMARC configuration so that mail forging your domain is rejected by recipients rather than delivered. A DMARC record left at the monitor-only policy (p=none) reports spoofing but does not stop it; the audit checks that the policy is enforcing (quarantine or reject), that aggregate reports are actually being received, and that SPF ends in a hard fail rather than a neutral or permissive "all".
- ChMS Access Review: Auditing user permissions, MFA enforcement, and data export controls on your Church Management System.
- Policy Gap Analysis: Documenting which security policies exist, which are missing, and which need updating.
- Prioritized Risk Report: A board-ready document ranking every identified vulnerability by likelihood and impact, with a clear remediation timeline.
Key Outcomes: A documented, board-ready understanding of exactly where your church stands—and exactly what to fix first.
Why It Matters: Many churches discover during the assessment that they have no MFA on staff email, no DMARC record, and no incident response plan. The assessment provides the evidence base for every security decision that follows.
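The email security audit above checks SPF and DMARC records for the weaknesses that leave a domain spoofable. The following script is an added example, not Good Shepherd Insights' own tooling: it evaluates SPF and DMARC TXT records passed in as strings and reports the weak settings an assessor would flag. The sample records are constructed for illustration and do not belong to any real church; in practice you would fetch the TXT record at the domain apex (SPF) and at `_dmarc.<domain>` (DMARC) with a DNS client and feed the strings in. DKIM is not evaluated here because checking it requires knowing the selector each mail provider publishes under.

```python
"""Evaluate SPF and DMARC TXT records for common weaknesses.

Added example for a church email-security audit. Uses only the standard
library; records are supplied as strings so it runs offline.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records (hypothetical domain, not a real church).
SPF_WEAK = "v=spf1 include:_spf.example-mail.com ?all"
SPF_GOOD = "v=spf1 include:_spf.example-mail.com -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
DMARC_GOOD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
              "rua=mailto:dmarc@example.org; ruf=mailto:dmarc@example.org")

# SPF terms that cost a DNS lookup; more than 10 yields a permerror.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|a:|mx\b|mx:|ptr|exists:|redirect=)")


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC style) into a lowercase-keyed dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: Optional[str]) -> List[str]:
    """Return a list of findings for an SPF record; empty means no issues found."""
    if record is None:
        return ["SPF: no record published; any host can claim to send for the domain"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1"]
    findings: List[str] = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; spoofed mail is not penalized")
        elif qualifier == "~":
            findings.append("SPF: '~all' is a softfail; acceptable only with an enforcing DMARC policy")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    return findings


def check_dmarc(record: Optional[str]) -> List[str]:
    """Return a list of findings for a DMARC record; empty means no issues found."""
    if record is None:
        return ["DMARC: no record at _dmarc.<domain>; receivers apply no policy to spoofed mail"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show legitimate mail passes")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    # Subdomain policy defaults to p=; an explicit weaker sp= reopens the door.
    sub_policy = tags.get("sp", policy).lower()
    if policy == "reject" and sub_policy in ("none", "quarantine"):
        findings.append(f"DMARC: sp={sub_policy} is weaker than p=reject; subdomains can be spoofed")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC: pct={tags.get('pct')} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are never received, so failures go unseen")
    return findings


def audit_records(spf: Optional[str], dmarc: Optional[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by protocol."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SPF_WEAK, DMARC_WEAK), ("good", SPF_GOOD, DMARC_GOOD)):
        print(label, audit_records(spf, dmarc))
```

Treat an empty findings list as "nothing obviously wrong", not as proof of a healthy configuration: the script reads a record's syntax, and only the DMARC aggregate reports delivered to the rua= address show whether legitimate church mail is actually passing under the policy.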
2. Security Policy Development
What It Is: Authoring, implementing, and governing a comprehensive set of security policies tailored to your church’s operations, risk profile, and regulatory obligations—from acceptable use to incident response.
Who It’s For: Churches that have no written security policies, have outdated policies that pre-date current threats like BEC and ransomware, or need documented policies to satisfy insurance requirements or board governance expectations.
Our Approach & Deliverables:
- Acceptable Use Policy: Defining what staff and volunteers may and may not do with church technology and data.
- Incident Response Plan: A step-by-step protocol for identifying, containing, communicating, and recovering from a security incident.
- Access Control Policy: Rules for who gets access to what systems, how that access is granted and revoked, and how privileged accounts are managed.
- Data Handling & Classification Policy: Defining how different categories of church data are stored, shared, and disposed of.
- Vendor Security Requirements: Minimum security standards for every third-party vendor that touches church data or systems.
- Policy Governance Framework: A schedule for annual review, update, and board-level reporting on all security policies.
Key Outcomes: A complete, documented security policy framework that your church can maintain, audit, and present to insurers and board members.
Why It Matters: An incident response plan written after a breach is too late. Policies must be documented before the crisis to protect the church, its leadership, and its congregants.
3. Staff Security Training
What It Is: Targeted, role-specific training that teaches church staff and volunteers to recognize, report, and resist the social engineering attacks most commonly used against churches—particularly Business Email Compromise, VIP spoofing, and phishing.
Who It’s For: Every church. BEC is the number one attack type hitting churches, and it succeeds because staff are not trained to recognize it. Churches that handle financial transactions, process donations, or manage vendor relationships are at the highest risk.
Our Approach & Deliverables:
- BEC Recognition Training: Teaching staff to identify Business Email Compromise attempts—emails that appear to come from vendors, board members, or the Senior Pastor requesting urgent financial action.
- VIP Spoofing Defense: Training administrative and financial staff to verify identity out of band when they receive requests from senior leaders via email or text, especially those involving wire transfers, gift card purchases, or sensitive data access. Verification means calling the requester back on a phone number already on file, never on a number or reply address supplied in the message itself.
- Phishing Simulation & Reporting: Regular simulated phishing campaigns with a simple, documented reporting process so staff can flag suspicious messages without embarrassment.
- ChMS Security Training: Role-specific guidance on protecting Church Management System accounts—enforcing MFA, managing permissions, and recognizing unauthorized access.
- Incident Reporting Protocol: Clear, written instructions for what staff should do the moment they suspect a security incident.
Key Outcomes: A staff that can identify and resist the top attack types targeting churches, with a documented reporting process that turns human vulnerability into human defense.
Why It Matters: 91% of cyberattacks begin with a phishing email. Training is the single highest-ROI security investment a church can make—and the one most churches have never implemented.
4. AI Governance & Policy
What It Is: A structured framework for evaluating, governing, and documenting the use of artificial intelligence tools across your church’s staff and ministry operations—ensuring AI serves the ministry without compromising data security, congregant privacy, or theological integrity.
Who It’s For: Churches where staff are already using AI tools (ChatGPT, Claude, Gemini, etc.) without formal guidance, churches that want to adopt AI responsibly, and church boards that recognize the governance gap between AI adoption and AI policy. With 93.5% of church leaders actively engaging with or exploring AI in ministry—and only 5% having a formal AI policy—the governance gap is real and growing.
Our Approach & Deliverables:
- AI Use Inventory: Documenting which AI tools staff are currently using, for what purposes, and what data has been entered into third-party AI platforms.
- Theological & Ethical Framework: Evaluating AI use against your church’s specific values and pastoral responsibilities.
- Formal AI Policy Drafting: Written guidelines on permitted use cases, attribution standards, and data handling.
Key Outcomes: Clarity for staff on which tools are safe to use and board-ready documentation of responsible AI governance.
Why It Matters: Pasting counseling notes into a public AI tool to draft a letter discloses confidential pastoral information to a third party the church does not control, and may place it in that vendor's training or retention systems. AI governance ensures technology serves the ministry without compromising the trust of the congregation.
5. Data Privacy & Compliance
What It Is: A comprehensive inventory and alignment of the personal data your church collects with applicable legal and regulatory frameworks.
Who It’s For: Churches running schools or children’s programs, those using online giving platforms, and large parishes with complex data environments.
Our Approach & Deliverables:
- Data Inventory Mapping: Documenting what data is collected, where it’s stored, and who has access.
- COPPA Compliance Review: Ensuring children’s ministry data practices meet legal requirements for minors. COPPA applies to the online collection of personal information from children under 13, so the review covers registration forms, apps, and check-in systems: what is collected, whether verifiable parental consent is obtained, and how long the data is retained.
- PCI-DSS Alignment: Assessing giving platforms and donation processing for credit card security. Using a hosted giving platform narrows the church’s PCI scope but does not remove it; the review confirms that card numbers are never written down, emailed, or stored on church systems, and that the platform’s own compliance attestation is current.
- Privacy Notice Development: Drafting a transparent notice for the congregation regarding data handling.
- Breach Notification Readiness: A documented protocol for regulatory and congregational communication following a breach.
Key Outcomes: A documented compliance posture that protects the church from legal risk and reinforces member trust.
Why It Matters: Non-compliance with COPPA or PCI-DSS isn’t just a legal risk; it’s a betrayal of the trust congregants place in the church to protect their most sensitive information.
Security Is Not a Product. It’s Leadership.
Every church that engages GSI for cybersecurity work discovers the same truth: security is not a tool you buy or a box you check. It is an ongoing practice that requires leadership, governance, training, and vigilance—updated continuously as the threat landscape evolves.
Your church’s data, your congregants’ trust, and your leadership’s fiduciary responsibility deserve more than a one-time audit. They deserve a technology executive who stays engaged.
Stop making reactive, crisis-driven technology decisions. Protect your ministry with sustained leadership.
Learn About the Fractional CTO Engagement →
Fractional CTO guidance for churches that need strategic technology leadership
Fractional CTO Partnership
Get strategic technology leadership for your church — without the cost of a full-time hire. GSI guides vendor selection, data integration, and technology decisions so your ministry stays focused.
Strategic technology roadmap
Replace scattered decisions with a clear, prioritized plan that aligns every technology investment to your ministry goals and budget.
Church-specific security
Address cybersecurity risks unique to ministry environments — from donor data protection to securing worship and operations systems.
Stewardship-driven spend
Audit your technology vendors and contracts to eliminate waste, consolidate tools, and ensure every dollar serves your mission.
Get a Technology Strategy Audit
Wrong tools, underutilized software, vendor overcharges. Get a professional assessment of your current tech stack and a strategic roadmap forward.