
Church and Nonprofit IT: Securing Donations and Member Data

Norvet MSP Team April 2026 7 min read

Churches and nonprofit organizations sit at a unique intersection of community trust and technology risk. Congregations entrust their houses of worship with tithes, offerings, and deeply personal information. Donors trust nonprofits with their financial data, contact details, and sometimes information about sensitive circumstances — domestic violence survivors seeking shelter, families in financial crisis, or individuals receiving substance abuse support.

Yet most churches and nonprofits operate with minimal IT infrastructure, limited technical expertise, and no formal security practices. A single breach can expose thousands of records, trigger legal obligations, undermine donor confidence, and divert scarce resources from the mission to incident response.

What Data Are You Actually Holding?

Before addressing security measures, it is important to understand the scope of sensitive data most churches and nonprofits maintain:

  • Donor and member financial data: credit card numbers, bank account information for recurring gifts, and contribution records that may reveal income levels
  • Personally identifiable information: names, addresses, phone numbers, email addresses, dates of birth, and Social Security numbers (for employees, contractors, and sometimes scholarship or grant recipients)
  • Benevolence and counseling records: details about members receiving financial assistance, counseling, or support services — information that is deeply private and potentially damaging if disclosed
  • Employee and volunteer records: payroll data, background check results, and HR documentation
  • Child and youth records: enrollment forms, medical information, emergency contacts, and safeguarding documentation for children's ministry and youth programs
  • Financial records: bank statements, tax filings, payroll records, and audit documentation

This data carries real value to cybercriminals and real legal obligations for the organizations that hold it.

Common Security Gaps in Churches and Nonprofits

Shared Passwords and Accounts

It is extremely common for churches and nonprofits to have a single login shared among multiple staff members and volunteers for email, financial software, donor management platforms, and even bank accounts. Shared credentials make it impossible to track who accessed what, who made changes, and who may have caused a security incident.

When a volunteer or staff member leaves, changing a shared password means everyone with access needs to be notified and updated — which often does not happen, leaving former personnel with active access to sensitive systems.

Unsecured Donation Processing

Online giving platforms are generally secure if configured properly, but many churches and nonprofits also accept donations through less secure channels:

  • Collecting credit card numbers on paper pledge cards
  • Receiving donations via unencrypted email
  • Processing payments through consumer-grade card readers without PCI-compliant configurations
  • Storing credit card numbers in spreadsheets or text files for recurring manual processing

Each of these practices creates unnecessary risk and potential PCI-DSS compliance violations.

No Backup Strategy

Many churches and nonprofits have no backup strategy at all. Financial records, donor databases, and historical membership data exist on a single computer or in a single cloud account without any redundancy. A hardware failure, ransomware attack, or accidental deletion can result in permanent data loss.

Some organizations have backups that have never been tested. Discovering that your backup is corrupted or incomplete after a disaster is equivalent to having no backup at all.

Unmanaged Volunteer Devices

Churches and nonprofits rely heavily on volunteers who use personal devices — laptops, tablets, and smartphones — to access organizational systems, email, and data. These personal devices may have outdated operating systems, no antivirus protection, and no encryption.

When a volunteer's personal laptop is stolen from their car, any organizational data stored on that device is exposed. If the volunteer had access to the donor management platform through a saved browser password, the attacker now has that access too.

Outdated or Consumer-Grade Equipment

Budget constraints often mean churches and nonprofits run on donated or consumer-grade equipment that was outdated when it was received. Old computers running unsupported operating systems cannot receive security patches, making them vulnerable to known exploits.

Consumer-grade routers and networking equipment lack the security features of business-grade alternatives — no VLAN capability, limited firewall functionality, no intrusion detection, and default passwords that are never changed.

Essential Security Measures

1. Implement Individual User Accounts

Every person who accesses organizational systems should have their own unique login credentials. This applies to:

  • Email and communication platforms
  • Donor management and CRM systems
  • Financial and accounting software
  • Cloud storage and document platforms
  • Website and social media management

Individual accounts enable audit trails, make it easy to revoke access when someone leaves, and allow you to enforce appropriate access levels based on each person's role.

2. Enable Multi-Factor Authentication

MFA should be required for every account that accesses sensitive data. Most platforms used by churches and nonprofits support MFA at no additional cost:

  • Google Workspace and Microsoft 365 both include MFA
  • Most donor management platforms (Breeze, Planning Center, Realm, Bloomerang) support MFA
  • Financial platforms and bank accounts increasingly require or support MFA

MFA prevents unauthorized access even when passwords are stolen through phishing — which is the most common attack vector targeting nonprofits.

3. Secure Online Donation Processing

Use PCI-DSS compliant payment platforms for all donation processing. Reputable church giving platforms such as Tithe.ly, Pushpay, and Subsplash handle PCI compliance and encryption automatically.

Critical practices:

  • Never collect credit card numbers on paper, by email, or by phone unless using a PCI-compliant phone payment system
  • Never store credit card numbers in spreadsheets, documents, or email
  • Ensure your website's giving page uses HTTPS and that the payment form is hosted by or iframed from your payment processor — not handled by your own web server
  • Review your payment platform's security settings annually

4. Establish a Backup and Recovery Plan

Implement automated backups for all critical data:

  • Donor and membership databases
  • Financial and accounting records
  • Email archives
  • Documents and files stored on local computers or shared drives
  • Website content and configuration

Follow the 3-2-1 backup rule: maintain at least three copies of your data, on two different types of storage media, with one copy stored offsite or in a geographically separate cloud location.

Test your backups quarterly by performing a test restoration. Document the recovery process so that someone other than your primary IT person can execute it in an emergency.
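An added example (not Norvet MSP's code) of what a scripted quarterly restore test can look like: record a SHA-256 manifest of the live files, restore the backup archive into a scratch directory, and report anything missing, changed, or unexpected. The file names, directory layout, and zip-based backup are constructed for the demonstration; a real run would point the same checks at your actual backup output.

```python
# Added example: automated verification of a test restoration.
# Not Norvet MSP code; paths and sample files below are constructed.
from __future__ import annotations
import hashlib
import tempfile
import zipfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> None:
    """Stand-in for the nightly backup job: zip every file under source."""
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in source.rglob("*"):
            if p.is_file():
                zf.write(p, arcname=p.relative_to(source).as_posix())


def verify_restore(expected: dict[str, str], archive: Path) -> list[str]:
    """Restore into a scratch directory and compare against the recorded manifest.
    Returns a list of findings; an empty list means the restore matched exactly."""
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(scratch)          # zipfile strips absolute/parent path components
        restored = manifest(Path(scratch))
    problems = []
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"corrupt: {name}")
    problems += [f"unexpected: {name}" for name in restored if name not in expected]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed data: a healthy backup, then the same archive after the share changed."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "office-share"
        (source / "benevolence").mkdir(parents=True)
        (source / "donors.csv").write_text("id,name,gift\n1,Sample Donor,25.00\n")
        (source / "benevolence" / "2026-q1.txt").write_text("constructed case notes\n")
        archive = Path(work) / "backup.zip"
        make_backup(source, archive)
        healthy = verify_restore(manifest(source), archive)
        # Data changed after the backup ran: one file edited, one file added.
        (source / "donors.csv").write_text("id,name,gift\n1,Sample Donor,50.00\n")
        (source / "payroll.xlsx").write_bytes(b"constructed")
        stale = verify_restore(manifest(source), archive)
    return healthy, stale
```

A non-empty finding list is the signal to treat the backup as failed and investigate before the next quarter, not after a disaster.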

5. Create an Acceptable Use Policy

Document clear expectations for how staff and volunteers use organizational technology:

  • What types of data can and cannot be stored on personal devices
  • Requirements for device security (encryption, screen lock, current OS)
  • Prohibition on sharing login credentials
  • Guidelines for using public WiFi when accessing organizational systems
  • Procedures for reporting lost or stolen devices
  • Requirements for securing workstations when stepping away (screen lock, logging out)

Have every staff member and volunteer with system access acknowledge the policy in writing. Review and update it annually.

6. Manage Volunteer and Staff Offboarding

When a staff member or volunteer leaves, their access to all organizational systems must be revoked promptly. This includes:

  • Email and communication platforms
  • Donor management and CRM systems
  • Financial software and bank account access
  • Cloud storage and shared drives
  • Building security systems and alarm codes
  • Social media and website administrative access
  • Any shared passwords they may have known (which should be changed immediately)

Create an offboarding checklist and assign responsibility for executing it. Access should be revoked within 24 hours of the person's departure — waiting days or weeks creates unnecessary risk.

7. Segment Your Network

If your church or nonprofit facility has WiFi for guests, members, or event attendees, that WiFi network must be isolated from your administrative network. A guest connecting to your WiFi should not be able to reach your office computers, donor management server, or financial systems.

At minimum, implement:

  • A dedicated administrative network for staff computers and organizational systems
  • A separate guest WiFi network with internet access only
  • Business-grade access points and router with VLAN support
  • Password protection on the administrative network with credentials limited to authorized staff

8. Invest in Security Awareness Training

Most security incidents in churches and nonprofits begin with a phishing email or social engineering attempt. Training staff and key volunteers to recognize and report these threats is one of the most cost-effective security investments you can make.

Effective training includes:

  • Quarterly phishing simulation exercises
  • Brief training sessions (10-15 minutes) covering current threats
  • Clear instructions on how to report suspicious emails or requests
  • Specific training on common nonprofit-targeted scams: fake vendor invoices, fraudulent wire transfer requests, and impersonation of executive directors or pastors

Working Within Budget Constraints

Churches and nonprofits do not have Fortune 500 security budgets, but they do have access to significant discounts and free resources:

  • Microsoft 365 Business Premium is available to qualifying nonprofits for free or at deep discount through Microsoft's nonprofit program, including MFA, endpoint management, and email security
  • Google Workspace for Nonprofits is free for qualifying organizations
  • TechSoup provides discounted software, hardware, and cloud services to verified nonprofits
  • Many managed IT providers offer nonprofit pricing tiers that make professional IT support accessible

The cost of basic security measures is a tiny fraction of the cost of a data breach, and increasingly, donors and grant funders expect organizations to demonstrate responsible data stewardship.

Get Started

Norvet MSP serves churches and nonprofits across metro Atlanta with managed IT services designed for mission-driven organizations. We understand the unique challenges of limited budgets, volunteer workforces, and sensitive beneficiary data. Contact us for a free IT security assessment — we will identify your most critical vulnerabilities and help you build a practical, affordable protection plan.
