Jonathan Smith is the President of MBS, Inc. and the Director of Technology at Faith Ministries in Lafayette, IN.
He is an author and frequent conference speaker.
You can reach Jonathan at jonathans@mbsinc.com and follow him on X @JonathanESmith.
Copyright © 2025 Jonathan Smith. All Rights Reserved.
The line between security and convenience can be a challenging line to navigate.
I frequently speak with pastors and ministry leaders about how to protect an organization while still empowering users to accomplish their mission.
The more secure you are, the less convenient it is for the users. The more convenient it is for the users, the less secure your church is and more open to attack. It concerns me that in 2025 many ministries still err on the side of convenience over security. Perhaps this is why cyber insurance and cyber liability coverage premiums are skyrocketing.
As you look to lead with technology, there are two aspects of security vs. convenience that I encourage you to invest time in evaluating. I believe these two should be non-negotiable and are critical if you want help with your next cyber coverage renewal.
Two-factor authentication
Two-factor authentication (2FA) should be enabled on everything possible. Again, it’s not convenient; yet, while not perfect, it’s a tremendous safety net should a user be compromised. Two-factor, or multifactor, authentication cannot prevent a user from giving away his or her access through a phishing attempt, but it can stop the attacker from getting very far and allow the ministry valuable time to mitigate before much damage can be done.
Regular security training, testing
Security awareness training should be done every week. There are many providers who offer this service, but you really need to train and test more than once or twice a year. I recommend testing at least weekly as the best practice, and at least monthly as the minimum. My church, for instance, does three tests each week.
Ideally, if you are doing security awareness training consistently, and if you have 2FA enabled on everything, your security posture will be strong. This way, if a user does fail and give out his or her username/password as a result of a phishing attempt, 2FA will help your church avoid significant damage.
Think of your network access to your ministry’s email, management software and so on as the keys to your house. If, through a phishing attempt, I trick you into giving me the keys — without a second factor, like a code sent via text message or a 2FA authenticator app — I can walk right in. However, if I trick you into giving me the keys, but when I get to the door it requires your keys and a separate code, you’ve stopped me or at least really slowed me down.
Hopefully, you are doing consistent security awareness training so you can avoid users getting tricked into giving away their “keys” in the first place.
Xxx
Although churches and ministries should be doing both — enabling 2FA and consistently training and testing and training for security — far too many aren’t doing either. When I talk with ministry leaders, they tell me it isn’t convenient, or senior leadership won’t do it. You’d think we were talking about retinal scanners, voice ID and fingerprint readers before you can check your email! None of those would be convenient, but — in determining where you draw the line — how much convenience are you willing to give up in the name of reasonable security?
Leaders have to lead; if ministry leaders are leading through inaction or fear of user response, they might very well pay a significant price. I’ve helped negotiate six- and seven-figure insurance claims; and trust me, it’s easier if you’re at least doing security awareness training and have already implemented 2FA.
If you need help implementing 2FA or security awareness training, reach out to your IT staff or IT vendor. (In fact, they should already be presenting these options.) As a provider of these services, we understand the need to make ministry convenient but also the importance of it being secure.
Doing nothing isn’t an option
I talk with church leaders every week who have gotten “hit,” and 99 percent of the time they’re not doing 2FA or consistent security awareness training. While shifting from convenience towards security, these two suggestions can help you steward your ministry technology resources while ensuring your Kingdom impact isn’t interrupted because you were more focused on ease than security.
Remember, it isn’t a matter of if you’ll get compromised — it’s a matter of when.
Originally published at https://churchexecutive.com/archives/tech-bytes-with-jonathan-smith