
Cybersecurity is a stewardship problem

Matthew Dovie

Three scenarios that play out across the sector with disappointing regularity. The names and numbers are illustrative — the patterns are not.

The bookkeeper who walked. A mid-sized congregation discovers $47,000 missing from the building fund weeks after its bookkeeper has quit. That bookkeeper had been the only person with access to the bank account, the only person reconciling statements, and the only person posting transactions. Three roles, one person, no oversight. Discovery comes too late, and recovery isn’t an option.

No cyberattack. No ransomware, no phishing, no zero-day. Just the slow, quiet erosion that happens when a high-trust environment never builds the boring controls that prevent fraud.

The ransomware demand. A different congregation arrives Monday morning to find their Church Management System encrypted. The attackers threaten to leak counseling notes if the church doesn’t pay $80,000 in Bitcoin within 72 hours. Backups exist, but they live on the same network — also encrypted.

The Sunday morning that wasn’t normal. What starts as a typical service ends with an active-assailant scene local first responders had never trained for. The safety team had a plan in a binder. The plan had never been rehearsed.

Three different ministries. Three different threat vectors. One root cause: nobody had built the controls.

The 2025 reality for faith-based organizations

The faith-based sector is no longer below the radar. Three things have happened in parallel:

  1. Cybercrime got cheap. Ransomware-as-a-Service lowered the barrier so far that an affiliate with no real skill can rent tooling that encrypts a small church’s systems with the same strength of cryptography, and the same rehearsed extortion playbook, that a Fortune 500 would face. The attackers don’t need to be sophisticated anymore; the kits are.
  2. Internal fraud has always been there. The Fraud Triangle (Incentive + Rationalization + Opportunity) doesn’t care whether the organization is a tech startup or a 600-person congregation. In high-trust environments where oversight is informal, opportunity is everywhere.
  3. Targeted physical violence is rising. Between 2009 and 2019, there were at least 37 incidents of targeted violence in U.S. houses of worship, with more than 120 casualties. 67% of these were motivated by hatred of racial or religious identity; 22% were rooted in domestic disputes. The pattern of “planning behavior” — pre-attack reconnaissance — has been documented in nearly every case.

These aren’t separate problems. They’re the same problem viewed from three angles: the institution is responsible for protecting the people who entrust themselves to it, and the institution hasn’t built the controls.

Why existing frameworks don’t quite fit

The NIST Cybersecurity Framework is excellent — it’s the gold standard for technical security, and we use it every day with our compliance clients. CIS Controls v8 IG1 is the right baseline for any organization. ECFA Standards govern financial integrity for member ministries. CISA’s Mitigating Attacks on Houses of Worship covers physical safety thoughtfully.

But none of these frameworks, on its own, addresses the trio of concerns a ministry’s board chair actually loses sleep over: the data, the donations, and the kids.

NIST doesn’t talk about dual custody of cash offerings. ECFA doesn’t talk about MFA on the ChMS. Neither covers the Two-Adult Rule in children’s ministry. CISA’s guidance covers physical safety beautifully but doesn’t extend into financial integrity or technical security.

A church operating from these frameworks separately ends up with three separate programs, three separate vendors, three separate consultants — and three separate gaps where one framework ends and the next begins. The integration work falls on a part-time church administrator who isn’t trained for any of it.

Introducing the Ministry Cybersecurity & Stewardship Framework

The MCSF is our attempt to put the three together in one auditable, practitioner-built framework. It’s 35 controls across 5 phases, mapped to NIST CSF 2.0, CIS Controls v8 IG1, ECFA Standards, CISA’s Houses of Worship guidance, PCI DSS v4.0, HIPAA Security Rule, and GAAP — so the controls are auditable for whichever audience matters most to you: insurer, board, donors, regulators, or first responders.

Here’s the shape of it:

Phase 01 — Preventative Controls (7 controls)

The technical “digital deadbolts” and access controls. MFA, an enterprise password manager, a 15-character passphrase minimum, session auto-locking, least privilege, automated patching, network segmentation. Boring, foundational, non-negotiable.

Phase 02 — Governance & Financial Stewardship (10 controls)

This is where most ministries have the biggest gap. Segregation of duties. Dual custody of offerings. Expense approval and dual signatures. Rotation of financial roles. Fidelity bonding. Independent audits. The procedural controls that prevent that first kind of loss.
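The three-roles-one-person pattern from the opening scenario is mechanical enough to check for. The script below is an added example, not part of the MCSF or of the original post: it runs a segregation-of-duties audit over a constructed role table, a constructed transaction ledger and a constructed list of offering-count sessions. The conflict matrix, the field names and every record are assumptions chosen to mirror the bookkeeper story; a real run would read an export from the ChMS or accounting system instead.

```python
"""Segregation-of-duties audit over a constructed ledger.

Added example, not part of the MCSF or the original post. The conflict
matrix, field names and sample records are assumptions chosen to mirror
the bookkeeper scenario; point the functions at your own exports.
"""
from itertools import combinations

# Duty pairs one person must never hold at the same time. Assumed matrix,
# modelled on the AC-5 style separation of duties the post refers to.
CONFLICTING_DUTIES = {
    frozenset({"bank_access", "reconcile"}),
    frozenset({"post", "reconcile"}),
    frozenset({"post", "approve"}),
}


def role_conflicts(assignments):
    """assignments: {person: set(duties)} -> [(person, duty_a, duty_b), ...]."""
    findings = []
    for person, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                findings.append((person, a, b))
    return findings


def transaction_conflicts(ledger):
    """ledger: dicts with id, amount, posted_by, approved_by, reconciled_by.

    Flags entries with no second approver, self-approval, and self-reconciliation.
    Returns [(txn_id, reason), ...].
    """
    findings = []
    for txn in ledger:
        poster = txn.get("posted_by")
        approver = txn.get("approved_by")
        reconciler = txn.get("reconciled_by")
        if not approver:
            findings.append((txn["id"], "no second approver"))
        elif approver == poster:
            findings.append((txn["id"], "poster approved own entry"))
        if reconciler and reconciler == poster:
            findings.append((txn["id"], "poster reconciled own entry"))
    return findings


def dual_custody_violations(counts):
    """counts: dicts with date and counters (list). Returns dates counted by one person."""
    return [c["date"] for c in counts if len(set(c["counters"])) < 2]


# Constructed sample data (hypothetical people and amounts).
SAMPLE_ASSIGNMENTS = {
    "bookkeeper": {"bank_access", "post", "reconcile"},  # the scenario's single point of failure
    "treasurer": {"approve"},
    "admin": {"post"},
}
SAMPLE_LEDGER = [
    {"id": "T1001", "amount": 1200.00, "posted_by": "bookkeeper",
     "approved_by": "treasurer", "reconciled_by": "bookkeeper"},
    {"id": "T1002", "amount": 4700.00, "posted_by": "bookkeeper",
     "approved_by": None, "reconciled_by": "bookkeeper"},
    {"id": "T1003", "amount": 300.00, "posted_by": "admin",
     "approved_by": "treasurer", "reconciled_by": "bookkeeper"},
]
SAMPLE_COUNTS = [
    {"date": "2025-03-02", "counters": ["volunteer_a", "volunteer_b"]},
    {"date": "2025-03-09", "counters": ["volunteer_a"]},
]


def audit(assignments=SAMPLE_ASSIGNMENTS, ledger=SAMPLE_LEDGER, counts=SAMPLE_COUNTS):
    """Run all three checks and return the findings keyed by check."""
    return {
        "role_conflicts": role_conflicts(assignments),
        "transaction_conflicts": transaction_conflicts(ledger),
        "single_counter_sessions": dual_custody_violations(counts),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("   ", item)
```

On the sample data the role check flags the bookkeeper twice (bank access plus reconciliation, posting plus reconciliation), the ledger check flags T1001 and T1002 for self-reconciliation and T1002 for having no approver at all, and the offering check flags the 9 March count as a single-counter session. The point of running it on a schedule is that a conflict that existed for one week is a finding, not a fraud; the same conflict that nobody saw for three years is the opening scenario.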

Phase 03 — Facility Safety and Children’s Ministry (9 controls)

Physical safeguards across three perimeters: parking lot, building, interior — and into the children’s ministry specifically. Secure check-in and check-out. The Two-Adult Rule. Open-viewing visibility standards. Classroom lockdown readiness. Panic buttons that go straight to the local PD.

Phase 04 — People, Culture, and Training (5 controls)

The people layer. Background checks for staff and volunteers. ALICE active-threat training for the safety team and congregation. Phishing simulations specifically tuned to “VIP spoofing” of senior pastors. A congregant privacy policy. CPR/AED training, because the most likely emergency on a Sunday morning is medical, not violent.
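“VIP spoofing” of a senior pastor almost always looks the same on the wire: a free-mail or look-alike address wearing the pastor’s display name, often with a Reply-To pointing somewhere else. The following is an added example, not code from the original post or from EvangelOS, that applies those checks to raw message headers using only the Python standard library. The organisation domain, the VIP list and the three sample messages are constructed for the demonstration; the Authentication-Results check assumes your mail gateway stamps that header (RFC 8601) on inbound mail.

```python
"""Flag display-name impersonation of a senior pastor in raw email headers.

Added example, not part of the original post or of EvangelOS. ORG_DOMAINS,
VIPS and SAMPLE_MESSAGES are constructed; in practice the VIP list comes from
the staff directory and the messages from the gateway's journal or quarantine.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example-church.org"}      # assumed: the ministry's own mail domain(s)
VIPS = {"Pastor John Smith", "Jane Doe"}  # assumed: the names worth impersonating


def _norm(name):
    """Lowercase and drop honorifics so 'Pastor John Smith' == 'john smith'."""
    name = re.sub(r"\b(pastor|rev\.?|dr\.?|bishop)\b", "", name.lower())
    return " ".join(re.findall(r"[a-z]+", name))


NORM_VIPS = {_norm(v) for v in VIPS}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return the reasons a message looks like VIP impersonation (empty list if clean)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    from_dom = _domain(from_addr)
    reasons = []

    # 1. A VIP's name on an address the organisation does not control.
    if _norm(from_name) in NORM_VIPS and from_dom not in ORG_DOMAINS:
        reasons.append(f"VIP display name '{from_name}' on external address {from_addr}")

    # 2. Replies silently redirected to a different domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To {reply_addr} diverges from From domain {from_dom}")

    # 3. A From address on our own domain that the gateway could not authenticate.
    if from_dom in ORG_DOMAINS and any(t in auth for t in ("spf=fail", "dkim=fail", "dmarc=fail")):
        reasons.append(f"internal sender {from_addr} failed authentication: {auth}")

    return reasons


# Constructed sample messages (hypothetical addresses and text).
SAMPLE_MESSAGES = {
    # Free-mail account wearing the senior pastor's name.
    "m1": (
        'From: "Pastor John Smith" <pastorjohn.smith@gmail.com>\n'
        "To: treasurer@example-church.org\n"
        "Subject: Quick favour, are you at your desk?\n"
        "\n"
        "I need you to pick up some gift cards for a family in need.\n"
    ),
    # Genuine internal mail that passed SPF and DKIM.
    "m2": (
        'From: "Pastor John Smith" <jsmith@example-church.org>\n'
        "To: staff@example-church.org\n"
        "Authentication-Results: mx.example-church.org; spf=pass; dkim=pass\n"
        "Subject: Staff meeting moved to 10am\n"
        "\n"
        "See you then.\n"
    ),
    # Forged internal From that failed SPF, with an external Reply-To.
    "m3": (
        'From: "Jane Doe" <jdoe@example-church.org>\n'
        "Reply-To: <j.doe.finance@outlook.com>\n"
        "Authentication-Results: mx.example-church.org; spf=fail; dkim=none\n"
        "Subject: Updated wire instructions for the building fund\n"
        "\n"
        "Please use the new account details below.\n"
    ),
}


def triage(messages=SAMPLE_MESSAGES):
    """Map message id -> list of reasons, for every message in the batch."""
    return {mid: analyse(raw) for mid, raw in messages.items()}


if __name__ == "__main__":
    for mid, reasons in triage().items():
        print(mid, "CLEAN" if not reasons else "")
        for r in reasons:
            print("   ", r)
```

The same three rules make a good template for the phishing simulation itself: a simulated lure that trips none of them is not testing what real attackers do. Name matching is deliberately loose (honorifics stripped) because lures use “Pastor John”, “Rev. Smith” and “John Smith” interchangeably; tighten or extend `_norm` to match the way your congregation actually addresses its staff.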

Phase 05 — Detection & Response (4 controls)

When (not if) something happens. Documented Emergency Action Plans. An Incident Response Plan that is printed, because the digital copy may be unreachable during a network compromise. Quarterly vulnerability assessments. A vCISO relationship for the kind of senior judgment a small church can’t otherwise afford.

Total: 35 controls. Auditable. Mapped to standards regulators recognize. Designed to be implementable by a part-time church administrator with the right partner.

The hardest control to talk about

Phase 03’s Two-Adult Rule (Control C16) is the one we get the most pushback on. Pastors will say: “We have great volunteers. Most of them have been here for years. We trust them.”

We trust them too. The Two-Adult Rule isn’t about distrust. It protects volunteers as much as it protects children. A volunteer alone with a child is exposed: to false accusation, to the cognitive load of being the sole responsible adult during an emergency, to a lapse of judgment that would not happen with a colleague in the room. Two adults aren’t there to police each other. They’re there to protect each other and the children equally.

The same logic runs through the financial controls. Dual custody of offerings isn’t because we suspect the volunteer counters. It’s because we don’t ever want a volunteer to be in a position where, if money goes missing, they are the only one who could have taken it. Segregation of duties protects the bookkeeper from suspicion as much as it protects the church from theft.

Stewardship, in its honest form, is about removing opportunity for harm — to the institution, to the people inside it, and to the people doing the work.

Why we built MCSF

Dryve does compliance work for the middle of the market every day. EvangelOS, our flagship venture, is a Church Management System built from the ground up with security and compliance baked in. Between the two, we sit at the intersection of “the field as it actually is” and “the technology as it could be.”

Most ministry-security guidance is one or the other: either deeply technical CISO-grade material that loses pastors in the second paragraph, or deeply pastoral material that doesn’t know what NIST AC-5 means or why it matters.

The MCSF is what we wished existed when we started talking to ministries. It’s what we’d hand to a 1,200-person congregation today and say: “Here. This is what good looks like. Pick the three you can implement this quarter.”

How to start

You don’t need Dryve to use MCSF. The framework is published, the standards mappings are documented, and the controls are deliberately specific enough that a competent church administrator can take any one of them and start.

If you want to look at it: the full 35-control framework lives here. If you want help working through which controls matter most for your specific ministry: contact us and we’ll set up a working session — no pitch deck, no procurement cycle, just a conversation.

EvangelOS satisfies four of the controls (C01 MFA, C05 Least Privilege, C15 PCI Compliance, and C34 Vulnerability Scanning) at the platform layer for any ministry that adopts it. That’s not the whole framework — but it’s the foundation, and we built it that way deliberately.

Either way: start with one control. The one your bookkeeper hasn’t asked for. The one your safety team has been quietly worried about. The one that, if something happened tomorrow, you’d wish you’d done last month.

That’s the work.
