The Faithful Fight Toolkit: Protecting cyber and physical security

April 9, 2025
Share

Houses of worship and religious nonprofits face a multitude of security threats – from phishing attempts, to vandalism, to physical threats, and even frivolous litigation from private actors or government agencies.
Below are 3 Sets of Resources for Resiliency leaders can consider in preventing online threats, preserving records, and protecting people.

This Toolkit is intended for general information and educational purposes only, and should not be relied on as if it were legal advice about a particular fact situation. It contains hypertext links to information created and maintained by third parties and the authors of this toolkit do not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

This toolkit is part of the Faithful Fight series, developed in partnership with the Horizons Project. This toolkit is part of the Faithful Fight series, developed in partnership with the Horizons Project.

Data and Cyber Security:
Preventing online threats

Safely store passwords through a password management tool to generate and securely store passwords that are more difficult to hack. (Examples: 1Password, Lastpass).

Utilize two-factor authentication (2FA) services to prevent hacking attempts by providing verification codes sent via email, text, phone call, or an authenticator app upon logging into email or other password-protected websites. (Examples of authenticators: Google Authenticator or Microsoft Authenticator; How to enable 2FA on email platforms: Gmail or Microsoft, depending upon your email platform)

Install virus protection software to prevent viruses from accessing computers and other devices. Here are some helpful reviews of software from reputable websites: TechRadar, PC Magazine, CyberNews, Forbes or many others.

Scrub publicly accessible, personal information from the internet to prevent bad actors from attempting to shame or embarrass leaders and staff online – or worse, threaten or attack them in-person or at their home. (Example: DeleteMe)

Guard against email phishing scams by utilizing prevention software and conducting regular Security Awareness training on how to stop scammers from trying to steal sensitive information by tricking message recipients into clicking dangerous links and attachments while pretending to be from trusted sources. (Examples of email security products: Checkpoint, Mimecast and Proofpoint; examples of security awareness: KnowBe4, Hoxhunt)

Further reading and courses:

Cybersecurity Academy Courses: A series of online courses ranging from email security to incident response and cyber security tabletop exercises.

GCA Toolkit for Mission-Based Organizations: Free tools, guidance, and training is designed to help organizations take key cybersecurity steps and be more secure.

Legal Compliance:
Preserving and managing records

Establish and enhance legal compliance and public disclosure policies to maintain effective governance, strong financial oversight, and responsible fundraising. (Example: Principles for Good Governance and Ethical Practice)

Ensure your compliance policies are up-to-date so you can continue mission-critical work and preserve nonprofit tax status. (Example: Guide for Maintaining Nonprofit Tax-exempt Status)

Create strong document retention and records management policies to make your organization more resilient in the event of a lawsuit. (Example: Template and guidance)

Protect your board officers through D&O insurance. (Read more from Board Effect)

Ensure that policy advocacy efforts are in compliance with relevant federal and state requirements to maintain the ability of your staff to influence decision makers and avoid fines or other legal consequences. (Example: Advocacy Compliance Self-Assessment)

Further reading:

Protect Democracy’s Report, Protecting Civil Space: A Primer.

Physical Security:
Protecting your facilities and the people you serve

Create a year-round physical security plan to secure your facilities. (Example: FEMA guide to 5 ways your community can get started today, CISA Protecting Houses of Worship Guide)

Conduct a comprehensive risk assessment to identify a range of vulnerabilities – everything from Fire Extinguishers and EKG placement to visitor registration. (Example: CISA Online Self-Assessment for Houses of Worship)

Develop an in-house security/response team to assist with everything from medical events to crowd control during evacuations.

Invest in de-escalation training to keep emergencies as peaceful as possible – and even prevent some events from escalating to an emergency situation. (Example: AAPI Bystander Training, )

Create and use a security plan to prevent and respond to emergency situations at your facilities. (Example: FBI guide for development of Emergency Operations Plans for Houses of Worship)

Purchase and maintain reliable security camera systems to help identify bad actors should wrongdoing occur, and to offer a deterrent effect for those seeking to identify weak points in your security system. Maintaining a system with sufficient visual range and determining whether or not wireless or wired-in is best for your facilities are key considerations for your security team.

Implement consistent, modern access control measures to maximize facility access for those who need it most while offering the ability of quickly locking down multiple shelter areas – or an entire facility – in the event of emergencies. Based on the size and number of access points of your facility, your security team should consider varying degrees of control measures – and whether or not keys (least secure/easiest copied or lost), keycard, or keyless (most secure, most difficult to copy) will work best for your facility.

Further reading:

Protecting Places of Worship: Six Steps to Enhance Security Against Targeted Violence Fact Sheet from CISA

FEMA Nonprofit Security Grant Program

Best practices from Jewish Security Network