The State of Church Payroll Security 2026: A Benchmark Report

Cyberattacks on nonprofits are rising. Read our 2026 benchmark report on church payroll security threats, financial costs, and how to protect your data.

Executive Summary

For the first time, the average American church is more likely to face a cybersecurity incident in a year than a building problem. This is supported by data from several sources covering 2023 to 2025. Cyberattacks against nonprofits increased by 30% in 2024 (BDO 2025) and by another 241% from 2024 to 2025 (NetHope 2025). Faith-based organizations are among the most targeted groups (Okta 2026).

This 2026 edition of The State of Church Payroll Security is intended to serve as an annual benchmark for church leaders. APS plans to refresh the report in 2027 with updated incident data, cost benchmarks, and control adoption trends so churches can track their progress over time.

This report aggregates the publicly available evidence on church payroll security across five dimensions:

  1. Threat exposure: how many churches are being attacked and by which methods
  2. Financial loss: what an incident actually costs a faith-based organization
  3. Compliance posture: where churches face the most risk in payroll-specific compliance (housing allowance, dual-status, classification)
  4. Operational readiness: which controls are usually in place and which are missing
  5. The path forward: the few changes that can close most of the gap

Three headline findings:

  • Over 70% of churches have been targeted by a cyberattack (Olusanya, 2025), but only a small number have invested in basic controls such as multi-factor authentication or formal offboarding processes. As immediate next steps, church administrators should enable multi-factor authentication on all payroll and financial systems, and put in place a simple written process for offboarding departing staff. These two actions provide the most impactful starting point for quickly improving security.
  • Employee personal information is the most valuable data in a church office. It makes up 37% of all breached records, with an average remediation cost of $168 per record (IBM 2025). For a church with 25 staff, this means a minimum exposure of $4,725 per incident.
  • Most failures are not complex. Business Email Compromise (BEC), direct deposit redirection, and credential theft account for most reported losses. All three can be prevented by the same three controls: MFA, out-of-band verification, and employee self-service direct deposit.

There is reason for hope: the gap between where most churches are now and being well-defended is small. The same five to seven controls appear in every framework. The most impactful controls are:

  • Multi-factor authentication (MFA) on payroll system access
  • Written wire and direct deposit change policy
  • Same-day offboarding and immediate access removal for departing staff
  • Use of a dedicated, church-owned device for payroll
  • Employee self-service for direct deposit changes with verification
  • Regular user list reviews
  • Properly documented clergy compensation and housing allowance policies

Putting them in place takes hours, not months. For most churches, the missing piece is not ability, but the decision to act.
