Case Study – Protecting a Mid-Sized Church from Network-Based Attacks After an Email Breach

A mid-sized church in southern Oregon with 4 staff and roughly 100 weekly attendees reached out after a staff email account was compromised. Leadership wanted assurance that the broader church network was secure and that a similar incident could not escalate into something much more damaging. With no in-house IT staff and a volunteer-led tech team, they needed a partner who could assess risk, fix critical issues, and help manage their environment going forward.
Challenge: “If Email Was Hacked, What Else Is at Risk?”
After the email compromise, the senior pastor and board were concerned that attackers might also be able to reach other systems on the church network. They worried about:
- Whether internet-facing systems were properly hardened.
- Whether internal devices and servers could be abused as a foothold.
- How much risk they carried without a dedicated IT/security person.
The church asked us to perform a focused network penetration test and then provide ongoing guidance to keep their environment secure over time.
Approach: One-Week Internal and External Network Penetration Test
We proposed a one-week engagement that combined discovery, testing, and remediation support:
- Scope:
  - External IP ranges.
  - Internal network segments.
  - Key endpoints and servers.
- Method:
  - Black-box vulnerability scanning and validation.
  - Risk analysis mapped to CIS Controls to keep remediation practical and prioritized.
  - Clear, non-technical reporting for leadership, plus actionable tasks for volunteers.
At the end of the week we delivered a detailed report and a prioritized remediation plan; follow-up validation testing then confirmed that the critical findings had been resolved.
Key Findings: Critical Camera System Exposure and Endpoint Risks
The assessment uncovered several issues that could have led to serious disruption if left unaddressed:
- Critical, unpatchable camera system vulnerability. We identified a known critical remote code execution (RCE) vulnerability in the on-site camera system. The vendor no longer provided firmware or software updates for that hardware, so the flaw could not be patched, and the cameras were reachable from the internet, making them a potential entry point into the network. We coordinated with the church's existing security company to plan the replacement of this system with a supported, patchable solution.
- High- and medium-risk endpoint configuration issues. Multiple endpoints and servers had misconfigurations and outdated settings that increased the likelihood of compromise, including insecure default settings and missing hardening steps that would make it easier for an attacker to move laterally after gaining a foothold through phishing or another entry vector. Using prebuilt, tested hardening scripts, we remediated these configuration issues and re-tested to confirm that the findings were resolved.
Together, these findings showed that the prior email compromise was a symptom of broader weaknesses in the environment, not an isolated event. Addressing these issues significantly reduced the risk of a future incident spreading across the network.
Remediation: Network Segmentation, Least Privilege, and a Budget-Aware Plan
Following the assessment, we worked directly with the church to implement the most impactful changes first, aligned with CIS Controls and their budget realities:
- Network segmentation. We separated key systems so that a single compromised device (such as a camera) cannot threaten the entire environment. This limits the blast radius of any future incident and draws a clear boundary between higher-risk devices and higher-value systems such as staff workstations and servers.
- Access control and least privilege. We adjusted access so that staff and key accounts have only the permissions they need to do their work, reducing the damage an attacker could do with a compromised user account.
- Budget-phased remediation roadmap. Given the church's limited resources and reliance on volunteers, we broke remediation into phases: immediate phases closed critical and high-risk gaps, while later phases address nice-to-have improvements and longer-term infrastructure upgrades.
We not only recommended these changes but also implemented them, ensuring the church did not have to translate technical advice into action on their own.
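As an added illustration of the segmentation described above (this is example configuration written for this page, not the ruleset deployed during the engagement, which the case study does not show), here is a forward-filtering ruleset for a router running nftables. The interface names, subnets, NVR address and camera ports are assumptions for the example; NAT/masquerade rules are omitted:

```nft
#!/usr/sbin/nft -f
# Added example only: not the configuration from the engagement.
# Assumptions (hypothetical): a router/firewall running nftables with
#   lan0 = staff LAN   (10.10.0.0/24)
#   cam0 = camera VLAN (10.20.0.0/24)
#   wan0 = internet uplink
# and a network video recorder (NVR) at 10.10.0.10 that must pull video.

flush ruleset

define STAFF_IF  = "lan0"
define CAM_IF    = "cam0"
define WAN_IF    = "wan0"
define STAFF_NET = 10.10.0.0/24
define CAM_NET   = 10.20.0.0/24
define NVR_HOST  = 10.10.0.10

table inet segmentation {
    chain forward {
        # Default deny between segments. The flat network this replaces
        # behaved like "policy accept" with no rules at all.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to sessions allowed below.
        ct state established,related accept
        ct state invalid drop

        # Only the NVR may open sessions to the cameras, and only on the
        # video/management ports it needs (RTSP and HTTPS assumed here).
        iifname $STAFF_IF oifname $CAM_IF \
            ip saddr $NVR_HOST ip daddr $CAM_NET tcp dport { 554, 443 } accept

        # A compromised camera gets no path to staff devices or the internet;
        # log the attempt so it shows up in follow-up review.
        iifname $CAM_IF oifname $STAFF_IF \
            log prefix "cam-to-staff blocked: " drop
        iifname $CAM_IF oifname $WAN_IF \
            log prefix "cam-to-wan blocked: " drop

        # Nothing inbound from the internet is forwarded to the camera VLAN
        # (any port forward that used to expose the camera web UI is gone).
        iifname $WAN_IF oifname $CAM_IF drop

        # Staff LAN keeps normal internet access.
        iifname $STAFF_IF oifname $WAN_IF ip saddr $STAFF_NET accept
    }
}
```

Loaded with `nft -f`, this leaves a camera able to answer the NVR's sessions but unable to open a connection to a staff workstation or call out to the internet, and it removes the camera web interface from the internet-facing attack surface until the hardware is replaced. Dropped attempts are logged, which gives the volunteer team something concrete to review between scheduled tests.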
Results: Reduced Attack Surface and Ongoing Protection
Within two weeks, the church had substantially improved its security posture:
- All critical and high-risk findings identified during the assessment were remediated within 14 days.
- The exposed, vulnerable camera system was removed from the attack surface, with a plan in place to replace it with a supported, secure alternative.
- Follow-up scans showed a markedly reduced number of vulnerabilities and misconfigurations across endpoints and servers.
Impressed with both the speed and clarity of the process, the church chose to move into an ongoing relationship that includes:
- Managed security and vCISO-style guidance.
- A bundled program of assessment, remediation, and training.
- Biannual penetration tests to ensure new vulnerabilities do not quietly accumulate over time.
This ongoing partnership gives church leadership confidence that their technology environment is being actively monitored and continually improved, without the need to hire a full-time IT or security team.
How We Help Faith-Based Organizations
Many churches and faith-based nonprofits share a similar profile: limited IT staff, volunteer-led technology, and increasing reliance on email, Wi‑Fi, cameras, and cloud services. A single incident, such as an email account compromise, often reveals that deeper risks may be hiding in the network.
We help churches and faith-based organizations:
- Understand their real-world risk through focused penetration testing.
- Remediate critical issues quickly, using proven frameworks like CIS Controls.
- Implement practical, budget-aware security roadmaps.
- Maintain security over time with managed services, virtual CISO guidance, and regular testing.
If you’d like to discuss how a security assessment and ongoing protection program could work for your church or faith-based organization, we can tailor an engagement to your size, technology stack, and budget.
Strengthen Church Cybersecurity Today!
Give us a call. It’s that easy.