By: Natalie Johnson
For most of American history, churches have worried about attendance, doctrine, and community trust. Very few have worried about ransomware.
That omission is no longer sustainable. As churches digitize their giving, communications, and operations, they have quietly become some of the most vulnerable institutions in the country. They store sensitive personal data. They operate on limited budgets. They rely on volunteer labor. And perhaps most critically, they assume goodwill in a digital environment that rewards exploitation.
Jonathan Hernandez has seen what happens when that assumption breaks.
A cybersecurity professional with experience spanning government work, Fortune 100 companies, and healthcare systems, Hernandez now finds himself fielding calls from pastors and church administrators facing threats they never imagined would target them. His path from the Philippines to Ohio to a seminary in Kentucky has positioned him as a leading voice in a neglected corner of the tech world.
Why Churches Are the Ideal Target for Hackers
From a technical standpoint, churches present an ideal attack surface.
Many rely on aging systems assembled through years of incremental fixes. Budgets are often allocated toward visible ministry needs rather than invisible infrastructure. Volunteers manage critical platforms with minimal training. Security updates are delayed. Passwords are reused. Backups are incomplete or nonexistent.
The most dangerous vulnerability, Hernandez says, is cultural.
“Churches operate on trust,” he explains. “That trust works beautifully in person. Online, it becomes a liability.”
Churches collect donation data, contact information, counseling records, and, in some cases, background check materials for children’s ministry volunteers. Hackers know this. They also know churches rarely maintain incident response plans, legal counsel for breaches, or cyber insurance coverage. A single phishing email can compromise an entire organization.
Unlike corporations, churches often assume they will not be targeted. That assumption is precisely what attackers exploit.
The Unexpected Rise of a Church Cybersecurity Specialist
Over the past year, Hernandez’s inbox has filled with invitations that did not exist before. Churches began asking him to assess their systems. Conferences invited him to speak. Administrators reached out quietly after noticing suspicious activity. What emerged was a clear pattern of unmet need.
“I didn’t plan to work in this space,” Hernandez says. “But once I saw the gap, I couldn’t ignore it.”
His background positioned him to respond where few others could. He understands enterprise-level security threats, but he also understands how churches operate, often with limited resources, volunteer-run systems, and a deep sense of relational trust. That combination has made him uniquely effective in a space largely overlooked by both the tech world and the church.
At conferences, Hernandez watches leaders react in real time as he walks through common attack vectors. Many are stunned by how exposed their systems are. Others realize, often uncomfortably, that they are already vulnerable. What distinguishes Hernandez in these rooms is not only technical fluency, but the way he frames risk without condemnation.
He does not approach churches as negligent. He approaches them as responsible leaders who were never given the information they needed.
How Seminary Shapes Crisis Response
Hernandez’s seminary training has not softened his technical advice. It has sharpened it.
When churches experience breaches or near misses, fear and blame often follow. Seminary has shaped how Hernandez navigates those moments. He emphasizes shared responsibility over individual fault. Recovery over accusation. Education over embarrassment.
“Once blame enters the room, the technical problem becomes relational,” he says. “And then you have two crises instead of one.”
Christian ethics also inform how he frames data privacy. Protecting information is not merely a compliance issue. It is a pastoral responsibility. Churches hold stories, struggles, and identities entrusted to them. Mishandling that data violates care, not just policy.
His theological training has taught him to ask different questions. Not only what failed, but who is hurting. Not only how to secure systems, but how to rebuild trust.
The Church’s Digital Blind Spot
Across regions, Hernandez encounters the same misconception. Churches believe that moral integrity makes them less attractive targets.
“That is exactly why they are targeted,” he says. “Attackers look for places where skepticism is low.”
Artificial intelligence has accelerated this vulnerability. Deepfake audio can imitate pastors requesting urgent transfers. AI-generated emails mimic familiar writing styles. Social engineering attacks now scale with alarming precision.
When Hernandez explains these threats, pastors often respond with disbelief, then concern, and finally urgency. Many admit they assumed technology was neutral or peripheral to spiritual leadership. That assumption no longer holds.
When Vulnerability Becomes Visible
At a recent U.S. conference, Hernandez guided church leaders through a simulated breach scenario. Within minutes, administrators saw how interconnected their systems were and how quickly damage could cascade. Several realized they were one incident away from operational paralysis.
Internationally, similar conversations take on even greater weight. In parts of Asia, churches face digital surveillance alongside cybercrime. There, cybersecurity is not only about finances. It is about safety and continuity.
“These are global conversations,” Hernandez says. “The threats just wear different faces.”
What unites them is unpreparedness. Churches often discover their vulnerability only after harm occurs.
Faithfulness Is Not Passivity
Hernandez is careful not to frame cybersecurity as fear-driven. He frames it as stewardship.
Faithfulness, he argues, does not mean inaction. It means responsibility. Ignoring risk does not demonstrate trust in God. It abdicates care for people.
If every church asked for his help tomorrow, Hernandez would begin with culture before code. He would build security awareness as a form of discipleship. Train leaders who could educate their congregations. Document systems so that churches are not dependent on a single individual. Prepare response plans so panic does not dictate decisions.
“Security is not about locking everything down,” he says. “It is about making sure the mission can continue when something goes wrong.”
A Mission Still Taking Shape
Hernandez does not present himself as a savior for the church’s digital crisis. He presents himself as a servant responding to a visible need.
Through consulting, teaching, public speaking, and training, he hopes to help churches recognize risks before damage occurs. The emotional burden, he admits, is witnessing communities remain unaware of vulnerabilities that could fracture trust overnight.
“I wish more churches understood that being targeted does not mean they failed spiritually,” he says. “It means they live in the same digital world as everyone else.”
American churches are not under siege because they are weak. They are under siege because they are trusted, connected, and often unguarded. In an AI-accelerated world, that combination demands attention.
Jonathan Hernandez is paying attention. And increasingly, the church is listening.
Church leaders seeking expert guidance on cybersecurity risks, digital preparedness, and safeguarding their congregations in an increasingly digital world can contact Jonathan Hernandez at itsjhernandez14@gmail.com for education, training, and consultation.
Disclaimer: The information provided in this article is for educational purposes only and does not constitute professional advice. Church leaders should consult with qualified cybersecurity professionals for specific guidance tailored to their needs.
