Volunteer awareness
The volunteer population presents a distinct awareness challenge. Volunteers range from students doing community hours to retired professionals with decades of relevant experience. They are not employees, the communication channels are less reliable, and their engagement with the Home varies from one afternoon a month to five days a week. The afternoon session format works well for staff. It does not scale to a volunteer population of several thousand people who are never all in the building at the same time.
Calibrating to access level
Not all volunteers carry the same risk profile. A volunteer who helps with event setup and has access to a shared team calendar is a different security context from one who processes donation records in Covenant, manages the Adopt-a-Legend correspondence, or coordinates foster care placements with access to resident case information in Bestiary.
The awareness effort should be calibrated accordingly. Someone with minimal access to low-sensitivity information does not need the same depth of training as someone who can view and edit donor payment information. But everyone needs the essentials: what to do if something seems wrong, and who to contact. These two things should be covered at induction for every volunteer regardless of role, because they are the minimum that makes reporting possible.
How to reach volunteers
Volunteers often do not receive regular communication from the organisation in the way staff do. They may not attend team meetings, may not read the staff newsletter, and may not encounter the awareness posters in the main office if they work primarily in the east wing or the medical bay. Relying on an annual email with a training link will not reach everyone, and it will not reach them at the right moment.
More effective approaches are a short security briefing as part of every volunteer induction, delivered in person by whoever is running the induction rather than delegated to an online module; a one-page reference card given to every volunteer at induction and available at the front desk, covering what phishing looks like, what to do if something seems wrong, and who to contact; and occasional awareness messages through whatever channel actually reaches the volunteer population, which at the Home includes The Coven for the night shift, the volunteer newsletter, and the noticeboard in the communal dining room, which is read by everyone eventually.
MFA for volunteers
The MFA rollout guidance covers this in more detail. The short version is: require MFA for volunteers who have access to sensitive systems. For volunteers with minimal access, make MFA as easy as possible to configure and offer hands-on help during the initial rollout. For volunteers who genuinely cannot use standard MFA methods due to device constraints or accessibility needs, find a documented alternative with a review date rather than creating a permanent exception with no oversight.
Volunteers as social engineering targets
Volunteers are sometimes targeted specifically because attackers assume they have less security awareness than paid staff. A volunteer who answers the main enquiries line, manages social media accounts, or is publicly named as a coordinator in the Home’s communications may receive targeted contact. The Adopt-a-Legend programme publishes the names of the team members who write the monthly updates. The Home’s website names the volunteer leads for several programmes. This is appropriate transparency, but it also answers questions that an attacker researching the organisation would want answered.
Volunteers with public-facing roles should be told directly that targeted approaches are a possibility, what those approaches might look like, and how to escalate. This is not a reason to alarm them. It is a reason to make sure they are not surprised, because surprise is what social engineering depends on.