Volunteer-specific awareness

The volunteer population presents a distinct awareness challenge. Volunteers may range from students doing community hours through to retired professionals with decades of relevant experience. They are not employees, the communication channels are less reliable, and their engagement with the organisation varies from one afternoon a month to five days a week.

Calibrating the approach

Not all volunteers have the same access or the same risk profile. A volunteer who helps with event setup and has access to a shared team calendar presents a different security context from a volunteer who processes donation records in the CRM, manages the social media accounts, or acts as a foster carer coordinator with access to sensitive case information.

Calibrate the awareness effort to the access level. Someone with minimal access to low-risk information does not need the same depth of training as someone who can view and edit donor payment information. But everyone needs the basics: what to do if something seems wrong, and who to contact.

How to reach the volunteer population

Volunteers often do not receive regular email from the organisation in the way employees do. They may not attend team meetings. Relying on an annual email with a training link will not reach everyone.

More effective approaches include a short security briefing as part of volunteer induction, a one-page reference guide given to every volunteer (what phishing looks like, what to do if something seems wrong, who to contact), and occasional awareness messages through whatever channel actually reaches your volunteers, which may be WhatsApp, a volunteer newsletter, or a noticeboard at the shelter.

MFA for volunteers

The MFA rollout section covers this in more detail. The short version: require MFA for volunteers who have access to sensitive systems. For volunteers with minimal access, make MFA as easy as possible to set up and provide hands-on help during the rollout. For volunteers who genuinely cannot use standard MFA methods, find an alternative rather than creating a permanent exception with no review date.

Volunteers as a social engineering target

Volunteers are sometimes targeted specifically because attackers assume they have less security awareness than paid staff. A volunteer who answers the main enquiries line, or who manages the social media accounts, or who is publicly named as a coordinator in organisational communications, may receive targeted approaches.

Make sure volunteers who have public-facing roles know they may be targeted, know what to be cautious about, and know how to escalate if something feels wrong.