The Hidden Cybersecurity Risk in Charities

Volunteers
Almost every charity has them… volunteers! We can’t live without them. Yet did you
realise that volunteers can also increase your cybersecurity risks?

Let’s dive in deeper.

In workplace laws, the responsibilities of an organisation to a volunteer are no different than their obligations to a paid employee. Yet, how do most charities treat employees compared to a volunteer?

Two Paths: Employees vs Volunteers

When a charity hires a new employee, there’s usually a well-defined process.

Staff are often issued work devices, granted secure access to systems, and covered
by policies such as Acceptable Use of Technology, Privacy, and even those related
to Artificial Intelligence (AI) use.

But when a volunteer joins, especially someone already known to the team, the
process tends to be informal or even ad hoc.

Sometimes, a volunteer is simply added to an email list or given access to a shared
folder without any formal introduction to the organisation’s policies or systems.

This may not seem like a big deal until you consider the kind of information
volunteers often see and handle.

A Privacy Breach Waiting to Happen

I remember doing a cybersecurity risk audit for a Not for Profit not too long ago. A few volunteers had full access to their stakeholder database.

At some stage, one of these volunteers decided to download the entire database into their own files.

The organisation only found out about this later when the volunteer started sending
their personal business marketing emails to some of the stakeholders.

With the new Privacy Act rules, this could have been a reportable breach to the Office of
the Australian Information Commissioner.

How the Volunteer Gap Creates Cyber Risks

Let’s take a closer look at some of the main ways the volunteer/staff divide can
create cybersecurity vulnerabilities.

1. Device and Email Security
I once worked with a charity that did a lot of advocacy work, which could be considered politically sensitive.

One of the Board Directors worked for the Prime Minister of the day. Can you
imagine the horror of discovering that all the sensitive charity emails to the Board were being sent to her work email address?

And yet, this would never have happened with an employee.

Employees are usually given organisation-issued devices that are monitored, secured, and updated regularly.

Their email accounts are within the charity’s domain, often protected with multi-factor
authentication (MFA), encryption, and malware scanning.

Volunteers, however, typically use their personal laptops, tablets, or smartphones, and their personal or work email addresses. That means:

• Sensitive documents might be saved on unsecured personal devices.
• Stakeholder data could be stored or forwarded to personal or work inboxes.
• Passwords may be reused or stored insecurely.

Worse still, the charity has no way to remotely wipe or control the data once it leaves
the organisation’s systems.

2. Lack of Cybersecurity Training
Did you know that 70% or more of all cybersecurity breaches are caused by human
error or neglect?

Most staff are required to participate in regular compliance training, including data protection and cybersecurity awareness. They may complete annual refresher
courses or simulated phishing exercises.

Volunteers, however, rarely receive any formal training. As a result, they may:

• Fall victim to phishing attacks more easily.
• Use weak or recycled passwords.
• Be unaware of how to spot and report suspicious activity.

For cybercriminals, volunteers are a vulnerable entry point, especially if they have
access to key systems.

3. Access Without Oversight
Employees are typically granted access to systems based on their role, and those
permissions are monitored, reviewed, and revoked when they leave.

Volunteers may be given access to:

• Stakeholder databases
• Financial documents
• Grant applications
• Shared drives with sensitive internal information

Unfortunately, access is rarely tracked. And when a volunteer leaves, there’s often
no formal process to remove them from systems. In some cases, former volunteers
retain access to confidential systems and emails for months, or even years.

4. Informal Document Sharing
In many charities, volunteers use tools like Google Drive, Dropbox, or email to share
documents. While these tools are convenient, they’re also outside the organisation’s
control unless properly configured. This means:

• No audit trail of who accessed or edited a file
• No centralised storage or version control
• Sensitive files are being downloaded and stored permanently on unsecured
devices

Practical Steps to Reduce Risk

Volunteers are often the lifeblood of charities, but the lack of structure in how they’re
managed can pose a real risk to stakeholder privacy and organisational security.

In an era where data breaches can damage reputations and result in fines or loss of
funding, charities cannot afford to overlook this gap.

Here are some low-cost, high-impact actions every charity should consider:

1. Introduce a Basic Volunteer Onboarding Process
Even a simple checklist can help. Make sure every volunteer gets a short
briefing on privacy, IT use, and security basics, just like an employee.

2. Restrict Access to ‘Need to Know’
Don’t give every volunteer full access to systems or stakeholder data. Define
roles and set permissions accordingly.

3. Use Organisation-Controlled Platforms
Avoid sharing sensitive information over personal email or uncontrolled cloud
drives. Use your charity’s official systems wherever possible, including a
Board Portal system for directors.

4. Provide Basic Cybersecurity Training
Offer simple videos or checklists that explain how to stay safe online. Make it
part of the onboarding process, not optional.

5. Formalise Offboarding
Revoke access to systems and shared folders as soon as a volunteer finishes
their role. Keep a record of who has access to what, and audit it periodically.

Final Thoughts

With valuable data on donors, clients, and other stakeholders, charities are
vulnerable to cybersecurity attacks.

And while prevention measures may be in place for staff, volunteers can accidentally
open the door to major risks.

It’s time to bring volunteers into alignment. With just a few simple steps, charities can
reduce their exposure while continuing to honour the invaluable contributions of their volunteers.

Tammy Ven Dange of Roundbox Consulting is a former charity CEO, Not for Profit Board
Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially
around investments and cybersecurity risk mitigations.