How often should volunteers receive cybersecurity training?

Full training during onboarding, then brief monthly reminders and a quarterly phishing simulation. Long-term volunteers should refresh their training every 6 months.

Are there free cybersecurity training materials for NGOs?

Yes — Cyber Readiness Institute offers a free training program for organizations. NIST and ENISA publish free educational materials. Google Phishing Quiz provides interactive phishing recognition testing.

How to convince volunteers to take cybersecurity seriously?

Show real consequences — stories of attacks on NGOs where beneficiary or donor data was leaked. Emphasize that protecting data means protecting the people the organization serves.

Cybersecurity Training for NGO Volunteers

Training volunteers — short, practical, jargon-free

Training volunteers in cybersecurity requires a different approach than training full-time employees. Volunteers donate their time to the organization — training must be short (30 minutes maximum), practical, and free of technical jargon. Instead of lecturing about attack vectors, show concrete examples of fake emails from the NGO context. Volunteers learn best from real examples — use anonymized incidents from your own organization or the nonprofit sector.

Three-module training program

Module 1 — Recognizing Phishing (10 minutes): Show 3-5 examples of fake emails typical for NGOs. Teach checking the sender address, hovering over links before clicking, and verifying unusual requests through an alternative channel. Module 2 — Secure Passwords and MFA (10 minutes): Hands-on configuration of a password manager and authenticator app on the volunteer’s phone. Module 3 — Organization Security Procedures (10 minutes): Who to report suspicious emails to, how to handle donor data, rules for using personal devices for NGO work.

Maintaining awareness with high volunteer turnover

A one-time training is not enough — the key is embedding cybersecurity into the volunteer onboarding process. Prepare a short welcome material (video or PDF) that every new volunteer receives along with access credentials. Send monthly brief reminders about current threats. Conduct quarterly phishing simulations — free tools like GoPhish allow sending test emails and checking who clicked. Recognize volunteers who report suspicious messages — positive reinforcement is more effective than penalties.

Cybersecurity for Your Industry

Learn more about cybersecurity in your industry:

Cybersecurity for NGO & Foundations

Why this matters for organizations

Volunteers are the strength of nonprofits, but without training they can be a security risk. Learn a practical cybersecurity training program for NGO volunteers. In the context of growing cyber threats and tightening regulations (NIS2, DORA), organizations must proactively manage this security area. Failure to implement adequate safeguards can lead to data breaches, financial penalties, and reputational damage.

Best practices for implementation

Effective implementation requires several key steps:

Risk assessment and inventory — identify assets, threats, and vulnerabilities specific to your organization.
Policy development — document requirements, roles, and responsibilities.
Technical controls — deploy tools and configurations proportionate to identified risks.
Training and awareness — engage employees in protecting organizational security.
Monitoring and continuous improvement — regularly verify effectiveness and adapt to the evolving threat landscape.

How to Train Volunteers in Cybersecurity — A Practical Program for NGOs

Training volunteers — short, practical, jargon-free

Three-module training program

Maintaining awareness with high volunteer turnover

Cybersecurity for Your Industry

Why this matters for organizations

Best practices for implementation

Tags:

Share:

Talk to an expert

Grzegorz Gnych

Want to Reduce IT Risk and Costs?