This is not a criticism of volunteers. It is a fact about how attacks work. Volunteers bring personal devices, use personal email, share login credentials, and rotate in and out of organizations without a formal offboarding process.
Each of those patterns creates an opening for attackers. In 2026, those openings are being exploited more often and with more sophisticated tools than ever before.
The Personal Device Problem
71% of nonprofits allow volunteers to use personal, unsecured devices on organizational networks. A volunteer’s phone or laptop often runs outdated software, has no endpoint protection, and connects to multiple networks throughout the day.
When a volunteer connects to your network, every vulnerability on their device becomes your problem. Attackers look for exactly this: an unpatched personal device with access to organizational data.
Shared Credentials Multiply Risk
Shared login credentials are common in nonprofits. One account for the donor database, used by five people. One email platform login, passed around in a group text.
When someone leaves, the credential stays active. When one person’s personal account gets compromised, every system using that shared password is now at risk. There is no way to audit who accessed what, or when.
The Offboarding Gap
Most nonprofits do not have a formal offboarding process for volunteers. Accounts stay active after someone leaves. Former volunteers, who had legitimate access, retain the ability to log in weeks or months later.
This is not a volunteer behavior problem. It is a process gap. Volunteer access needs to be treated the same way staff access is treated.
What to Do Right Now
Create a network policy. Personal devices connect to a separate guest network with no access to organizational systems. Set this up on your router today. Most modern routers support it at no cost.
Stop sharing credentials. Every person who needs system access gets their own account. This costs nothing on most platforms and gives you the ability to revoke access instantly when someone leaves.
Build an offboarding checklist. When a volunteer finishes, their access gets removed within 24 hours. Make this a standard step, not an afterthought.
Run a quarterly access audit. Pull a list of every active account across every system and remove anyone who no longer needs access.
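One way to run the quarterly access audit and the 24-hour offboarding check together, as an added example that is not part of the original post. The roster, the account export format, and every name and date in it are constructed assumptions.

```python
from datetime import datetime, timedelta

REVOKE_WITHIN = timedelta(hours=24)  # offboarding window from the checklist step

# Constructed sample roster: person -> departure time (None = still active).
ROSTER = {
    "ana": None,
    "ben": datetime(2026, 3, 1, 17, 0),
    "cho": datetime(2026, 3, 9, 12, 0),
}
# Constructed export of active accounts: (system, login, people who use it).
ACCOUNTS = [
    ("donor-db", "ana", ["ana"]),
    ("donor-db", "ben", ["ben"]),
    ("email-platform", "office", ["ana", "ben", "cho"]),
    ("file-share", "cho", ["cho"]),
    ("file-share", "temp1", ["dee"]),
]

def audit(accounts, roster, now):
    """Return (system, login, reason) for every active account needing action."""
    findings = []
    for system, login, users in accounts:
        if len(users) > 1:
            # Shared login: no way to tell who did what, so flag it outright.
            findings.append((system, login, "SHARED"))
        for person in users:
            if person not in roster:
                findings.append((system, login, f"UNKNOWN_OWNER:{person}"))
                continue
            left = roster[person]
            if left is None:
                continue  # still active, access is expected
            if now - left > REVOKE_WITHIN:
                findings.append((system, login, f"OVERDUE:{person}"))
            elif now >= left:
                findings.append((system, login, f"REVOKE_DUE:{person}"))
    return findings

if __name__ == "__main__":
    for system, login, reason in audit(ACCOUNTS, ROSTER, datetime(2026, 3, 10, 9, 0)):
        print(f"{system:15} {login:8} {reason}")
```

A shared login that a departed volunteer used cannot simply be disabled; replace it with individual accounts and change the old password.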
If your organization does not have the staff to manage this, a fractional cybersecurity consultant builds these processes for you. You get the controls without the cost of a full-time internal hire.
