Protecting Physical Security

Protecting Physical Assets

An essential component of information security is the physical security of your devices. In addition to mitigating the impact of a stolen device by using lockscreens and passwords, implementing full-disk encryption, and turning on remote wipe features, you should also consider how to keep those devices from being stolen in the first place. To make theft more difficult, be sure to install strong locks (and rotate them whenever staff change) at the office and/or home. Also consider buying a laptop safe or lockable cabinet to keep devices more protected overnight. Security cameras have become much less expensive, with simple versions designed for home use now widely available. Camera or motion sensor systems around the premises can detect, and hopefully deter, physical break-ins and theft. Look for a privacy-respecting option available in your country, and be sure to select cameras provided by trusted companies that do not have an incentive to hand over data and information to a potential adversary.

If the risk of break-in or office raid is high, keep the organization’s most sensitive data away from the office - either store it safely in the cloud (as discussed earlier) or physically move it to a less targeted location. If old devices still have information stored on them but are no longer in use, consider wiping them - this guide from WireCutter is a great resource on how to do this for most modern devices. If wiping your devices is not possible, you can physically destroy them instead. The easiest, if not the most environmentally sensitive, way to do that is to break up the devices and their hard drives with a hammer. Sometimes the oldest solutions still work the best!

Even before these technical steps, take a moment to create an inventory of all the equipment in the organization. If you do not have a list of all your devices, it is harder to keep track of what might be missing if one gets stolen.

Setting up your own office security system

If a full office security system is out of your organization’s budget and you’re particularly concerned about privacy, you can try a creative option like the Guardian Project’s Haven App to notify you of potential office intrusion. Haven is a smartphone app that can turn any Android phone into a motion, sound, vibration, and light detector. You can set up the app on a few cheap Android devices at different points in the office to notify you of, and record, any unexpected guests and unwanted intruders. The Haven App can also be useful to set up in a hotel room or apartment if you are at heightened risk. A full security system is best, but if that’s out of reach and you’d like to learn more about how to use the Haven app, you can visit the project website.

What do we do with all this paper?

It is likely that your organization has a lot of information that is printed on paper, written in notebooks, or scribbled down on post-it notes. Some of this can be very sensitive: printouts of budgets, lists of participants, sensitive letters from donors, and notes from private meetings. It is essential to think about the security of this information as well. If you absolutely need to keep hard copies of sensitive information, ensure that they are stored safely in a locked cabinet or other safe place. Do not keep any private or sensitive information (including passwords) lying around on a desk or written up on a whiteboard. If you believe your organization to be at high risk of a break-in or raid, keep highly sensitive information in a less targeted location.

To the extent possible, endeavor to dispose of unneeded hard-copy information. Remember: if you do not have it, it cannot be stolen. Set an organizational policy regarding ownership of hard-copy notes, and be sure to collect any paper notes from staff if they decide to leave or are let go from the organization (just like you would collect an organization-issued computer or phone). To get rid of sensitive paper, purchase a quality shredder. A fun end-of-week activity can be taking a 15-minute break with your staff to shred any leftover, sensitive print-outs or notes from the prior week.

The office policy

Although for many the realities of “the office” have changed significantly since the beginning of the COVID-19 pandemic, it is still important for your organization to set a clear policy regarding office access. Such a policy should address key questions including who is allowed inside the office (and when), who can access what office resources (like the WiFi network), and what to do about guests.

A simple yet important question to answer is who gets an office key. Only trusted staff should have keys, and locks should be changed when staff leave and/or on a semi-regular basis. During the day, any doors that are left unlocked should be in constant view of someone trusted in the organization. Also consider whether the organization has a trusted relationship with your landlord or cleaning staff. Think about what information or devices such people might have access to and ensure that it is protected, particularly if you do not have that trusted relationship. Regardless of who has access, someone trusted should always be designated to lock up the office and ensure devices are properly secured before leaving at the end of the day.

Are guests allowed inside the office? If so, ensure they do not have access (or at least unattended access) to devices or sensitive hard-copy data. If it is a requirement or expectation that guests have internet access when they visit, set up a separate “guest” network so that guests cannot monitor your regular traffic or reach devices on your internal network. In general, only trusted personnel should be able to access the network and network devices such as printers. It is also usually a good idea to require guest registration so that you have a log of who has visited.

As you develop an office policy, the goal should be to allow only trusted people access to sensitive devices, documents, spaces, and systems.

Supporting staff and volunteers

Physical security threats to your organization can impact your staff too. Similar to harassment on social media, these physical security threats often disproportionately impact women and marginalized communities. It is not just about broken windows and stolen laptops. Intimidation, threats or instances of physical or sexual violence, domestic abuse, and fear of attack can have a serious negative impact on the lives of staff. For organizations that work with or support politically active women in particular, NDI’s #Think10 Safety Planning Tool is a useful resource to provide to those who might be at increased personal risk as a result of their activity.

The well-being of staff is obviously an important asset to them as individuals, but it is also a crucial element of a healthy and well-functioning organization. To that end, consider what additional resources you can provide to staff to keep them protected and, in the case of physical or digital attack, help them recover. As mentioned earlier in the Handbook, this means at a bare minimum developing a list of resources that you can connect staff to for legal, medical, mental health, and technical assistance if needed. Once again, PEN America’s Online Field Harassment Manual includes ideas for how organizations can support staff during and after crises, and Tactical Tech’s Holistic Security Manual includes relevant content on how organizations often respond during times of intense threat.

Booking travel securely for your organization

When putting together a travel policy, also keep in mind what information might be exposed when you organize or book travel. This can be particularly important if you are organizing large events, trainings, or conferences for which you are handling sensitive information from a variety of staff, partners, or attendees. Think carefully about how you will securely share and store (if needed) personal information like passport details, travel itineraries, and medical records.

Security while traveling

Traveling - whether to another country or the town down the road - often intensifies physical and information security risks. It is generally safe to assume that you and your devices have no privacy rights when crossing borders. As such, it is a good idea to include an organizational travel policy within your security plan that includes reminders about key security best practices.

Your organization’s travel policy should include much of the information covered in other sections of the Handbook, including securely using the internet and keeping devices and other information sources physically secure and with you at all times when traveling. If possible, leave your sensitive information behind and use a fresh, cleanly erased computer instead: access only the files you absolutely need from the cloud, and then erase the computer again when you get home.

In addition to preparing for travel and minimizing the data shared when you do travel, there are a few essential operational tips that you should think through and include in your organizational travel policy.

Consider using travel-specific laptops or phones that have little to no sensitive data stored on them. If most of your organization’s work is done in the cloud, a relatively inexpensive Chromebook can be a good option for such a device. Factory reset, or “wipe”, these devices upon their return before connecting to common WiFi networks at home or the office.

Prepare staff for what to do if they are questioned by authorities or stopped at a border crossing. Consider how you can limit the amount of information that someone travels with if this is a concern, and create check-in protocols for staff traveling to sensitive regions. Provide staff with contact information and a plan of action for what they should do if something goes wrong on their trip. This includes information about local hospitals, clinics, or pharmacies should they need medical assistance while traveling.

Staff should also keep all devices on their person while traveling. For example, keep your laptop at your feet (not in the overhead compartment or in checked luggage) when on a bus, train, or plane. Do not assume a hotel room – or even the hotel safe – is a “safe place” to keep sensitive devices and items. And do not trust public USB charging ports. USB charging ports in airports, stations, and vehicles are becoming an increasingly common sight, and a very convenient way to power up devices. But because a USB port carries data as well as power, they can be an easy vector for picking up malware. So be sure to either charge devices the traditional way through a plug in the wall, or purchase USB data blockers (adapters that pass power but not data) to allow traveling staff to safely charge their devices via USB.

Protecting your Physical Security

  • Remind staff to keep devices physically protected at all times.
  • Check and secure all the ways people can get into your space - doors and windows.
  • Develop an office guest and access policy.
  • Use strong locks, and rotate/change them when needed.
  • Consider setting up a camera or other office security system.
  • Have and use a paper shredder.
    • Set up dedicated staff time to dispose of hard-copy documents that contain sensitive information.
  • Develop a list of local professionals, organizations, and law enforcement agencies that you can connect staff to for legal, medical, and mental health assistance in response to physical attacks or threats.
  • Develop an organizational travel policy.
  • Ensure staff know what to do in case of emergency during travel, including preparing staff for what to do if stopped at a border or checkpoint.
  • Ahead of any local, national, or international travel, remind staff to limit information stored on devices.
  • Be mindful of the additional data that is created and shared when organizing travel or events.