What do we do with all this paper?
It is likely that your organization has a lot of information that is printed on paper, written in notebooks, or scribbled down on Post-it notes. Some of this can be very sensitive: printouts of budgets, lists of participants, sensitive letters from donors, and notes from private meetings. It is essential to think about the security of this information as well. If you absolutely need to keep hard copies of sensitive information, ensure that it is stored safely in a locked cabinet or another safe place. Do not keep any private or sensitive information (including passwords) lying around on a desk or written up on a whiteboard. If you believe your organization to be at high risk of a break-in or raid, keep highly sensitive information in a less targeted location.
To the extent possible, endeavor to dispose of unneeded hard-copy information. Remember: if you do not have it, it cannot be stolen. Set an organizational policy regarding ownership of hard-copy notes, and be sure to collect any paper notes from staff if they decide to leave or are let go from the organization, just like you would collect an organization-issued computer or phone. To get rid of sensitive paper, purchase a quality shredder. A fun end-of-week activity can be taking a 15-minute break with your staff to shred any leftover, sensitive printouts or notes from the prior week.
The office policy
Although for many the realities of “the office” have changed significantly since the beginning of the COVID-19 pandemic, it is still important for your organization to set a clear policy regarding office access. Such a policy should address key questions including who is allowed inside the office (and when), who can access what office resources (like the WiFi network), and what to do about guests.
A simple yet important question to answer is who gets an office key. Only trusted staff should have keys, and locks should be changed when staff leave and/or on a semi-regular basis. During the day, any doors that are left unlocked should be in constant view of someone trusted in the organization. Also consider whether your organization has a trusted relationship with your landlord or cleaning staff. Think about what information or devices such people might have access to and ensure that it is protected, particularly if you do not have that trusted relationship. Whoever has access, someone trusted should always be designated to lock up the office and ensure devices are properly secured before leaving at the end of the day.
Are guests allowed inside the office? If so, ensure they do not have access (or at least unattended access) to devices or sensitive hard-copy data. If it is a requirement or expectation that guests have internet access when they visit, you should set up a “guest” network so that such guests do not have the ability to monitor your regular traffic. In general, only trusted personnel should be able to access the network and network devices such as printers. It is also usually a good idea to require guest registration so that you have a log of who has visited.
As you develop an office policy, the goal should be to allow only trusted people access to sensitive devices, documents, spaces, and systems.
Supporting staff and volunteers
Physical security threats to your organization can impact your staff too. Similar to harassment on social media, these physical security threats often disproportionately impact women and marginalized communities. It is not just about broken windows and stolen laptops. Intimidation, threats or instances of physical or sexual violence, domestic abuse, and fear of attack can have a serious negative impact on the lives of staff. For organizations that work with or support politically active women in particular, NDI’s #Think10 Safety Planning Tool is a useful resource to provide those who might be at increased personal risk as a result of their activity.
The well-being of staff is obviously an important asset to them as individuals, but it is also a crucial element of a healthy and well-functioning organization. To that end, consider what additional resources you can provide to staff to keep them protected and, in the case of physical or digital attack, help them recover. As mentioned earlier in the Handbook, this means at a bare minimum developing a list of resources that you can connect staff to for legal, medical, mental health, and technical assistance if needed. Once again, PEN America’s Online Field Harassment Manual includes ideas for how organizations can support staff during and after crises, and Tactical Tech’s Holistic Security Manual includes relevant content on how organizations often respond during times of intense threat.