Protect your information from physical threats

Updated28 June 2018

Table of Contents

...Loading Table of Contents...

    We do a lot of work to protect the information that lives on or passes through our digital devices. But that work can be undone in an instant should one of those devices be lost, stolen, tampered with, confiscated or damaged. Examples might include a bag forgotten on a bus, a backup drive left in an unlocked office, an untrustworthy public computer or a keen eyed neighbor looking over our shoulder. These and many other physical threats can lead to the loss or exposure of sensitive information.

    A careful risk assessment, a consistent effort to maintain a healthy computing environment and a written security policy can help you avoid this type of disaster. Even if you are not working with a formal organisation, it is a good idea to write out guidelines and response plans for yourself and those with whom you work.

    What you can learn from this guide

    • Examples of physical threats to your devices and the information stored on them
    • How to protect your computer and other equipment from some of these threats
    • How to create a healthy operating environment for computers and networking equipment
    • A number of security considerations for your home, your office, public spaces and other locations where you might work
    • A list of software settings that can help protect your devices from physical threats
    • What to consider when creating a security plan for your devices, yourself and those with whom you work

    Assessing your risks

    Organisations and individuals sometimes underestimate the importance of keeping their offices and equipment physically secure. Even those who take steps to protect hardware like computers and backup storage devices from theft, severe weather and other physical threats often fail to document these steps in a written security policy. Formulating such policies may require input from a number of different people, and maintaining them can be time consuming. These activities are extremely valuable, however, in part because they help ensure that small but important details are not forgotten.

    Many organisations have quality locks on their office doors, for example, but too few keep an up-to-date list of how many keys were created and to whom they were distributed. Policy documents are both a way to reach consensus on such details and a way to keep track of them over time. In order to create a useful security policy, you will first need to assess the risks and vulnerabilities you face by evaluating the various ways in which your information might be lost or compromised and considering the impact if it is:

    • Consider the communication channels you use and how you use them. Examples might include letters, faxes, mobile phones, land line phones, emails, Skype, social media and secure messaging platforms, to name just a few.

    • Consider how you store important or sensitive information. Computer hard drives, email and web servers, USB memory sticks, external hard drives, CDs, DVDs, mobile phones, printed paper and hand-written notes are all common means of data storage. In each case, make sure you know whether or not the data are encrypted and who has access to the keys and passwords needed to decrypt them.

    • Consider where these items are physically located. They could be in the office, at home, in someone's luggage, in a recycling bin out back or, increasingly, "somewhere on the Internet." In this last case, it might be quite challenging to to determine the actual, physical location of a particular piece of information.

    • Consider how you destroy sensitive data when you no longer need it. Many shredders work on CDs and DVDs as well as paper documents. Many power drills and most hammers work on hard drives.

    Keep in mind that a given piece of information might be vulnerable in a number of different ways. Just as you might rely on anti-malware software to protect the contents of a USB memory stick from malware, you must rely on a detailed physical security plan to protect the same information from theft, loss or destruction. Some practices, such as having a good off-site backup policy, are helpful against both digital and physical threats while others are more specific.

    When you decide to carry a USB memory stick in your pocket rather than sealed in a plastic bag at the bottom of your luggage, you are making a decision about physical security, even though the information you are trying to protect is digital. As usual, the correct policy depends greatly on the situation. Are you walking across town or travelling across a border? Will somebody else be carrying your bag? Is it raining? These are the sorts of questions you should consider when making decisions like this.

    Creating your physical security policy

    After evaluating the threats to which you might be vulnerable, you should consider what you are currently doing — and what additional steps you can take — to improve your physical security and the security of your information. Discussing these steps with others, writing them down somewhere and revisiting them from time to time is a good way to maintain a detailed security policy. Most people think about security policies in the context of an organisation or an office, but many of the same principles apply to individuals, families and informal networks.

    Your policy document should provide general guidelines for you, for those with whom you work and, if relevant, for newcomers to your organisation. It should also provide a checklist of actions to take in response to various potential incidents. This is particularly important because the stress and chaos of a physical security emergency can make it difficult to respond quickly and appropriately. Having a well documented place to start can help prevent this sort of paralysis. Everyone involved should be given time to read the policy, ask questions about it, contribute to it and implement the standards and practices it describes.

    Your security policy will contain various sections, depending on the circumstances. Examples might include:

    • An office access policy that addresses key distribution, CCTV cameras, alarm systems, cleaning contracts and other such considerations.
    • A policy on guests, including which parts of the office should be restricted to authorised visitors.
    • An inventory of your equipment, including serial numbers and physical descriptions.
    • A policy on securely disposing of paper rubbish that contains sensitive information.
    • A policy on how to remove digital information from devices that are no longer in use.
    • A policy on the use of personal devices for work.
    • Information about access to legal support.

    Your policy will likely address travel-related practices, as well. Examples might include:

    • How to interact with immigration and border security personnel in various circumstances.
    • "Buddy system" policies for travel to sensitive regions, including what to do if a colleague fails to check in as planned.
    • Policies related to travelling with sensitive data or software that might be seen as incriminating.
    • Information about travel insurance, if relevant.

    Emergency response procedures might include:

    • Who to contact in the event of a fire, flood, or other natural disaster.
    • How to respond to a burglary or an office raid.
    • How to contact the organisations that provide services like electrical power, water and Internet access.
    • What steps to take if a device is lost or stolen.
    • Who should be notified if sensitive information is disclosed or misplaced.
    • How to recover information from your off-site backup system.
    • How to perform certain key emergency repairs.

    These policy documents should be stored securely, backed up regularly and reviewed periodically to ensure that they remain up-to-date.

    Protecting your information from physical intruders

    Malicious individuals seeking access to your sensitive information — or to the valuable hardware upon which that information is stored — represent a key physical threat. There are a number of steps you can take to help reduce the risk of physical intrusion. The categories and suggestions below are merely a foundation upon which you will have to build in accordance with your own physical security environment.

    Around your home or office

    Security considerations extend beyond the rooms and buildings within which you live and work. Below are a few suggestions to help you protect your data from threats in the surrounding area.

    • Get to know your neighbours. Depending on the security climate where you work, this may provide one of two opportunities. If you are lucky, your neighbours will become allies who can help you keep an eye on your home or office. If not, they will become another entry on the list of potential threats that you need to address.

    • Review how you secure the doors, windows and other points of entry that lead into your home or office.

    • Consider installing motion sensors or CCTV cameras around your office. This kind of surveillance has privacy implications for those who work in or near the building, but it can be an effective way to capture evidence of a burglary or an office raid, particularly if the cameras are configured to transmit video to an off-site location. These videos should of course be encrypted, both in transit and wherever they are stored.

    • Try to create a reception area where visitors can be met when they enter the office and a meeting room that is separate from your normal work space. (If you work out of your home, this might require that you move documents and equipment into a bedroom or some other private space when meeting with visitors.) Avoid leaving Ethernet or USB ports accessible from within these "public" areas of your office. This includes ports on devices like printers, monitors and projectors that are in locations where visitors might be left alone.

    • It is important that you set a strong passphrase on your wireless network so that others cannot join your network or monitor your traffic. If your WiFi relies on a weak password — or no password at all — anyone within range is a potential intruder. You may not think of this as physical security, but an attacker who is able to join your wireless network has the same access as one who is able to sneak into your office and connect an Ethernet cable. The precise steps required to secure a wireless network will depend on your access point, but you should look for a WPA2 password setting and, if necessary, review the Tactics Guide on how to create and maintain strong passwords.

    • When setting up your wireless network, consider giving it a name that does not clearly identify you, your organisation or the location of the access point.

    • Many access points allow you to create a separate WiFi network for guests. By doing so, you can give visitors access to the Internet without sharing your WiFi password or allowing them to access local devices when they are in range.

    • Be wary of any USB memory sticks you might find lying about. People are often tempted to plug random storage devices into their computers so they can look for clues as to who might have lost them. Unfortunately, such devices are a common source of malware. In some cases, they spread malware picked up from infected computers on which they have been used previously. In other cases, attackers create them intentionally and "drop" them near the home or office of a target organisation or individual.

    Inside your home or office

    Both criminals and politically motivated attackers may have reasons to target your data. They might be seeking financial information, sensitive data related to your work or personal details they can use to intimidate, blackmail or impersonate you. Criminal and political attacks are often difficult to distinguish, and attempts to obtain sensitive data often look like attempts to steal valuable hardware. Accordingly, it is important to take precautions both where you live and where you work.

    Below are a few recommendations on how to protect your data within your home or office.

    • If you live with other people or share an office with another organisation, talk to them about security. Try to determine what behaviours you can expect from one another and from visitors.

    • Consider purchasing a laptop safe or a locking cabinet for sensitive documents and equipment.

    • Find out what legal protections you have against law enforcement personnel, landlords and others who might try to enter your home or office.

    • Avoid running Ethernet cables outside the building to prevent those without keys from tampering with them when the building is empty.

    • If possible, lock networking equipment like servers, routers, switches and modems inside a secure room or cabinet. An intruder with physical access to such equipment can install malware capable of stealing data in transit or attacking other computers on your network.

    • Most desktop computer cases have a slot where you can attach a padlock that will make it difficult for anyone without a key to get inside. You should consider this feature when purchasing hardware.

    • Use locking security cables, where possible, to prevent intruders from stealing desktop and laptop computers.

    • We are often surrounded by equipment that we think of as televisions, cameras, phones, printers, video game consoles and other Internet of Things (IoT) devices. On some level, all of these "things" are computers, and they come with many of the same risks. Simple, physical habits — like covering camera lenses and unplugging "smart devices" when they are not in use — can sometimes help. But you should always think twice before connecting new equipment to your home or office network.

    At your desk or workstation

    There are a number of good security habits that pertain to the specific location where you work.

    • Position your computer screen to prevent others from reading what is displayed there. When doing so, remember to account for windows, open doors, visitor waiting areas and other such considerations.

    • Consider purchasing privacy filters for your devices. Privacy filters make it difficult to read a screen unless it is directly in front of you. They are available for laptops, external monitors, tablets and smartphones.

    • If you work with paper documents or leave physical notes for yourself, be conscious of what information is accessible at your desk. Paper calendars, planners, journals, address books and sticky notes are refreshingly immune to malware, but they are also impossible to encrypt. If they are stolen, copied or photographed, they can reveal extremely sensitive information.

    In public spaces

    Few people work exclusively in their homes and offices. Below are a few suggestions related to working in public spaces:

    • Avoid using laptops, tablets and mobile phones in public spaces unless you have reason to believe they are safe. And try to avoid putting such devices on display when you are not using them. Consider carrying your laptop in something that does not look like a laptop bag.

    • Keep your mobile devices, including your laptop, with you at all times when travelling or staying in a hotel. Consider travelling with a security cable and practice finding workspaces near objects to which you can attach one. Thieves often exploit meal times and restroom visits to steal unattended equipment from hotel rooms and cafes, respectively.

    • When working in public, it is even more important that you take care to position your screen so that others cannot read it. If you often work in public, you should buy privacy filters for the devices you use.

    • Public spaces often have insecure wireless networks. Even when a strong WiFi password has been set, other people on the same network have the ability to monitor your Internet activity and read the unencrypted data you send and receive. When working in an environment like this, you should use a virtual private network (VPN) or the Tor Browser to prevent these attacks. You can learn more about these tools in the Tactics Guide on how to remain anonymous and bypass censorship on the Internet.

    Software and settings related to physical security

    Below are a few suggestions on how to configure your software to make it less vulnerable to physical threats. You can find more information about these topics in the appropriate Tool and Tactics guides:

    • Make sure that, when you restart your computer, it asks you for a password. See the Basic Security Tool Guides for Windows and Linux for more detail. Choose a strong password, as discussed in the Tactics Guide on how to create and maintain strong passwords.

    • Encrypt the storage on all of your computers, tablets and smartphones. For additional information, see the Tactics Guides on how to protect the sensitive files on your computer and on how to use smartphones as securely as possible.

    • If you run any servers in your office, work with whoever maintains them to ensure that the information they contain will be encrypted if they are turned off or unplugged.

    • Get in the habit of locking your screen whenever you step away from your computer. Windows, Mac and Linux computers all have keyboard shortcuts that allow you to do this quickly and easily.

    • Enable the lock screen on your smartphone so that people with physical access to your device cannot easily see its contents.

    • There are a few settings in your computer's BIOS that are relevant to physical security. First, you should configure your computer so that it will not boot from the USB device, CD-ROM or DVD drives. Second, you should set a password on the BIOS itself, so that an intruder can not simply undo the above configuration. As always, be sure to choose a strong password.

    • If you rely on a password manager to remember the login and BIOS passwords for a particular computer, as discussed in the Tactics Guide on how to create and maintain strong passwords, make sure you keep a copy of that password database on a different device. Otherwise you might lock yourself out.

    • If your smartphone, tablet or laptop has a "Find my Device" feature, consider activating it so that you can locate the device or remotely wipe its contents should it be lost, stolen or confiscated.

    Maintaining a healthy environment for your equipment

    Computers, networking equipment and data storage devices can be quite delicate. The same is true of CCTV cameras, printers, "smart devices" and other hardware we install in and around our homes and offices. Devices like this do not always adapt well to unstable electrical power, extreme temperatures, dust, moisture, mechanical stress and other such hazards.

    Electrical fluctuations like power surges, blackouts and brownouts can cause physical damage to computers and other digital devices by harming electronic components or destroying data on hard drives. There are a number of things you can do to protect your equipment from these threats:

    • At a minimum, all electronics should be plugged into surge protectors. Not all power strips contain surge protectors, so you should check for this when outfitting your home or office. A surge protector should specify a maximum voltage and list a rating in Joules. If your power supply is particularly unstable, you might also need a power filter or a line conditioner.

    • If you can afford them, consider installing Uninterruptible Power Supplies (UPSs) and using those instead of regular surge protectors. A UPS will stabilise your power supply and provide temporary power in the event of a blackout. They are particularly valuable for local servers and desktop computers that lack internal batteries.

    • Try to use electrical sockets and plugs that have ground lines. When moving into a new building, try to test the power supply before plugging in important equipment. If it behaves poorly with lamps, lights and fans, you might want to think twice before using it to power your computers.

    Irregular power is just one of many environmental threats you should consider when setting up shop. Below are a few additional suggestions:

    • Avoid placing important hardware in easily accessible locations like hallways and reception areas or next to windows. Position surge protectors, UPSs, power strips and extension cables where they will not be unplugged or powered off by an accidental misstep.

    • When you find yourself with access to high-quality computer cables, surge protectors and power strips, consider picking up a few extras. Sparking power strips that fall out of wall sockets and fail to hold plugs securely are quite common in some parts off the world. They are also quite dangerous (even before people start "fixing" them with duct tape).

    • If you keep a running computer inside a cabinet, make sure it has adequate ventilation to prevent it from overheating. Computer equipment should not be housed near radiators, heating vents, air conditioners or other ductwork.

    Further reading