Protect your information from physical threats
No matter how much effort you have put into building a digital barrier around your computer, you could still wake up one morning to find that it, or a copy of the information on it, has been lost, stolen, or damaged by any number of unfortunate accidents or malicious acts. Anything from a power surge to an open window to a spilt cup of coffee might lead to a situation in which all of your data are lost and you are no longer able to use your computer. A careful risk assessment, a consistent effort to maintain a healthy computing environment and a written security policy can help avoid this type of disaster.
What you can learn from this guide
- More about a few of the physical threats to your computer and to the information stored on it
- How best to secure computer equipment against some of these threats
- How to create a healthy operating environment for computers and network equipment
- What to consider when creating a security plan for the computers in your office
Introduction to physical security
Shingai and Rudo are an elderly married couple with many years of experience helping the HIV-infected population of Zimbabwe maintain access to proper medication. They are applying for a grant to purchase new computers and network equipment for their office. Since they live in a region that is quite turbulent, in terms both of politics and of infrastructure, they and their potential funders want to ensure that their new hardware will be safe, not only from hackers and viruses, but also from confiscation, thunderstorms, electrical spikes and other such disasters. They ask Otto, a local computer technician, to help them devise a plan of action to strengthen the physical security of the computers and network hardware they plan to buy if their grant application is successful.
Assessing your risks
Many organisations underestimate the importance of keeping their offices and their equipment physically secure. As a result, they often lack a clear policy describing what measures they should take to protect computers and backup storage devices from theft, severe weather conditions, accidents, and other physical threats. The importance of such policies may seem obvious, but formulating them properly can be more complicated than it sounds. Many organisations, for example, have good quality locks on their office doors, and many even have secure windows; but if they do not pay attention to the number of keys that have been created, and who has copies of those keys, their sensitive information remains vulnerable.
Shingai: We want to put a brief summary of our security policy into this grant application, but we also need to make sure the policy itself is thorough. What should we include in it?
Otto: I'm afraid I can't recommend a one-size-fits-all solution to the challenge of physical security. The specifics of a good policy almost always depend on a particular organisation's individual circumstances. Here's a piece of general advice, though: when you're trying to come up with a plan, you need to observe your work environment very carefully and think creatively about where your weak points might be and what you can do to strengthen them.
When assessing the risks and vulnerabilities that you or your organisation face, you must evaluate several different levels at which your data may be threatened.
Consider the communication channels you use and how you use them. Examples might include paper letters, faxes, landline phones, mobile phones, emails and Skype messages.
Consider how you store important information. Computer hard drives, email and web servers, USB memory sticks, external USB hard drives, CDs and DVDs, mobile phones, printed paper and hand-written notes are all likely possibilities.
Consider where these items are located, physically. They could be in the office, at home, in a trash bin out back or, increasingly, 'somewhere on the Internet.' In this last case, it might be quite challenging to determine the particular piece of information's actual, physical location.
Keep in mind that the same piece of information might be vulnerable on many different levels. Just as you might rely on anti-virus software to protect the contents of a USB memory stick from malware, you must rely on a detailed physical security plan to protect the same information from theft, loss or destruction. While some security practices, such as having a good off-site backup policy, are helpful against both digital and physical threats, others are clearly more specific.
When you decide whether to carry your USB memory stick in your pocket or sealed in a plastic bag at the bottom of your luggage, you are making a decision about physical security, even though the information you are trying to protect is digital. As usual, the correct policy depends greatly on the situation. Are you walking across town or travelling across a border? Will somebody else be carrying your bag? Is it raining? These are the sorts of questions that you should consider when making decisions like this.
Protecting your information from physical intruders
Malicious individuals seeking access to your sensitive information represent one important class of physical threat. It would be a mistake to assume that this is the only such threat to the security of your information, but it would be even more shortsighted to ignore it. There are a number of steps you can take to help reduce the risk of physical intrusion. The categories and suggestions below, many of which may apply to your home as well as your office, represent a foundation upon which you should build in accordance with your own particular physical security situation.
Around the office
Get to know your neighbours. Depending on the security climate in your country and in your neighbourhood, one of two things may be possible. Either you can turn them into allies who will help you keep an eye on your office, or you can add them to the list of potential threats that your security plan must address.
Review how you protect all of the doors, windows and other points of entry that lead into your office.
Consider installing a surveillance camera or a motion-sensor alarm.
Try to create a reception area, where visitors can be met before they enter the office, and a meeting room that is separate from your normal work space.
In the office
Protect network cables by running them inside the office.
Lock network devices such as servers, routers, switches, hubs and modems into secure rooms or cabinets. An intruder with physical access to such equipment can install malware capable of stealing data in transit or attacking other computers on your network even after he leaves. In some circumstances it may be beneficial to hide servers, computers or other equipment in attics, over a fake ceiling, or even with a neighbor, and use them through a wireless connection.
If you have a wireless network, it is critical that you secure your access point so that intruders cannot join your network or monitor your traffic. If you are using an insecure wireless network, anyone in your neighbourhood with a laptop becomes a potential intruder. This is an unusual definition of 'physical', but it helps to consider that a malicious individual who can monitor your wireless network has the same access as one who can sneak into your office and connect an ethernet cable. The steps required to secure a wireless network will vary, depending on your access point hardware and software, but they are rarely difficult to follow.
At your work
You should position your computer screen carefully, both on your desk and when you are away from the office, in order to prevent others from reading what is displayed there. In the office, this means considering the location of windows, open doors and the guest waiting area, if you have one.
Most desktop computer cases have a slot where you can attach a padlock that will prevent anyone without a key from getting inside. If you have cases like this in the office, you should lock them so that intruders cannot tamper with their internal hardware. You might also consider this feature when purchasing new computers.
Use a locking security cable, where possible, to prevent intruders from stealing the computers themselves. This is especially important for laptops and small desktops that could be hidden inside a bag or under a coat.
Software and settings related to physical security
Make sure that, when you restart your computer, it asks you for a password before allowing you to run software and access files. If it does not, you can enable this feature in Windows by clicking on the Start menu, selecting the Control Panel, and double-clicking on User Accounts. In the User Accounts screen, select your own account and click Create a Password. Choose a secure password, as discussed in our guide How to create and maintain good passwords, enter your password, confirm it, click Create Password and click Yes, Make Private.
There are a few settings in your computer's BIOS that are relevant to physical security. First, you should configure your computer so that it will not boot from USB devices or from CD-ROM or DVD drives. Second, you should set a password on the BIOS itself, so that an intruder cannot simply undo the previous setting. Again, be sure to choose a secure password.
If you rely on a secure password database, as discussed in our guide How to create and maintain good passwords, to store your Windows or BIOS passwords for a particular computer, make sure that you do not keep your only copy of the database on that computer.
Get in the habit of locking your account whenever you step away from your computer. On Windows, you can do this quickly by holding down the Windows logo key and pressing the L key. This will only work if you have created a password for your account, as described above.
Encrypt sensitive information on computers and storage devices in your office. See our guide How to protect the sensitive files on your computer for additional details and pointers to the appropriate Hands-on Guides.
Rudo: I'm a bit nervous about messing around in BIOS. Can I break my computer if I do something wrong?
Otto: You sure can, at least for a little while. In fact, the settings that you might want to change are pretty simple, but the BIOS screen itself can be a little intimidating, and it is possible to leave your computer temporarily unable to start if you do something wrong. In general, if you're uncomfortable working in BIOS, you should ask someone with more computer experience to help you out.
Keep your laptop, your mobile phone and other portable devices that contain sensitive information with you at all times, especially if you are travelling or staying at a hotel. Travelling with a laptop security cable is a good idea, although it is sometimes difficult to find an appropriate object to which you can attach one. Remember that meal times are often exploited by thieves, many of whom have learnt to check hotel rooms for laptops during hours of the day when they are likely to be unattended.
If you have a laptop, tablet or other mobile device, try to avoid putting them on display. There is no need to show thieves that you are carrying such valuable hardware or to show individuals who might want access to your data that your shoulder bag contains a hard drive full of information. Avoid using your portable devices in public areas, and consider carrying your laptop in something that does not look like a laptop bag.
Maintaining a healthy environment for your computer hardware
Like many electronic devices, computers are quite sensitive. They do not adapt well to unstable electricity supplies, extreme temperatures, dust, high humidity or mechanical stress. There are a number of things you can do to protect your computers and network equipment from such threats:
Electrical problems such as power surges, blackouts and brownouts can cause physical damage to a computer. Irregularities like this can 'crash' your hard drive, damaging the information it contains, or physically harm the electronic components in your computer.
If you can afford them, you should install Uninterruptible Power Supplies (UPSs) on important computers in your office. A UPS stabilises electricity supply and provides temporary power in the event of a blackout.
Even where UPSs are deemed inappropriate or too costly, you can still provide power filters or surge protectors, either of which will help protect you from power surges.
Test your electrical network before you connect important equipment to it. Try to use power sockets that have three slots, one of them being a 'ground line', or 'earth'. And, if possible, take a day or two to see how the electrical system in a new office behaves when powering inexpensive devices, such as lamps and fans, before putting your computers at risk.
To defend against accidents in general, avoid placing important hardware in passages, reception areas or other easily accessible locations. UPSs, power filters, surge protectors, power strips and extension cables, particularly those attached to servers and networking equipment, should be positioned where they will not be switched off by an accidental misstep.
If you have access to high-quality computer cables, power strips and extension cables, you should purchase enough to serve your entire office and pick up a few extras. Power strips that fall out of wall sockets, fail to hold plugs securely and spark constantly are more than just annoying. They can be quite damaging to the physical security of any computers attached to them. They can also lead frustrated users to secure their loose computer cables to a sparking power strip with tape, which creates an obvious fire hazard.
If you keep any of your computers inside cabinets, make sure they have adequate ventilation, or they might overheat.
Computer equipment should not be housed near radiators, heating vents, air conditioners or other ductwork.
Creating your physical security policy
Once you have assessed the threats and vulnerabilities that you or your organisation face, you must consider what steps can be taken to improve your physical security. You should create a detailed [security policy](/en/glossary#Security_policy) by putting these steps in writing. The resulting document will serve as a general guideline for yourself, your colleagues and any newcomers to your organisation. It should also provide a checklist of what actions should be taken in the event of various different physical security emergencies. Everybody involved should take the time to read, implement and keep up with these security standards. They should also be encouraged to ask questions and propose suggestions on how to improve the document.
Your physical security policy may contain various sections, depending on the circumstances:
- An office access policy that addresses the alarm systems, what keys exist and who has them, when guests are allowed in the office, who holds the cleaning contract and other such issues
- A policy on which parts of the office should be restricted to authorized visitors
- An inventory of your equipment, including serial numbers and physical descriptions
- A plan for securely disposing of paper rubbish that contains sensitive information
- Emergency procedures related to:
  - Who should be notified if sensitive information is disclosed or misplaced
  - Who to contact in the event of a fire, flood, or other natural disaster
  - How to perform certain key emergency repairs
  - How to contact the companies or organizations that provide services such as electrical power, water and Internet access
  - How to recover information from your off-site backup system. You can find more detailed backup advice in our guide How to recover from information loss.
Your security policy should be reviewed periodically and modified to reflect any policy changes that have been made since its last review. And, of course, don't forget to back up your security policy document along with the rest of your important data. See the Further reading section for more information about creating a security policy.
Further reading
- For additional information on assessing risks, see the 1.2 Security Awareness and 1.3 Threat Assessment sections of the Digital Security and Privacy for Human Rights Defenders book.
- For a more detailed explanation of how to set a BIOS password, see the 2.1 Windows Security chapter in the Digital Security and Privacy for Human Rights Defenders book.
- For guidelines on creating a security policy, see 4. Case Study 1 in the Digital Security and Privacy for Human Rights Defenders book.
- See also the Protection Manual and Protection Handbook for Human Rights Defenders.