Physically Protecting Information at Work

GuardPhysically Protecting Information at Work

Physical information security is the physical, rather than electronic, protection of information and access to that information. A lot of information security is focused on protecting information from a systems, network or software perspective, but we must not forget to physically protect information as well. All too often, information is easily compromised by unauthorized personnel taking advantage of weak physical security. This article outlines some key ways you can help physically protect information at work.



IDbadgeIdentity Badge

Your identity badge identifies you as a company worker and helps distinguish you from unauthorized personnel. It may also be used to control access within your company premises.


  • Visually display your ID badge at all times when on company premises and challenge anyone not displaying a company issued ID badge.
  • Remove your badge when off company premises, so you are not publicly advertising your identity or who you work for.
  • Look after your badge and protect it from loss or theft. If your badge is lost or stolen, report it immediately.
  • Never lend your badge to anyone else. You could be giving them access to areas that they shouldn’t have access to, and you will be held accountable.


accessAccess Control

Doors or access points are a key area of physical security and the most vulnerable point in a company premises. A locked door is just as important for protecting information physically as a firewall is for protecting information on a network.


  • Never leave secure doors open, even if you are leaving for only a short time.
  • Be aware of people coming through the doors behind you. This is known as ‘tailgating’ and is a commonly used tactic for gaining access.
  • Never hold doors open for people that you don’t know. This goes against typical human politeness, which is precisely why it’s an effective way to gain entry.
  • Be vigilant and watch for individuals gaining access through other vulnerable access points such as fire exits, delivery/loading docks and windows.
  • Ensure systems and network infrastructure are protected in a secure location, with extremely restricted access.



It is common to have visitors at work, but remember that they do not work for the company and therefore, their access must be appropriately restricted. They should not be afforded the same level of trust as company workers.


  • Your visitors are your responsibility at all times whilst they are on the premises. This includes during an emergency.
  • All visitors should be registered, and signed-in on arrival and out at departure.
  • All visitors should be provided with a clearly marked visitor identity badge which you must ask them to wear at all times and return when they leave.
  • Visitor access must be limited to only the areas they need and should be accompanied at all times when on company premises. Never leave visitors unattended in secure or restricted areas.
  • Delivery persons should never be given access beyond the delivery area or office reception


SocialEngSocial Engineers

Social engineering may be used by an individual to trick or manipulate workers into providing them with access into company premises, in order to obtain sensitive company information or for malicious intent.


  • Be vigilant and aware of the social engineering risk at all times. Social engineers are masters of disguise and manipulation.
  • Always verify the identity of anyone that turns up requesting access unexpectedly – no matter how legitimate they may look or sound.
  • Watch out for workers using the ‘I forgot my badge’ excuse – no badge, no entry. All workers who forget their badge must obtain a temporary one from company security.
  • If a smoker; do not be fooled by a stranger sparking up a conversation over a cigarette, then following you back into the building. All workers and visitors must display a company issued identity badge.


deskClear Desk

Physical information security is not just about protecting unauthorized individuals from accessing a company facility, it must also be enforced inside the company premises. It is important to maintain a desk or workspace that is clear of any sensitive information, to prevent fellow workers, contractors or visitors from accessing it. 

  • When leaving a desk or workspace unattended, ensure all sensitive information is locked away and your computer screen is locked with a password.
  • If you must leave a laptop unattended, ensure it is physically secured with a cable lock.
  • Do not leave any valuables or personal items lying around. Theft from inside an office is unfortunately, extremely common.
  • All unwanted paper-based information must be securely disposed of (i.e. shredded)
  • Any sensitive company information stored on physical media (i.e. CD, DVD, USB Storage) must be encrypted.


photocopyFaxing, Printing and Copying Sensitive Information

Care should be taken if sensitive information is faxed or printed. Faxing is not a secure method of communication and faxing sensitive information should be avoided where possible. Fax machines, printers and copiers should be located in a secure area.


  • Always collect your print-outs from the printer as soon as they are printed. If they are left lying around, anyone can (and will) pick them up or read them.
  • Do not leave the photocopier unattended whilst copying sensitive information, no matter how many pages you are copying.
  • When faxing sensitive information; always use a cover sheet and stand by the machine while the fax goes through. Call the recipient immediately after sending to ensure the fax was received.
  • When leaving the printer, copier or fax machine, ensure you have collected all original documents and there is no sensitive information lying around. Ensure all unwanted information is securely disposed of (i.e. shredded).


ReportReporting Incidents or Concerns

It is important to report any physical security concerns or incidents, no matter how trivial they may seem. Reporting a concern could prevent a larger incident or information security breach from occurring. Additionally a number of smaller reported concerns could help identify a much larger concern or incident. 

  • Immediately report any suspicious individuals or activity to company security or your manager.
  • If you are thinking ‘perhaps I should report that’, then yes, you should.


Tagged as: ,

Leave a Response