3. Device & Endpoint Security

Laptops, phones, USB drives, updates and travel.

Your device is your perimeter

For an NGO, "the perimeter" is no longer the office network — it is each staff laptop and phone, anywhere in the world. Securing devices well covers most realistic scenarios.

Three controls that pay for themselves

Full-disk encryption: FileVault (macOS), BitLocker (Windows Pro), LUKS (Linux). On phones, ensure a strong passcode and that encryption is active (default on modern iOS and Android).
Automatic security updates for OS, browser and key apps. Restart promptly when prompted.
A non-administrator account for daily work; use an admin account only for software installation and configuration.
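
Added example (not part of the original course material): a POSIX shell audit of the three controls above on macOS or Linux. It assumes FileVault or LUKS for disk encryption and, on Linux, a Debian/Ubuntu system using APT unattended upgrades; Windows/BitLocker is not covered, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit this page's three controls on macOS or Linux.
# Each check_* function takes captured command output as $1, so the
# decision logic can be tested offline on constructed samples.

# Full-disk encryption. $1 = `fdesetup status` (macOS) or the device
# types under the root filesystem from `lsblk -rsno TYPE` (Linux).
check_fde() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
  esac
  # LUKS: the root filesystem must sit on a dm-crypt ("crypt") mapping.
  printf '%s\n' "$1" | grep -qx 'crypt'
}

# Automatic updates. $1 = the macOS AutomaticallyInstallMacOSUpdates
# preference, or full `apt-config dump` output (assumes Debian/Ubuntu).
check_updates() {
  case "$1" in
    1|*'APT::Periodic::Unattended-Upgrade "1"'*) return 0 ;;
  esac
  return 1
}

# Daily account. $1 = `id -Gn`; fail if it is in an admin-capable group.
check_daily_account() {
  for g in $1; do
    case "$g" in admin|sudo|wheel|root) return 1 ;; esac
  done
  return 0
}

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }

audit() {
  case "$(uname -s)" in
    Darwin) fde=$(fdesetup status 2>/dev/null)
            upd=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate \
                  AutomaticallyInstallMacOSUpdates 2>/dev/null) ;;
    *)      fde=$(lsblk -rsno TYPE "$(findmnt -nvo SOURCE /)" 2>/dev/null)
            upd=$(apt-config dump 2>/dev/null) ;;
  esac
  report check_fde "$fde"
  report check_updates "$upd"
  report check_daily_account "$(id -Gn)"
}

# Run the audit only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it from the account used for daily work; a FAIL on check_daily_account means that account can still install software or change system settings.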

Mobile devices

Phones are increasingly the primary work device for NGO staff. Treat them with the same seriousness as a laptop.

Set a 6+ digit passcode (or alphanumeric); avoid pattern-only unlock.
Install apps only from official stores; review permissions on each install.
Keep iOS/Android up to date — old versions have known, weaponized vulnerabilities.
Disable lock-screen previews for messages on sensitive accounts.

USB drives and external media

USB drives, SD cards and external disks from untrusted sources have repeatedly delivered malware in NGO environments. Treat any unknown device as hostile. If you absolutely must inspect contents, use a separate device with no sensitive data and an up-to-date OS.

Networks and Wi-Fi

Prefer your phone's personal hotspot over unknown public Wi-Fi for sensitive work.
When using public Wi-Fi, run a reputable VPN, especially on a device used for finance or admin access.
On the office router: change the default admin password, keep firmware updated, use a guest network for visitors.

Travel and border crossings

High-risk travel deserves its own checklist:

A clean travel device with the minimum data and accounts.
Full-disk encryption enabled, device powered off (not just locked) at borders.
Sign out of sensitive accounts before traveling; sign back in after arrival.
Know your local legal rights — and limits — around device inspections.

A stolen, unencrypted laptop with an active session is often a worse incident than a ransomware attack.