Like many of you, I’ve been closely following the situation in Afghanistan. There’s a lot to be concerned about, but an immediate concern is the risk of reprisals against local Afghans who have worked for foreign organisations (governments, military forces, companies or NGOs). While evacuations continue, with the Taliban controlling the streets surrounding the airport, it’s too dangerous for many people to move. As a result, the likely scenario is that many people eligible for evacuation will be left in the country and will have to fend for themselves.
Although the situation in Afghanistan is particularly acute, the situation isn’t entirely unique. Sudden shifts in power can catch foreign organisations and their local staff by surprise, leaving them scrambling to guarantee continued security as the power dynamics shift around them. The coup in Myanmar and the introduction of the National Security Law in Hong Kong are other examples of major situational shifts that can suddenly leave specific groups of people exposed to risk.
Leveraging a combination of digital tools and door-to-door searches, those now in power may decide to target specific groups to either seek retribution or stop dissent. People who have worked with foreigners, journalists, members of certain political parties, human rights advocates, activists, scholars, or specific ethnic groups may be at serious risk.
While organisations may secure their offices and implement other security measures in response to a shift in the security environment, they may find their Achilles’ heel is the security of information. If threat groups are able to access this information, they can use it to target individuals and groups. Potentially with devastating effect.
Imagine if Pol Pot and the Khmer Rouge had access to tools like Facebook and LinkedIn.
If your organisation is working in a country characterised by a volatile political and security situation, and you’re hiring local people, then you have a responsibility to assure their safety and security. To do that, you’ll need to think well ahead and plan for worst-case scenarios.
Information is everywhere
As an organisation hires local employees, it will build up a sizeable amount of information about those employees. As a start point, such information could include CVs, application forms, contracts, pay slips and expense claims. Beyond formal documentation, international team members may take photos with local staff and post these photos on the organisation’s website and in social media feeds.
Local team members will also generate information. Local team members may be justifiably proud of the fact they are working with an international organisation. They will tell their family and friends. They might also want to take photos with the international team, and then share these photos with their friends and relatives, and on social media. The organisation may give local team members gifts with the organisational name and logo, or training certificates, which they’ll proudly display in their homes.
Then there will be information generated in the day-to-day running of operations. Messages, emails and different types of documents. Probably lots of them.
If the security situation suddenly shifts, the collective physical and digital history of the relationship between an organisation and it’s local employees will be difficult — if not impossible — to erase. Social media is a highly persistent medium.
Establish security procedures from the start
The best way to approach information security in higher-risk locations is to establish sound policies and procedures from the start. It’s way too late to start cleaning up information when the government collapses and as all people can focus on is trying to withdraw their savings from the bank and taking care of their families.
Below are some recommendations regarding how to protect local employees from sudden changes in the political situation that may leave them exposed. Not all of these will apply in all contexts, so you’ll need to evaluate each recommendation to determine whether it’s appropriate to your situation.
The key is that these recommendations are designed to be implemented from the get-go. It’s difficult to make substantive changes to security — and to the mindsets necessary to achieve security — once you’ve been on the ground for a few months or more.
1. Give local employees a work phone
Instruct your employees to use this phone for work purposes only, and not to use their personal phone for work. By doing this, you’ll be able to establish a basic level of compartmentalisation, which is a fundamental security principle. Providing an additional phone also ensures each employee has a backup phone in case of emergency.
2. Only collect information you need
Collect the bare minimum of information when hiring and managing local staff. Where possible, sight documents and mark them off on a form rather than retaining copies of passports or identification cards, certificates et cetera. At no time should you collect information relating to political affiliations, ethnicity, or sexual orientation. Such information could be used to target individuals. If you need to collect information on family members and home addresses, ensure this information is in digital format and is appropriately secured.
3. Control the use of uniforms or identity badges
If your local employees wear a uniform, or any article of clothing with organisational names or logos, it may be good practice for them not to take uniforms home or wear them outside of a secure work environment. Similarly, you should ensure ID badges are not visibly worn outside the workplace (they may still need to be carried for identification purposes). Be mindful of what information is included on ID badges. As a guide, only include the essential information necessary to achieve the security objective, without compromising the safety of individuals. Consider the impact if an ID badge is found on an individual at a checkpoint, or if it is lost somewhere outside the office. Establish a procedure so that ID badges can be quickly collected, accounted for and destroyed. Any software or records used to generate the ID badges should also be able to be deleted or destroyed.
4. Establish clear guidelines for photography
In some contexts, it may be good policy to restrict taking photos of team members and work areas. Alternatively, you may allow photography but ask team members not to share the photos or post them on social media.
5. Consider giving local employees cover stories to tell their friends and family
While your local employees may not be able to completely conceal the fact that they work for your organisation, perhaps a simple cover story will enable them to downplay their role. For example, someone on your protection team may just tell people he’s been hired as a driver.
6. Limit information sharing
Limit the sharing of information to only what people need to know. The objective here is to limit the extent of the damage one person can do if they are coerced (or they volunteer) to provide information to a threat group. I fully recognise that there is a fine line here between being inclusive with local employees and creating a form of separation. The test here is to ask the question: ‘if this employee provided this information to the authorities (or other group), could it be used to harm their colleagues?’ A simple example of this principle in practice would to enforce a complete separation between teams in different localities. For example, local team members working in one province should not know the identities of local team members working in another province. The same rules should apply with international staff — they should also be clear regarding what information they need to protect and why.
7. Protect employee records
Ensure that employment contracts, pay slips, expense reports, and any other documents that can be associated with local employees are protected. Ideally, digitise documents and store them in a secure repository with restricted access. If someone breaks into your office (or residence), they should not be able to find any document that compromises the safety of local employees. Documents that link names, addresses and contact information are particularly sensitive. Minimise what information is included on forms and reports. For example, pay slips probably don’t need to include employee home addresses or contact numbers. If it’s possible to do so, use employee numbers instead of names on key documents, and maintain a secure register that associates names and employee numbers. Avoid hard copy documents where possible. If you need to have hard copy documents, have a plan in place to be able to quickly and easily access these documents and destroy them. When you make this plan, consider the impact of movement restrictions (you may not be able to get to your office in time to get the documents and destroy them). Another factor to consider is that local employees may need proof of employment if they want to apply for a visa to leave the country. You’ll therefore need to be able to access records on request to provide these documents.
8. Provide training in digital security
If you want your employees to follow certain procedures, you’ll need to provide training in those procedures. Similarly, if you require employees to use specific applications for communication, you’ll need to provide training in how to set up and use those applications. Training should align with the practical realities on the ground, and should focus on compartmentalisation and effective security hygiene.
9. Establish a shutdown protocol
If things hit the fan, don’t just vanish into the night and leave your local staff turning up to an empty office and an uncertain future. Ensure local staff understand up front that the situation is tenuous, and operations may need to stop with minimal or no notice. The shutdown protocol should include procedures to sanitise the office, destroy all documents, and either recover or destroy computer hardware. The protocol should also include procedures to sanitise devices (you may wipe devices and restore them to factory settings, or you may destroy them) and clean up social media profiles. Of course, if good compartmentalisation and security hygiene has been maintained, there shouldn’t be too much to clean up.
Also, as part of your shutdown plan ensure you have a supply of cash on hand for contingencies and to pay local staff. For your local staff, a good cash severance payout won’t be the same as having a job, but it may just be enough to help them get through the current situation.
When considering implementing security procedures, don’t assume that the local people you’re working with understand specific security concepts, particularly relating to digital security (to be fair, many international staff will not understand these concepts either). At the same time, you may find your local staff are intuitively good at many aspects of security. In fact, that may be the very reason they’ve survived until now. It may be possible to adapt some hard-learned local practices into your security planning.
The elephant in the room here is the evacuation of local staff if the security situation escalates. While I’m tempted to get into the issue of evacuation here, I’m going to hold off for the moment. Once the dust settles on the current evacuations out of Kabul, I may post some thoughts.
As we’re seeing as the situation unfolds in Kabul, extracting local staff from a country in crisis is a complex and challenging problem. Aside from the obvious moral and ethical considerations, there are also some basic factors that make evacuation difficult. For example, there’s no guarantee that your local employees will have passports. In addition, you’ll never just be faced with the need to evacuate your local employees. You’ll also need to be prepared for the fact that your local employees will also want to evacuate immediate family, extended family and friends. (To be clear, there’s nothing wrong with people wanting this. Faced with a similar situation, you and I would want the same).
If you’re interested, I’ve written a two-volume series on security evacuations. Chapter 4 of Volume I explores the complexities of evacuating local staff. Chapter 2 of Volume I focuses on government evacuations (which I can see myself needing to update in the next few months based on what’s happening in Afghanistan).
To wrap up, if you’re working with local staff in higher-risk and volatile environments, your organisation has a moral obligation to do all it can to protect the safety of its local team members. Think ahead and determine what could endanger the safety of your employees and their families should there be a sudden shift in the political or security situation. Before you hire a single local person, develop a plan for when you leave the country (even if at that time you may not see any imperative to leave). In that plan, make sure your local employees are not going to be adversely impacted by the fact they’ve worked for your organisation. Set realistic expectations by sharing your concerns about the situation with local employees. Engage them in the process of developing sound security procedures that will assure they are protected if the situation deteriorates. This approach builds confidence and reduces the risk of fumbling the ball if the situation suddenly changes.
There will be a lot of lessons to be learned from what has happened in Afghanistan. Let’s hope we do actually learn these lessons and apply them in current and future projects.
Grant is the founder of Spartan9. He assists organisations to intelligently navigate risk in higher-risk environments.