Unattended Electrical Devices and Key Management Risks

1. INTRODUCTION
The security and safety of any tertiary institution are not solely dependent on the presence of security personnel or the installation of surveillance equipment. They are equally shaped by the daily habits, routines, and vigilance of every office occupant within the institution. Two seemingly routine oversights, leaving electrical devices running after closing hours and placing keys to sensitive offices at a communal general office, have emerged as significant yet chronically underestimated threats to institutional security and safety.

This bulletin is to guide, and, to sensitise all office occupants on the serious security and safety implications of these lapses. It further provides actionable recommendations that every staff member must adopt to safeguard themselves, their colleagues, institutional assets, and the academic community at large.

PART ONE: UNATTENDED ELECTRICAL DEVICES IN OFFICES

When office occupants leave work at the end of a shift or at close of day without ensuring that electrical devices are properly switched off, they unknowingly expose the institution to a range of preventable hazards. Common examples of devices frequently left on include fluorescent and LED lighting, ceiling and standing fans, air conditioning units, desktop computers and monitors, phone chargers, printers, and multi-socket extension boards.

1.1 Safety Risks of Unattended Electrical Devices

(a) Fire Hazard
The most catastrophic risk associated with unattended electrical devices is fire. Electrical fires in institutional settings often originate from overheated equipment, faulty wiring, or devices left in operation without human supervision for extended periods. A malfunctioning air conditioner running overnight, or an overloaded extension board connected to multiple devices, can generate sufficient heat to ignite nearby combustible materials such as paper, curtains, and wooden furniture. In the context of an educational institution where offices contain books, student records, research documents, and archived administrative files, the destruction caused by such a fire may be irreversible.

(b) Electrical Overloading and Equipment Damage

Continuous operation of devices beyond their intended hours places undue stress on both the equipment and the building's electrical infrastructure. Air conditioning units, in particular, are designed with operational cycles in mind. Running them continuously for 12 to 16 hours through the night can lead to compressor failure, refrigerant leaks, and costly breakdowns. Similarly, computers left on overnight are exposed to potential power surges, especially in environments where the power supply is unstable, which can permanently damage hard drives and destroy unsaved academic or administrative data.

(c) Escalating Utility Costs
The cumulative financial cost of electricity consumed by unattended devices across multiple offices is substantial. A single air conditioning unit operating overnight consumes significant kilowatt-hours of energy. When multiplied across several offices over weeks and months, the financial burden on the institution is considerable, resources that could otherwise be invested in improving teaching facilities, security infrastructure, or student welfare services.

(d) Environmental Impact
Tertiary institutions have a responsibility to model sustainable practices for the next generation. Excessive and wasteful energy consumption contributes to a larger carbon footprint, undermining any institutional commitment to environmental stewardship. Office occupants who leave devices running unnecessarily are, in effect, participating in avoidable environmental degradation.

(e) Security Vulnerability Created by Active Devices

From a security standpoint, active devices create a false impression that an office is occupied. Lights left on in an office throughout the night can confuse security personnel conducting patrols, causing them to overlook the area under the assumption that a colleague is still present. More dangerously, in the event of a break-in, an intruder who notices that devices are active may deliberately access the office, knowing that data stored on running computers may be accessible without needing to bypass login screens, particularly if screensavers and auto-lock features have been disabled.

1.2 Recommended Solutions: Electrical Device Management

Core Principle:
No office should be locked and vacated with any electrical device left in operation, with the sole exception of equipment specifically designated and authorised for continuous operation by institution management

The following measures are strongly recommended to all office occupants:

Pre-Departure Checklist Discipline
Every office occupant must conduct a brief but thorough visual sweep of their office before locking and departing. This sweep must include checking that all lights are off, fans are switched off at the wall or pulled at the cord, air conditioning units are powered down at the remote and at the main socket, computers are properly shut down, phone chargers and other personal devices are unplugged, and all extension boards are switched off.

Adoption of Institutional Shutdown Checklists

The Security Department recommends that a standardised office shutdown checklist be placed behind the door of every office. Occupants should be required to tick and initial this checklist before leaving. Heads of Department and Unit Supervisors should periodically audit compliance with this requirement.

Installation of Occupancy-Based Controls

Where budget permits, the institution should consider installing motion-sensor lighting that automatically turns off when no movement is detected. Automatic timer switches for air conditioning units can also be configured to ensure all units shut down at a designated institutional closing hour.

Smart Power Strips and Socket Protectors

Smart power strips that automatically cut electricity to connected devices when the primary device (e.g., a computer) is powered off should be adopted across all offices. These strips prevent phantom load, the electricity consumed by devices in standby mode.

Security Patrols and After-Hours Checks

Security personnel conducting nightly patrols should include an active device audit as part of their patrol protocol. Where lights or other devices are observed to be operating in a locked office, the officer on duty should log this and notify the relevant occupant or their supervisor at the earliest opportunity.

Awareness and Training
Periodic sensitisation sessions on energy conservation and fire safety should be organised by the Security Department in collaboration with the institution's Estate or Maintenance Unit. New staff induction programmes should include a module on office safety compliance.

PART TWO: KEY MANAGEMENT: SENSITIVE OFFICE KEYS AT THE GENERAL OFFICE

A second and equally serious lapse observed within institutional office environments involves the practice of depositing keys to sensitive offices, including the offices of the Principal, Vice-Principal, Finance Officer, Registry, Examination Store, and other restricted areas, at the general or administrative office, while that general office itself is secured only by locking its main entrance. While this arrangement may appear to provide a measure of order, it introduces critical vulnerabilities from both a security and a data protection standpoint.

2.1 Security Threats Posed by Open Key Deposition

(a) Unauthorised Physical Access to Sensitive Areas

When keys to restricted offices are placed openly at a general office, whether hung on a hook board, placed in an unlocked drawer, or left on a desk, any person who gains access to that general office, whether through legitimate means during working hours or through unauthorised means after hours, effectively has the ability to access all the offices whose keys are held there. This includes the offices of senior management, financial records rooms, examination stores, and ICT server rooms. A determined intruder or internal bad actor needs only to breach one access point, the general office, to compromise the security of an entire building.

(b) Risk of Key Duplication
Unsupervised access to institutional keys creates an opportunity for unauthorised key duplication. A person with access to the general office, including cleaners, temporary staff, or visitors who are briefly left unattended, can remove a key, have it duplicated within a short time, and return it before the absence is noticed. This results in the institution having duplicates of its master or sensitive office keys in circulation without any knowledge of it, a situation that cannot be resolved without a comprehensive and costly rekeying exercise.

(c) Theft of Institutional Assets and Documents

Once a sensitive office is accessed by an unauthorised person, the potential for theft of valuable assets is significant. This includes institutional funds or petty cash, examination question papers and answer scripts, student academic records and transcripts, procurement and contract documents, computing devices and removable storage media containing confidential data, and official stamps and institutional letterheads that can be used fraudulently. The consequences of such theft extend far beyond the immediate material loss and can damage the institution's academic credibility, legal standing, and public reputation.

(d) Data Protection and Privacy Violations

From a data protection perspective, the open storage of keys to offices containing personal data, including student records, staff personnel files, and health information constitutes a failure to implement adequate physical access controls. This is inconsistent with data protection principles, which require that personal data be secured against unauthorised access through appropriate technical and organisational measures. An institution found to have inadequately secured the physical premises containing personal data may face regulatory scrutiny and reputational damage.

(e) Insider Threat Amplification
The practice of depositing all keys at a central unsecured location amplifies the risk posed by insider threats. An employee with a grievance, a disgruntled staff member who is aware of the key arrangement, or a person exploiting access during a busy period can compromise a sensitive office with minimal effort and a very low risk of detection. The centralisation of keys without robust access logging effectively removes accountability from the key custody process.

(f) False Sense of Security
Locking only the main entrance of the general office while sensitive keys remain accessible within gives management and staff a misleading confidence in the institution's physical security posture. This false sense of security is arguably more dangerous than no security measure at all, as it reduces vigilance and discourages further investment in proper physical access controls.

2.2 Recommended Solutions: Key Management

Core Principle:
The security value of a locked office is completely nullified if the key to that office is accessible to any person who enters the building. Physical access control must be applied at every layer, including the management and storage of keys themselves.

The following key management measures are recommended for immediate consideration and implementation:

Establish a Controlled Key Custody Register

A formal key custody register must be maintained for all institutional offices, particularly sensitive ones. This register should record the name of the key holder, the date and time of key collection, the date and time of key return, and the authorising officer. Any key removal or return outside of normal hours must require written authorisation.

Install a Secured Key Cabinet
All institutional office keys deposited at the general office must be stored in a lockable, wall-mounted key cabinet, not left in open drawers or on hook boards accessible to all visitors. The cabinet itself must have a separate access code or key, and only designated custodians should hold this access. The key cabinet should be positioned in a location not visible from public-facing areas of the general office.

Introduce Role-Based Key Access
Not every staff member needs access to keys for all offices. A role-based key access protocol must be developed whereby each staff member or department is only issued keys relevant to their official functions. The Finance Office key, for instance, should only be accessible to the Finance Officer or a designated deputy, not to the general office staff unless there is a documented emergency protocol.

Deploy Electronic Access Control Systems

For the most sensitive offices, including the examination store, ICT server room, Finance Office, and Principal's office, the institution should consider transitioning from physical key access to electronic access control systems such as PIN-pad entry, proximity card readers, or biometric access. These systems generate an automatic audit trail of every entry and exit, making it possible to review access history in the event of a security incident.

Strict After-Hours Key Management Protocol

No key to a sensitive office should remain at the general office after closing time. Offices whose occupants have gone off duty must have their keys taken home by the designated key holder or secured in a tamper-evident key safe accessible only to senior security or administrative personnel. A system of emergency contacts must be maintained for situations where after-hours access is required.

Visitor Access Management
During working hours, the general office must manage visitor access strictly. No visitor should be left unattended in the general office, particularly in proximity to key storage areas. A visitor log must be maintained and a staff member should be present at all times when the general office is open.

Periodic Key Audit
The Security Department, in collaboration with the institution's administration, must conduct quarterly key audits to verify that all keys are accounted for, that no unauthorised duplicates have been made, and that the key register accurately reflects current custody arrangements. Where any key is reported lost, the affected lock must be replaced immediately, not simply reported and deferred.

3. RISK AND SOLUTIONS SUMMARY

4. CONCLUSION
Security is not the exclusive responsibility of the Security Department. Every member of staff who occupies an office within this institution is a security actor. The decision to switch off a fan before leaving, to ensure a computer is properly shut down, or to deposit a key responsibly — these are acts of institutional security in the truest sense.

The threats discussed in this bulletin, fire, energy waste, data exposure, unauthorised access, and asset theft, are neither hypothetical nor distant. They are the product of everyday habits that, over time, create windows of opportunity for accidents, loss, and malicious exploitation. The Security Department urges all office occupants to internalise the recommendations in this advisory and to actively contribute to a culture of security awareness and personal responsibility.

It is far less costly to prevent a security or safety incident than to manage its aftermath. Institutional security begins with each individual; at the moment they lock their door and walk away. Let that moment always be preceded by diligence.

[

About The Author
Richard Beyemba Yorda is a Security Administration Professional and Certified Data Protection Officer (CDPO) serving in the Security Directorate of the University of Education, Winneba (UEW). He writes on Data Protection, Institutional Security, and Governance in the Ghanaian context.