While operational security, or OPSEC, has its origins in securing information important to military operations, it has applications across the business community today. In a commercial context, OPSEC is the process of denying hackers access to any information about the capabilities or intentions of a business by identifying, controlling, and protecting evidence of the planning and execution of activities that are essential to the success of operations. OPSEC is a continuous process that consists of five distinct actions.
- Identify information that is critical to your business.
- Analyze the threat to that critical information.
- Analyze the vulnerabilities to your business that would allow a cyber criminal to access critical information.
- Assess the risk to your business if the vulnerabilities are exploited.
- Apply countermeasures to mitigate the risk factors.
In addition to being a five-step process, OPSEC is also a mindset that all business employees should embrace. When employees educate themselves on OPSEC risks and methodologies, protecting sensitive information that is critical to the success of your business becomes second nature. An understanding of the following terms is required before the process can be explained.
- Critical information – Specific data about your business strategies and operations that cyber criminals need in order to hamper or harm the successful operation of your business.
- OPSEC indicators – Business operations and publicly available information that can be interpreted or pieced together by a cyber criminal to derive critical information.
- OPSEC vulnerability – A condition in which business operations provide OPSEC indicators that may be obtained and accurately evaluated by a cyber criminal to provide a basis for hampering or harming successful business operations.
Identify critical information. The identification of critical information is important in that it focuses the remainder of the OPSEC process on protecting vital information rather than attempting to protect all information relevant to business operations. Given that any business has limited time, personnel and money for developing secure business practices, it is essential to focus those limited resources on protecting information that is most critical to successful business operations. Examples of critical information include, but should not be limited to, the following:
- Customer lists and contact information
- Patents and intellectual property
- Leases and deeds
- Policy manuals
- Articles of incorporation
- Corporate papers
- Laboratory notebooks
- Audio tapes
- Video tapes
- Photographs and slides
- Strategic plans and board meeting minutes
Importantly, what is critical information for one business may not be critical for another business. Use your company’s mission as a guide for determining what data are truly vital.
Analyze threats. This action involves research and analysis to identify likely cyber criminals who may attempt to obtain critical information regarding your company’s operations. OPSEC planners in your business should answer the following critical information questions.
- Who might be a cyber criminal (e.g. competitors, politically motivated hackers, etc.)?
- What are the cyber criminal’s goals?
- What actions might the cyber criminal take?
- What critical information does the cyber criminal already have on your company’s operations? (i.e., what is already publicly available?)
Analyze vulnerabilities. The purpose of this action is to identify the vulnerabilities of your business in protecting critical information. It requires examining each aspect of security that seeks to protect your critical information and then comparing those indicators with the threats identified in the previous step. Common vulnerabilities for small businesses include the following.
- Poorly secured mobile devices that have access to critical information.
- Lack of policy on what information and networked equipment can be taken home from work or taken abroad on travel.
- Storage of critical information on personal email accounts or other non-company networks.
- Lack of policy on what business information can be posted to or accessed by social network sites.
Assess risk. This action has two components. First, OPSEC managers must analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures to mitigate each one. Second, specific OPSEC measures must be selected for execution based upon a risk assessment done by your company’s senior leadership. Risk assessment requires comparing the estimated cost associated with implementing each possible OPSEC measure to the potentially harmful effects on business operations resulting from the exploitation of a particular vulnerability. OPSEC measures may entail some cost in time, resources, personnel, or interference with normal operations. If the cost to achieve OPSEC protection exceeds the cost of the harm that an intruder could inflict, then the application of the measure is inappropriate. Because the decision not to implement a particular OPSEC measure entails risks, this step requires the approval of your company’s leadership.
Apply appropriate OPSEC measures. In this action, your company’s leadership reviews and implements the OPSEC measures selected in the assessment of risk action. Before OPSEC measures can be selected, security objectives and critical information must be known, indicators identified and vulnerabilities assessed.