5 OpSec Best Practices to Live By
By Palen Schwab
Often when we talk about security, we focus on the mechanics of how to keep technical infrastructure safe. It can be easy to forget that operational security is just as important. When done right, strong OpSec practices will keep your business safe from leaked information, competitive disadvantage, and even public embarrassment.
Without good OpSec, your business may be vulnerable to information theft via an attack surface that has little or nothing to do with computers. With that said, here’s what you need to know about OpSec today.
What is OpSec?
OpSec stands for Operational Security. Many people think of it in a military or national security context. In those realms, OpSec means understanding what your adversaries can deduce from the communications you put out, and taking steps to limit the usefulness of any information they can easily gather. For our purposes — in the world of business — when we say OpSec, we mean: “Actions taken to ensure that information leakage doesn’t haunt you.”
Similar concept, different context. OpSec in the world of business is all about making sure that information about your business that should remain private does remain private. This article offers a helpful framework for applying OpSec principles to business. Below, we’ll explain what we’ve learned and how we share it with our own employees.
Why is OpSec So Hard?
Strong operational security is difficult because what it protects is information and knowledge, and those live in people’s heads and come out in conversation. More specifically, OpSec is hard because we’re all human. We have a very human desire to be seen as knowledgeable and to impress others, and this can lead us to gossip, brag, and otherwise overshare.
Often, OpSec missteps happen when folks are casually discussing something that doesn’t seem particularly sensitive, or when people forget to consider their surroundings before blurting something out. Whether the cause is pride in the information we have access to or simple inattention to who else is within earshot, this type of laxity can have some pretty serious consequences.
The 5 Big OpSec Rules
To prevent these consequences as much as possible, we teach basic OpSec best practices to all new hires at Threat Stack as part of our security awareness training program. When we do this, we share five primary rules to live by when it comes to keeping our business operationally secure.
1. Remember: You Could Be a Target
We tell employees to remember that, no matter your role or function within the organization, you could be a target. This is especially true at a security company. We are a natural target for all sorts of attacks — from garden-variety cybercriminals to competitive spying (sounds dramatic, but it’s real!). That said, it doesn’t really matter what industry you’re in. If you have any sensitive, proprietary information at all (and let’s face it, most employees do), then you could very well be a target. This is a good thing to always keep in mind.
2. Remain Vigilant
We also advise employees to remain vigilant, especially in regard to unexpected