Everyone has heard the phrase "loose lips sink ships." That's the very essence of military operational security. Commonly shortened into "OPSEC," it is a fundamental—if not the most important—part of military operations.
OPSEC refers to all the different ways the military maintains secrecy and security in its operations—even the smallest leak can cost lives, destroy campaigns, and lead to an enemy victory.
The business world isn't nearly as life and death but that doesn't mean the same rules don't apply. The military has five basic steps to proper OPSEC, and they're just as useful in the civilian world, especially with the proliferation of tech that makes leaks and security breaches more common.
1. Identify critical information
In the military this means troop movements, organizational structures, and anything else an enemy can use to destroy plans and disrupt operations. In the civilian world it includes those elements, but with the addition of a whole bunch of others.
SEE: Security Awareness and Training Policy (Tech Pro Research)
Customer data, passwords, network information, data for analysis—all of those things and more are critical. Determining what is truly essential for your organization means having a complete understanding of how you operate.
Ask yourself this question: Would this bit of information be a risk to the success of my business or the security of my customers? If the answer is yes it's critical and needs to be protected.
2. Analyze potential threats
Protecting a military operation doesn't just mean knowing all about your capabilities—it means knowing your enemies as well. While you're busy planning OPSEC you also need to be gathering intelligence in the hopes of breaching your opponent's OPSEC strategies.
Hopefully your business isn't engaging in industrial espionage, but that doesn't mean you can afford to ignore threats. Keep up to date on the latest infosec threats, hacks and exploits, and the trends in cyber—and physical—security.
Know your enemy, and thereby know yourself.
3. Know your own weaknesses
OPSEC professionals don't just focus on what the enemy is capable of: they also learn to think like the enemy in order to identify weaknesses in a unit's security. Businesses need to think in the same way: how would someone exploit our network, our employees, or our operations to get inside and do damage?
IT leaders should be sure they know the ins and out of the network to determine where potential flaws are, HR should be aware of potential social engineering attacks, and every single machine should be audited regularly to be sure it's clean of spyware and malware.
4. Assess risks
Once military leaders know threats and weaknesses they compare them to figure out how great a risk they are. Threats range from low to high and are based on how likely and how devastating they would be.
SEE: The hacking toolkit: 13 essential network security utilities (TechRepublic)
Once you know what kind of security threats you have and where your most vulnerable areas are you can determine what needs to be done. Whether it's instituting better BYOD guidelines or buying a new firewall the costs of good security are always far less than the costs of a major breach.
5. Apply countermeasures
There's no need to have workers on 24-hour security rotations in the civilian world, and no one needs to go to the arms room to start prepping for a (very) hostile takeover. What you do need to do is take action when you identify a weakness.
OPSEC planning is completely useless without OPSEC application. The best leaders in the history of the military were definitely on top of their OPSEC, and you need to be too. The threats are different for everyone but they're no less real.
The 3 big takeaways for TechRepublic readers
- OPSEC requires complete understanding of your company from the inside out. If you're truly going to be as secure as a well-oiled military unit you need to think about—and think like—the enemy.
- Think about the threats you might face and compare those to your vulnerabilities. The military uses that comparison to figure out where they need to focus on OPSEC—it is no different in the civilian world.
- Planning is nothing without execution. Make sure you're putting OPSEC lessons into play, and also be sure that everyone in your company is on board. The lowest ranking Private in the Army takes OPSEC classes, and so should the lowest level employee at your company.
- Infographic and interview: The explosion of cybercrime and how to protect your business (TechRepublic)
- Thousands of security threats happen every five minutes: Trend Micro VP (ZDNet)
- Cloud Security Alliance releases top 100 big data best practices report (TechRepublic)
- Breaches showing patterns of both desirable, questionable characteristics (ZDNet)
- Report exposes common cracks in cybersecurity (CBS News)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.