An ordinary day at your office. While chatting with colleagues, you take a group selfie. You post it on Instagram, but the next day, your boss calls you in for a quick chat. You learn that the flipchart in the background of the photo had the username and password of a sensitive database. Opsec can help you avoid such situations.
The term Opsec (“Operation Security”) was coined by the US military during the Vietnam War. Commanders found that some operations failed because their adversaries were able to secure information about them. The military officials then codified preventive measures and recommendations to avoid such situations and called the process “Operation Security.”
The term is now widely used in cybersecurity and online privacy. More generally, it means the protection of data used in a process or operation that an adversary (e.g., a cybercriminal or a rival company) could gather and abuse.
A lot of things fall under this umbrella:
In the age of intense data collection and advanced hacker techniques, even the tiniest, most trivial details can be used against you. For example, an out-of-office email might tell a hacker that an important employee is out of the office and that it’s an excellent opportunity to initiate an attack. Your selfie’s background details might indicate your whereabouts and open the door to stalkers.
To prevent such leaks, companies usually ask their employees to sign non-disclosure agreements (NDA). NDAs often oblige them not to disclose even such seemingly innocent information such as the company’s address, products, relations to other companies, etc. In a non-corporate context, you should always watch whether your public info on social media does not expose too many personal details, reduce your digital footprint, always separate your personal and professional onlines selves, etc.
Opsec is a five-step process. An entity must carefully consider each step to identify and safeguard its information:
The first step is identifying data that might jeopardize the organization if it ends up in the wrong hands. This might be anything from financial records to social media metadata. Sometimes it is really difficult to determine which info might be harmful. Always stay up-to-date about new dangers and threats. Seemingly harmless things like a city skyline in the background, a job ad on LinkedIn or an out-of-office email might do damage.
Identify external and internal threats for the organization. Name specific or general adversaries who might exploit the data mentioned in step 1. Consider what data would be the most interesting to them. For example, your adversaries might be:
Consider the main vulnerabilities your adversaries could abuse to access your data (e.g., loopholes, backdoor access, configuration weaknesses, potential data leaks, etc.). A few potential situations:
When you discover your weak spots, you should evaluate the level of threat they pose. You should consider the probability of an attack, what sort of damage it would do, and how difficult it is to defend against. This will help you prioritize your efforts. For example, you might potentially ask whether a hacked Ring device might do more damage than a rival companies’ skim through your employees’ social media profiles.
After identifying the vulnerabilities and their risks, you should identify the appropriate mitigation measures to protect yourself. This can include:
The Opsec five-step process is helpful not only in corporate settings, but also for everyday users' risk management. Each of us has critical information, like passwords or intellectual property. The Opsec program can serve as a good cyber security guideline. Be one step ahead to avoid data breaches.
To learn more about cybersecurity, subscribe to our monthly blog newsletter below!