OPSEC is a pretty familiar term in this industry, but reviewing its fundamental meaning and what it implies for us today in our current threat landscape is a useful exercise.
After all, being able to secure our systems and information from prying eyes from the likes of cyber thieves, scammers, ransomers, and so on, is a key priority for most businesses today.
OPSEC is the term the industry uses to talk about operational security. It is an analytical process that is designed to classify information and determine the necessary controls to protect these individual classifications of intellectual assets.
The term comes from the military where it was used to describe strategies to fend off adversaries from discovering critical operations and any related data.
According to a Tech Target definition, it is a process of five steps, and I want to focus on the first one.
Identify critical information
This is where you need to isolate the data that would cause the organization harm if it got into the wrong hands. So any personal information from customers, employees, and business partners; financials, assets, strategies, and product designs – to name a few.
With a number of new privacy laws coming into enforcement over the past few years, most companies ought to have a pretty up to date list of this data. However, if it is more than 6-12 months old, it is time for a review.
However, many organizations have stopped their analysis at the network perimeter. This, on the surface, seems logical. In our own homes, our job is to secure the property by locking doors, putting on alarms and using floodlights. Similarly, security software such as anti-malware, firewalls, and application controls are all in use to help us limit unauthorized access to critical information assets.
But in today’s incredibly complex and tangled networks, where we share splatters of information with any number of third parties, it can be incredibly difficult to perform an accurate assessment of your true risk exposure.
Think about it: your organization may have cloud instances that are shared with any number of business partners to streamline the process. However, how certain are you that they are holding up their end of the bargain – taking security as seriously as you are?
This is a growing issue. It has been coined the supply chain management problem. I mean, just who is connected to your network? Do you really know?
So lesson number one is look outside the organizational box: consider all your business partners that are supplying your services and share your data with. See what you are sharing and what risks this poses to your organization.
Organizations like TBG Security offer high-value services brought to you by expert US-based cyber consultants who can help you assess your vulnerabilities, weak spots and supply chain concerns before they bite you in the you know what.
To learn more, get in touch. We are here to help.