Operations security, or operational security (OPSEC), is the process of protecting an organisation at every operational level by examining its potential entry points the way an adversary would. OPSEC covers more than the technical or cybersecurity-related systems of an organisation.
Originating in the US military, OPSEC covers issues that range from publicly available information on social media to, for example, printer security or physical entry points into an organisation's premises. The aim of this wide-ranging effort is to deny an adversary the ability to combine information and weaknesses from several sources into a path to the organisation's private assets.
Organisations may have a fully developed cybersecurity strategy, with supporting infrastructure such as threat monitoring in place, which substantially reduces the risk of a cyber-attack. Without the bigger picture that OPSEC provides, however, they may still be prone to breaches, because most cyber-attacks today proceed in several stages and combine publicly available information with other weaknesses. Some questions to consider when improving OPSEC are:
- What information available on the Internet, such as on social media, must be protected? Information that enables employee credential enumeration (for example, staff names combined with a known e-mail address format) and leaked intellectual property fall into this category.
- Who are potential adversaries, and what private information or access might they be seeking?
- Based on the above, has the organisation identified and remediated security vulnerabilities?
- Are the vulnerabilities that remain unaddressed severe? What are the worst-case scenarios?
- Does the organisation have the means to keep assessing OPSEC threats, such as threat intelligence or a digital forensics capability?
- Are response plans in place, such as incident response, disaster recovery and business continuity?
Organisations may also wish to consider basic OPSEC hygiene, such as the principle of least privilege or zero-trust networking, continuous monitoring, separation of duties among personnel, and continuous penetration testing.
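The credential-enumeration point above is easiest to see in code. The following is an added example, not part of the original article: it shows how publicly visible staff names plus a guessable e-mail address convention become a list of candidate login names, and how continuous monitoring of authentication logs can spot an attacker working through that list. The names, the address format `{first[0]}{last}`, the IP addresses and the log lines are all constructed for the example; the log format mimics OpenSSH "Failed password" messages but is not taken from any real system.

```python
import re
from collections import defaultdict

# Constructed input: names as they might appear on public professional-networking
# profiles, and the organisation's address convention, assumed here to be
# discoverable from a press release or website signature block.
PUBLIC_NAMES = ["Ada Lovelace", "Grace Hopper", "Alan Turing"]
ADDRESS_FORMAT = "{first[0]}{last}"  # hypothetical convention, e.g. alovelace

# Constructed authentication log. 203.0.113.7 walks the public-derived list;
# 198.51.100.2 is a single user mistyping a password twice.
SAMPLE_LOG = [
    "Jan 10 12:00:01 gw sshd[101]: Failed password for alovelace from 203.0.113.7 port 51000 ssh2",
    "Jan 10 12:00:02 gw sshd[102]: Failed password for ghopper from 203.0.113.7 port 51001 ssh2",
    "Jan 10 12:00:03 gw sshd[103]: Failed password for aturing from 203.0.113.7 port 51002 ssh2",
    "Jan 10 12:00:04 gw sshd[104]: Failed password for invalid user root from 203.0.113.7 port 51003 ssh2",
    "Jan 10 12:05:10 gw sshd[110]: Failed password for ghopper from 198.51.100.2 port 40000 ssh2",
    "Jan 10 12:05:14 gw sshd[111]: Failed password for ghopper from 198.51.100.2 port 40001 ssh2",
    "Jan 10 12:05:20 gw sshd[112]: Accepted password for ghopper from 198.51.100.2 port 40002 ssh2",
]

LOG_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def candidate_usernames(names, fmt):
    """Derive candidate login names from public full names and a known address format.

    This is the attacker's view: the same derivation an adversary would perform
    after harvesting names and guessing the naming convention.
    """
    out = []
    for full in names:
        parts = full.lower().split()
        if len(parts) < 2:
            continue  # a single-word name does not fit a first/last convention
        first, last = parts[0], parts[-1]
        out.append(fmt.format(first=first, last=last))
    return out


def detect_enumeration(log_lines, watchlist, min_distinct=3):
    """Defender's view: flag sources that try many distinct usernames.

    Returns {source_ip: {"distinct_users": n, "on_watchlist": [...]}} for every
    source that failed against at least `min_distinct` different accounts. The
    overlap with `watchlist` (the public-derived candidates) shows whether the
    attacker is working from information the organisation exposes publicly.
    """
    users_by_src = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, src = m.groups()
        users_by_src[src].add(user)

    watch = set(watchlist)
    findings = {}
    for src, users in users_by_src.items():
        if len(users) >= min_distinct:
            findings[src] = {
                "distinct_users": len(users),
                "on_watchlist": sorted(users & watch),
            }
    return findings


if __name__ == "__main__":
    candidates = candidate_usernames(PUBLIC_NAMES, ADDRESS_FORMAT)
    print("public-derived candidates:", candidates)
    for src, info in detect_enumeration(SAMPLE_LOG, candidates).items():
        print(f"{src}: {info['distinct_users']} distinct users, "
              f"{len(info['on_watchlist'])} from public list: {info['on_watchlist']}")
```

The threshold of three distinct usernames per source is deliberately low for the constructed sample; in production it would be tuned per environment and combined with a time window. The useful signal for OPSEC is the `on_watchlist` overlap: if it is high, the enumeration was seeded from information the organisation itself publishes, which points at an information-exposure problem rather than only a perimeter one.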