Get tailored business security with Avast's next-gen business antivirus
- Security
- Privacy
- Performance
Operational security (OPSEC) began as a military process but is now commonly used in business as a risk management strategy for protecting data from unintentional leaks. This article explains why OPSEC is important for business security and offers best practice tips for implementation, such as keeping your system up to date with comprehensive antivirus.
Operational security (OPSEC), also known as procedural security, is a process designed for risk management. The process is used by businesses to determine how to protect sensitive information from being exploited.
This Article Contains:
This is done by considering the security of a network from the perspective of an attacker and identifying potential weak spots, helping to inform improvements to security measures and best practices.
Operations security was first developed by the US military during the Vietnam War. Despite using secure communications, it appeared that their operations were being anticipated. A team, Purple Dragon, was tasked with finding out how the enemy was obtaining information on forthcoming military operations. They discovered that the US army had been inadvertently sharing information, not thought to be sensitive itself, which was enough to reveal their plans. Operations Security was introduced as a response, to identify and protect information that could be valuable to an attacker.
The concept has since evolved from military and national security use into a common aspect of business operations.
OPSEC considers all aspects of a network, from devices and servers to software and processes.
The purpose of operational security is to identify and minimize access to sensitive information that could be used by bad actors for phishing and identity theft. Strong security is not only about hardware or software, but having a detailed understanding of how those pieces combine and where the gaps are.
Not all forms of information are considered sensitive when used in isolation. However, should a hacker combine this information, it could be possible to use it for another purpose — to gain access to user accounts or to create convincing phishing emails.
For example, names and email addresses are commonly shared without much thought, but combined with ID numbers and internal company information, they could be enough to prepare a convincing phishing attack or reset account passwords.
Raising awareness of this issue can be challenging. Simply instructing staff to be careful when handling data does not provide the level of guidance required to establish confidence and understanding. Using the OPSEC process will result in a framework for implementing procedures and best practices, enabling a company to set out guidelines for staff based on the identified threats and vulnerabilities to their business.
As well as providing the original OPSEC concept, the military has also highlighted the consequences for not effectively implementing the required security measures. For example:
In 2018, sensitive information about the location of secret US military bases was revealed due to military personnel using tracking features on their fitness apps.
In 2014, journalists were able to prove that Russian troops were in Eastern Ukraine using geotagging data on Instagram posts by a Russian soldier.
Failure to correctly implement operational security could seriously impact the reputation of your business and the trust of your customers.
The operational security process is commonly split into the following five steps:
Identification of critical information
Determine which data could cause harm to your business if it were to fall into the wrong hands. This could include customer information, financial data, intellectual property, or research.
Analysis of threats
List potential threats for each type of data identified in the first step. There could be multiple threats from a range of angles including hackers, competitors, insider threats, or even human error, such as clicking on a malicious link in an email. The key is to understand where the threats could come from and the types of data they would be most likely to target.
Analysis of vulnerabilities
Assess the current state of your security to identify vulnerabilities that could be used to gain access to your sensitive data. This should include both physical and software security measures — from automating security patches to staff awareness, training, and best practices, including 2FA and strong passwords.
Assessment of risk
Assess each vulnerability against factors such as the likelihood of an attack, the level of damage it would cause, and the cost of downtime and recovery. You can use these risk levels to prioritize actions.
Application of appropriate countermeasures
Secure your company’s information and minimize risk. The plan should be broad and include new policies, training, improved encryption, equipment upgrades, and incident response plans.
To ensure your operational security strategy is robust and effective, it should include best practices, many of which align with business security best practices around data security:
Manage access permissions
Access permission should be strictly limited to those who require it to complete their work. If roles change or tasks are completed, you must review and adjust permissions accordingly.
Keep security tools and software up to date
With new threats emerging every day, next-generation antivirus solutions and firewalls must be regularly updated with the latest security patches. Frequently used apps and software, including operating systems, should also be routinely updated to protect against known vulnerabilities and minimize the impact should a breach occur. In many cases, these processes can be automated, reducing the risk of human error.
Use of strong passwords, 2FA, and VPNs
Human error is one of the most common causes of data breaches. In addition to training staff on identifying potential phishing threats, you should ensure that strong passwords and two-factor authentication (2FA) are in use on every user account.
When transferring data or working remotely, VPNs should be used to ensure that data is securely encrypted during transfer.
Incident response planning
Even when operational security measures are in place, you must still prepare for crisis events — for example, by creating a business continuity plan. Keeping backups and providing training for a rapid response are crucial to minimizing the downtime and costs associated with a data breach or attack.
Operational security requires a proactive approach to identify weaknesses and prevent security threats. This includes carefully monitoring potential attack vectors with Avast next-gen antivirus, which uses artificial intelligence, behavior-based machine learning and cloud threat lab analysis to identify and prevent a range of attacks including phishing, Trojans and other malicious software.