On Crime & Security
As we’ve seen in recent events, both large and small businesses have been targeted by criminals, spies and terrorists.
Large businesses have the resources to employ security professionals who can install security countermeasures to protect their businesses and their people. But what can a small business person do to protect themselves and their business?
You can learn about OPSEC.
Operations Security, or OPSEC, is simply an analytic process that is used to deny an adversary or competitor information that would harm you and benefit them. OPSEC is used to keep threats to your business – criminals, terrorists and others – from discovering critical information about your activities, your business, and yourself.
What can a person observe about your schedule? What are you revealing by your predictable routines and the way you do business? These are OPSEC Indicators. OPSEC helps people identify the indicators that are giving away critical information to people who may want to harm you.
The five basic steps of OPSEC are:
Identify critical information.
The process is not that complicated once you learn about OPSEC through training.
While serving in the U.S. Navy on an aircraft carrier during the Vietnam War I was trained in physical security, communications security and OPSEC. Later, as the administrative officer of a Defense Department command, I was the OPSEC trainer for our command’s military and civilian employees.
It occurred to me that as defense contractors have long used OPSEC to protect both government and corporate information, OPSEC practices could also be beneficial to small business owners.
To learn more about OPSEC I contacted Chris Cox, the president of the Operations Security Professional Association (OSPA). Below is my Q & A interview with him:
Davis: Are small businesses at risk from crime, espionage and terrorism, just like government agencies and large corporations?
Cox: Most definitely! As technology advances, organizations leave “traces” on the internet in the form of online forum postings, press releases, chat rooms - even on their own website! This means that potential attackers have more access to information than ever before, and certainly use every bit of it. In fact, an Al Qaeda training manual captured in 2004 claimed that “public information can provide 80 percent of the information needed about a possible target.”
So, today, you find two primary categories of targets - “targets of opportunity”, which are normally targets that fail to take certain precautions and are targeted because they’re available, and “dedicated targets”, which have something that the adversary wants, whether it’s information, access to other, more lucrative targets, or any other motivation.
Anyone can be a target. That’s certainly not to say that we should all live in fear, but that we should all take very necessary precautions.
Davis: What is OPSEC and how does it differ from traditional security?
Cox: OPSEC is unique as a security discipline, because it is designed to complement any other security discipline without needing to replace it.
For example, the information security professional knows to secure their network using such devices and technologies as firewalls, intrusion detection and antivirus programs. Adding OPSEC to that equation would ensure that the brand and version of each is kept confidential in order to raise the level of difficulty for an attacker to find a weakness. After a quick search, you might be surprised to see how many IT and information security professionals will list this information on the “open” internet!
Another example applies to physical security. While it may be wise to employ patrolling security guards, the OPSEC element would ensure that patrol schedules are somewhat randomized and shift changes are kept secret in order to prevent a possible intruder from determining a pattern.
Many OPSEC concepts are what some would call “common sense”, but OPSEC teaches individuals to view their organization or operation from an adversary’s point of view, taking into account existing security measures.
Davis: How can OPSEC practices help protect a small business from terrorism, industrial espionage, cyber crime, and street crime?
Cox: OPSEC, fortunately, is a portable method that helps to protect businesses, large and small, as well as individuals, communities and more from any threat. While this is clearly a very bold claim, it’s one that’s demonstrated time and time again as more organizations and entities adopt OPSEC.
Although OPSEC formally has five steps, you can break it down into what Layne Marino from the Department of Energy once called the “OPSEC Two-Step.” First, consider the threats to your organization. Think about who or what is out there that would want to intrude or do harm, and what it is they want. Then simply consider how they may go about getting it, and what you can do to stop them. Suddenly, you’re OPSEC’ing!
As an example, perhaps you’re a small bakery owner that sells a very unique dessert; one that uses a recipe that’s been a family secret for generations. Among others, one of your threats may be a competing bakery, which may want to discover your recipe. (That’s step one - you’ve identified your threat and what they may want.) Among other techniques, you figure that they may try to find your recipe by searching through your trash bins for ingredient packaging and order receipts. Knowing this, you may lock your refuse bins or burn your “critical information”. Now you’re doing the OPSEC Two-Step!
Perhaps your business employs a female receptionist. While looking at your organization from an adversary’s perspective, perhaps you notice that the security guards are changing shift at the same time every night, which is also the same time that the receptionist leaves work. That would leave her in what could be a dangerous situation, depending on the environment. It’s important to consider every angle - not only for the security of your organization, but also for the safety of your employees!
Davis: Generally, small businesses don't have a security officer, let alone an OPSEC coordinator, so how can a small business owner become more aware of OPSEC and its practices?
Cox: Fortunately, OPSEC training is readily available online. The information’s out there, and it’s free, so don’t be afraid to use it!
By providing OPSEC training to all employees, especially security personnel, every employee becomes a “sensor,” able to recognize and respond to some of the subtle clues that could eventually manifest into a large scale security incident. What’s more, by knowing what represents a “vulnerability,” each employee can be a part of (and feel ownership for!) the overall security of the organization.
The OSPA offers free OPSEC training on their web site at www.opsecprofessionals.org/training.html