An overview of operations security and how to make sure your facility is using OPSEC best practices
Your facility’s operations security (OPSEC) is the core of keeping the assets you protect safe. "Operations" can refer to what your company does, its mission, or the way it processes and stores information. For cleared facilities this is especially important: bad OPSEC doesn’t only put your company at risk, it can put national security at risk as well.
The Five Steps of OPSEC
Whether you’re building your company’s OPSEC program or trying to improve it, there is a five-step process to work through. It surfaces your company’s unique security concerns so you can address them in priority order rather than guessing.
1. Identify Critical Information
What are the assets your company is protecting? In this step, you identify the information your company works with that would damage the company or endanger security if it fell into the wrong hands. Do you have a database of clients that includes Social Security numbers, or classified files for the DoD? Don’t stop at the obviously sensitive: unclassified details such as project names, shipping schedules or staffing lists can tell an adversary a great deal when pieced together. This step should be fairly quick to complete, but you can’t start figuring out how to protect your assets until you know what those assets are.
2. Identify Threats
Who can pose a danger to your company or facility? This can be anyone from cyber criminals to foreign adversaries to competitors. Like identifying critical information, this isn’t a time-intensive step, but knowing who your adversaries are, and what each of them wants, tells you which defenses matter most. If your facility is in a high-crime area, physical security may be the bigger concern for potential break-ins; if you hold databases reachable from the internet, cyber security will need to be a priority to stop adversaries who might break in remotely.
3. Assess Vulnerabilities
This is going to be one of the most time-consuming steps. With your critical information and threats in mind, you need to analyze the ways adversaries might try to reach your information. Look at your business from an outsider’s perspective. Walk around your facility. Are there blind spots in your cameras, or windows through which screens showing sensitive information can be read? Talk to your employees to surface weaknesses you may not know about. You may not be familiar with the measures used to protect company data, so ask your IT team what’s in place and whether they have concerns about what could be lacking.
Search the web for your company and your employees. You’re looking for anything online that could be putting your information at risk. Most of your employees will be on LinkedIn with their employer listed, and job postings, conference talks and press releases can reveal just as much. Part of assessing your vulnerabilities is making sure nobody is posting information you wouldn’t want spread, or details you don’t want your adversaries or competitors to know.
You can also hire a third party to evaluate your company’s security. This is a good option, since you may be too close to the operation to see some vulnerabilities, and an outside assessor offers a fresh set of eyes. They may spot things you can’t because they specialize in finding security issues. If you’re a Facility Security Officer (FSO) balancing multiple roles, an outside company can take some of the burden off your plate. This is especially helpful if you’re performing these steps for the first time or haven’t taken stock of your company’s OPSEC in a while.
4. Analyze the Risk
Once you’ve found your vulnerabilities, you need to triage which areas need attention first and which can wait. For each vulnerability, weigh how likely an identified threat is to exploit it against how much damage that would do to the critical information it exposes. This is also a quick step once the earlier ones are done. It may also be where you decide that some possible vulnerabilities don’t need to be addressed yet, only monitored, unless they grow more serious.
5. Develop and Apply Countermeasures
Discovering your vulnerabilities isn’t worth much if you don’t then work to address them. The time this step takes will vary with the type of countermeasure. Some problems can be fixed in minutes, like applying a missing software patch. Others may be a long process. If you find a key to your facility is missing, addressing that means rekeying or replacing your locks and reissuing keys to every employee who holds one, which could take weeks. Either way, record what was done and confirm it actually closed the gap; a countermeasure that was planned but never verified is still an open vulnerability.
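The five steps above are a single cycle, and the hand-off from step 4 to step 5 is the part most facilities do informally. Below is an added example (not the article’s own material, and not an Adamo tool) of turning that triage into something repeatable. The scoring model is an assumption: each finding carries three 1-5 ratings drawn from steps 1-3 (asset criticality, threat likelihood, and how exposed the vulnerability leaves the asset), step 4 triages on their product, and the "act now / schedule / monitor" thresholds are also assumed. The sample findings are constructed to mirror the situations the article describes.

```python
"""Risk triage for the five-step OPSEC cycle.

Added example, not from the article. The scoring model is an assumption:
every finding carries three 1-5 ratings taken from the earlier steps,
    criticality  - how much the asset matters (step 1: critical information)
    likelihood   - how likely an identified threat is to go after it (step 2)
    exposure     - how easy the vulnerability makes that (step 3)
and step 4 triages on their product (1..125) against assumed thresholds.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)          # 1 = negligible ... 5 = severe (assumed scale)
ACT_NOW_THRESHOLD = 60       # assumed: counter immediately (step 5 starts now)
SCHEDULE_THRESHOLD = 20      # assumed: plan a countermeasure; below this, monitor


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str
    threat: str
    criticality: int
    likelihood: int
    exposure: int

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently inflate or bury a risk.
        for name in ("criticality", "likelihood", "exposure"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.criticality * self.likelihood * self.exposure


def triage(finding: Finding) -> str:
    """Step 4 decision: counter now, schedule a countermeasure, or only monitor."""
    if finding.score >= ACT_NOW_THRESHOLD:
        return "act now"
    if finding.score >= SCHEDULE_THRESHOLD:
        return "schedule"
    return "monitor"


def triage_report(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """Highest-scoring findings first, each with its triage decision."""
    ranked = sorted(findings, key=lambda f: f.score, reverse=True)
    return [(f.asset, f.score, triage(f)) for f in ranked]


def reassess(finding: Finding, **ratings: int) -> Finding:
    """Next run of the cycle: update one or more ratings and return the rescored finding."""
    return replace(finding, **ratings)


# Constructed sample findings, modelled on the situations the article describes.
SAMPLE_FINDINGS = [
    Finding("client database (SSNs)", "internet-facing server missing a vendor patch",
            "cyber criminals", criticality=5, likelihood=4, exposure=4),
    Finding("classified holdings", "facility key unaccounted for",
            "break-in", criticality=5, likelihood=3, exposure=5),
    Finding("project schedules", "screens readable through a ground-floor window",
            "competitors", criticality=3, likelihood=2, exposure=4),
    Finding("contract staffing", "employees naming the program on LinkedIn",
            "competitors", criticality=2, likelihood=3, exposure=2),
]


if __name__ == "__main__":
    for asset, score, decision in triage_report(SAMPLE_FINDINGS):
        print(f"{score:3d}  {decision:8s}  {asset}")
    # Next cycle: the LinkedIn posts have started naming a customer, so likelihood rises.
    later = reassess(SAMPLE_FINDINGS[3], likelihood=5, exposure=3)
    print(f"{later.score:3d}  {triage(later):8s}  {later.asset} (after reassessment)")
```

The point of the `reassess` step is the article’s own: a finding parked in "monitor" this month is not closed, and when the ratings behind it change on the next pass it should move up the list without anyone having to remember it. Keep the ratings and the reason for each in the register so the next FSO can see why a score was what it was.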
These five steps aren’t a one-and-done exercise. They need to be repeated regularly, every month or so, to stay effective, and re-run sooner whenever something changes. A new competitor could appear and pose a threat. A researcher working for your company could start sharing findings online that should be protected information. Your security needs to be dynamic: the assets you’re protecting will change, as will the threats and vulnerabilities that put them at risk.
Knowledge is Power
Education is one of the major ways you protect your company’s OPSEC. While the average employee doesn’t need to, and shouldn’t, know the intricacies of how your assets are protected, they are an important part of your security. Negligent errors accounted for 56% of insider incidents in 2022, according to the Ponemon Institute 2022 Cost of Insider Threats Global Report. Proper education can help protect your business from this potentially costly type of threat.
It’s not enough to hand your personnel a set of rules and expect them to follow them. They need a reason to care, a "why." One effective way to provide it is to use real-world examples in your training that show how bad OPSEC hurt people and companies. They serve as a strong reminder that good OPSEC does make a difference, even when an individual precaution feels small or pointless.
Phishing remains a large threat to both personal and company security. Make sure your employees are aware of the scams currently circulating, especially if anyone at your company has recently received one. You can share examples that employees have received so others know what to look for; circulate them as screenshots or with the links and attachments removed, so the training copy can’t be clicked by mistake. Encourage employees to forward any suspected phishing message to the security team rather than deleting it, since one report often reveals that the same lure reached many inboxes.
You want your personnel to practice a healthy level of suspicion. This means being aware of their surroundings and avoiding discussion of potentially sensitive company information outside the office, even over a casual dinner. As the saying goes, "Loose lips sink ships," so make sure they act as though someone could be listening.
If you hold a Facility Clearance and need help educating your personnel in OPSEC and other important security topics, Adamo’s FSO support services can help. Our team of experts leads engaging and informative briefings to make sure your employees receive high-quality training.