OPSEC stands for Operations Security. OPSEC is a process that aims to identify vital and sensitive information, the threats that arise if an adversary acquires it, who the possible adversaries are, how they could get their hands on the information and, finally, what steps can be taken to keep the information safe.
Originally used in a military context, OPSEC has become an important term and process in modern-day information security. Despite its military origins, it can be used by companies and individuals just as well. In fact, you are probably using some OPSEC methods already, whether you know it or not.
For example, you probably wouldn’t post your credit card number on social media. Why? Because it’s sensitive information that can be used to your detriment. How? By using your credit card to buy things at your expense. By whom? In this case basically anyone who can see your post on social media. Conclusion: your credit card number is information you do not want others to have access to, so it should be kept secret. How? For starters, don’t post it on social media.
Got nothing to hide?
Maybe not, but you probably have something to protect, for example the aforementioned credit card number. Other examples could be your social security number, home address, passwords etc. The list goes on. Anything that can be used to harm or identify you should be on your list of things you want to keep safe. Having something to hide doesn’t make you a crook, it just means that your information can be used to your disadvantage by someone.
The tricky part is knowing what counts as such information. There are multiple examples of how hackers have used seemingly insignificant details to piece together personal information. It might even be impossible to know everything that can be linked to you. However, OPSEC is about identifying the risks of information being exposed. You can minimize these risks by considering what information you need to protect and how to do so. Maybe you can’t cover all your tracks, but it’s already a lot to cover the important ones.
Access – restricted
There can be multiple reasons these pieces of information should be kept secret, and the importance can vary based on the person. Someone wants to keep their personal phone number private, someone else has to have it available because they use it for business purposes. Additionally, not all information needs to be hidden from everyone. It’s probably ok for your family members and friends to know your home address, but you don’t want burglars or hackers to know it. OPSEC is also about recognizing who can have access to the information.
But who would want to get your information? Well, that depends on the information. From an individual’s point of view, it can be rather difficult to pinpoint who would gain from your information. You probably aren’t the number 1 target for foreign state spying, for example. But that’s also part of OPSEC – knowing who you don’t need to be prepared against. Most of the time your mother-in-law isn’t such a threat when compared to a burglar or hacker. And not all parties intend to do you harm if they have your information, for example marketers.
However, individuals do have possible adversaries, even if faceless. It’s nothing personal, but hackers and other criminals are definitely after the information of individuals as well. All kinds of information can be used for identity theft, and then for different kinds of fraud. The number of hacked accounts sold on the dark web is measured in billions. It’s not paranoia to minimize the risks of something that can actually happen.
It can also get personal. If an individual is a celebrity or another publicly exposed person, malevolent parties can do a great deal, for example doxxing, stalking and sending threats via mail.
OPSEC isn’t only about data and computers. For example, you most likely have your doors locked and the location of your spare key kept secret. But it is very important in the digital world because we often do not realize how our information is used and can be used to our disadvantage. OPSEC aims to give you an understanding of the risks that your digital behavior may cause you.
For example, using the same password on multiple platforms is a risk, because if someone learns it, it can be used to access your other accounts as well. You can be located based on your social media posting and then stalked. And if you post vacation pictures or otherwise signal that you’re not home, the burglars who learned your home address based on your data can then go rob your house with ease. Sounds far-fetched? Well, it isn’t. And it’s up to you to decide which threats you want to prepare for.
OPSEC and cyber security
There is a lot of information about us on the internet. Not only on our profiles and accounts, but we also leave a digital footprint based on our browsing and cookies. There are many ways all this data can be used by different parties.
So how does cyber security fit into this OPSEC thing? You can prepare against many online threats with cyber security programs such as a VPN, which helps keep your web traffic safe. Many kinds of malware have information-stealing capabilities, so having antivirus software helps keep your information safe. And stop reusing passwords – create unique passwords and get a password manager to keep them safe. All these are included in F-Secure TOTAL. But all these programs can do only so much if you are not aware of the risks.
Common sense can go far when it comes to OPSEC. It goes without saying that you should not post your credit card number on social media. But it’s not always as clear what can be used against you and by whom. So, every time you post something or feed your personal information to a service, it is a good idea to take a minute to think. Is there anything that can be used to your disadvantage? Who could use the information and how? Can they get access to it somehow? Is there something you can do to prevent it or at least minimize the possible damage? That, my friend, is OPSEC.