OPSEC is a military and security services term, short for Operational Security.
· What is OPSEC?
· Is OPSEC relevant to industry?
· How do I maintain OPSEC in my organisation?
· What are the issues for my organisation if I don’t have OPSEC?
· What are the risks in breaches of OPSEC?
In a military and security services context, OPSEC is a very important part of how these services operate. For strategic and tactical reasons, these organisations do not talk about their current or future plans, movements, missions, operations and planning, or what they are up to currently for that matter. This denies the enemy a chance to plan ahead and counteract the forward planning of the given organisation. This obviously plays into INFOSEC, which is the term used to describe Information Security (this topic will be covered in depth in a future post). OPSEC, in its simplest terms, is reticence about information relating to any organisation’s operations, conduct or general working.
So how does this play into industry, business and commercial organisations? There is no “enemy” so to speak, so why is OPSEC important to your organisation? In all businesses and organisations you have competitors: they are the other businesses who do the same things and offer the same products and services as your own business. In short, these competitors can be described as the enemy (in the sense that if they get work you don’t, which in turn costs money for your company). In this instance a critical error that you could make as a business is to announce your upcoming changes. Depending on what your business is, even the release of information about what you are currently doing could play into the hands of a competitor. If you have a ground-breaking idea that would give you an advantage in your field, why would you notify your competitors? Why would you allow them to get a jumpstart on your plans and set up the very thing you are planning that would give you the edge? You just wouldn’t do it.
The problem for any organisation comes from within: people talk. People like to talk, and they like to talk about their work. The majority of people enjoy what they do, and like to tell people about what they do. They often have friends in similar professions and they talk with them. People do not necessarily talk about operational capacity, current work, plans, upcoming implementations and what they are working on in order to sabotage, but a lot of people do not understand the implications of talking about these things. A lot of people do not believe in, and have never really come across, those people in the world who are actively trying to steal secrets and who use subterfuge and dishonesty to get a jump on the competition. The reality is that industrial espionage is a real thing, and organisations will go to great lengths to ensure that they always have the jump on their competition.
So how do you combat the release of operational information? Like most things in life, it comes from education and setting up measures to ensure that people are held accountable for their actions. Education can be delivered internally, or by an organisation that has experience in OPSEC and other matters and can deliver a complete training package to the organisation and staff. This training will talk about the risks of disclosing information around current operations and operational planning to others, cover a multitude of topics and likely cover a half to full day of information.
Consequential measures are quite simply things like having robust legal documentation in place that all staff, contractors, directors and shareholders must sign. These documents cover confidentiality, privacy, reticence etc. As well as this, there should be policies in place that spell out in plain language the consequences for breaches of OPSEC and confidentiality, i.e. evidence will be provided to the relevant prosecutorial authority and legal proceedings will be taken. This, however, must be enforced; if there is a breach, it needs to be shown that the company will act. If the company fails to act on these matters, it will breed complacency in the company and may lead to breaches.
So what are the consequences for a breach of OPSEC? This is a complex question as it depends on the nature, severity and to whom the breach is directed. It could be as simple as a staff member speaking out of turn to a friend about a given project; the friend could even be a colleague in a different department. The likelihood of fallout is small, but there is still the issue of continued talk and passing on of the information, particularly if any receiver of the information does not understand the implications of passing it on to a third party. However, the real risk comes from speaking out of turn, either to a person who has a vested interest in receiving the information or in a crowded area where a person with a vested interest can overhear the information. This can lead to operationally sensitive information getting into the hands of a competitor who could then gain an advantage over your organisation, allowing them to potentially take clients, sales or advance themselves in any other way in the market. OPSEC breaches can include information around what you are doing, how you are doing it, clients you are in talks with, your pricing structures etc. All of this information could have the potential to lose an advantage and in turn lose income to your organisation.
The overarching truth is, OPSEC breaches should not be tolerated and the education of staff with ongoing reminders is a must. You want the best competitive advantage you can in the industry you are in and you need to protect your secrets.