How to complete the second step of OPSEC effectively
Operations Security, or OPSEC, is a five-step process that aims to prevent adversaries from accessing sensitive or classified information. These five steps are identifying the sensitive information that needs to be protected, identifying threats to that information, analyzing your company or contract’s vulnerabilities, assessing the risk the threats pose to the information and applying countermeasures to prevent adverse action. The second step, identifying potential threats, is an important security skill for Facility Security Officers (FSOs) that needs to be sharpened to protect sensitive information.
How to Identify Your Threats
To begin to identify your cleared facility’s specific threats, you need to know what threats exist generally. While many of these are external, one of the greatest threats to your program may be your own personnel. Insider threats are adversaries who have privileged access to your facility or information, such as a cleared employee or vendor. These can be a risk to any company, so they should always be considered when applying OPSEC.
For any classified program, foreign adversaries need to be considered a threat. This could be someone operating on behalf of an adversarial government or a member of a terrorist organization. The U.S. State Department keeps a list of countries of particular concern that can be a helpful aid in identifying specific adversaries.
Phishing attacks remain a major concern for any business, and the high-security industry is no exception. While you need to be on the lookout for typical scams aimed at stealing financial information, you must also be concerned that stolen passwords could be used to access information.
Local criminals could also pose a threat to your business, even if they’re unaware of the type of information you’re working with. If you have a facility in a high-crime area, you need to consider what physical protections you need for your facility to keep yourself from becoming a victim.
Not every facility faces every type of threat. Part of identifying threats is analyzing intent and capability. Do these potential adversaries have a reason or a likely desire to try to steal sensitive information? Do they actually possess the ability to carry out an adverse action? You must also consider if this potential threat has a history of carrying out such actions. All of this helps determine whether someone is a threat, and if they are, how much of a risk they actually pose.
The Importance of Analyzing Threats
Effective security measures are built on understanding how vulnerabilities may be exploited by adversaries. There is no one-size-fits-all security solution that will prevent your company from ever facing an incident. You could put all your energy into reinforcing your physical security and building up cybersecurity, only for an insider threat to sell your classified information to the highest bidder.
When completing the final three steps of the OPSEC process, you need to analyze each one through the eyes of your adversary. If you don’t understand who poses a threat to the things you protect, you can’t begin to protect them.
Your adversaries will not remain static forever, however. You cannot complete OPSEC once and assume your facility is secured forever.
OPSEC as an Ongoing Process
OPSEC is not a one-time security solution. As an FSO, you need to be constantly evaluating your facility’s security and adapting it to changing scenarios. While some threats remain consistent, you may get a new contract that means new enemies, or you may become a target of increased phishing attacks. Without acknowledging new threats, you cannot patch the holes in security that they may exploit.
The Defense Contract Management Agency (DCMA) adds a sixth step to OPSEC: the periodic assessment of effectiveness. Essentially, you should always be evaluating how your security mitigations are operating and looking for ways to improve them. Schedule a time once a month or once a quarter to repeat the process. When there is a security incident, however, don’t wait until your scheduled time to address it; run through the OPSEC process again at that point. You also want to be constantly evaluating how effective your training is, since your personnel will always be your first and best line of defense against any threats, and they are also a likely weak point to be exploited.
If you’re looking for help with your training or enhancing your facility’s OPSEC, our FSO Support Team is your trusted security partner. Whether you just want someone to handle Personnel Clearance (PCL) management so you can focus on other duties, or you’re looking for ways to revitalize your security program, we can meet your needs. Contact us today to learn how together we can build a strong security program.