The military has a vested interest in keeping information secure — and their strategies are worth adopting for private cybersecurity. OPSEC (Operations Security) is an in-depth security and risk management strategy that assesses potential threats and risk to sensitive data and outlines what countermeasures are needed to protect that data and prevent it from getting into the wrong hands.
Examining your organization from an attacker’s vantage and shoring up defenses accordingly isn’t being paranoid — it’s being prepared. From end-to-end security to employee education, OPSEC strategies have proven invaluable to organizations outside of the military. Once you’ve identified critical information, threats, vulnerabilities, and risk, follow both OPSEC and zero trust best practices to make a plan and achieve maximum security.
Zero trust is a cybersecurity framework with clear strategies based on the premise “never trust, always verify.” It is the simplest way to reduce vulnerabilities, as access is granted based on context to block inappropriate access and lateral movement through the system. The average time to identify and contain a breach is 277 days, so controls that help expedite the discovery of malware are key.
Systems that allow employees to remain logged in across access points do not practice the guidelines of zero trust. Instead, multifactor authentication (MFA) is championed by zero trust proponents. The potential impact to user experience is vastly outweighed by the preventive protection provided. Both methods prevent sensitive data from falling into the wrong hands — and reduce harm if disaster strikes.
When making a company cybersecurity plan, always verify the identity of entities connecting with your system. Adopt solutions to authenticate and authorize before granting access. While one-time passwords have been most commonly used to verify identity, MFA has been added as a safeguard, though there are still gaps in these methods. A widespread move toward integrating artificial intelligence and machine learning to improve identity verification is anticipated.
To combat some of these concerns, practice least-privileged access. Restrict administrative permissions and access to sensitive data solely to those who need it to do their job. Just because a position’s “always had access” doesn’t mean it should — access permissions should fluctuate as company objectives change. In the same vein, it is also crucial to validate devices and connections regularly. Check and enforce the health of each device and deny all connections unless they meet specific requirements (location, health, patch level, etc.). For unmanaged devices, create alternative access pathways that don’t leave your system exposed.
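One way to express the least-privileged access and deny-by-default device checks described above, as an added example that is not part of the original article. The role names, resource names, allowed locations and minimum patch level are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Hypothetical policy values, constructed for this example.
ALLOWED_LOCATIONS = {"US", "CA"}
MIN_PATCH_LEVEL = (2024, 5)  # (year, month) of the oldest acceptable patch bundle
# Least privilege: each role lists only the resources it needs today.
ROLE_GRANTS = {
    "payroll-clerk": {"payroll-db"},
    "it-admin": {"payroll-db", "admin-console"},
    "contractor": {"wiki"},
}
# Alternative pathway for unmanaged devices: a restricted set of resources.
UNMANAGED_ALLOWED = {"wiki"}

@dataclass(frozen=True)
class Request:
    user_role: str
    resource: str
    mfa_passed: bool
    device_managed: bool
    device_healthy: bool
    patch_level: Tuple[int, int]
    location: str

def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if not req.mfa_passed:
        return False, "identity not verified (MFA)"
    # Unknown roles fall through to an empty grant set and are denied.
    if req.resource not in ROLE_GRANTS.get(req.user_role, set()):
        return False, "role has no grant for resource"
    if req.location not in ALLOWED_LOCATIONS:
        return False, "location not permitted"
    if not req.device_managed:
        if req.resource in UNMANAGED_ALLOWED:
            return True, "unmanaged device: restricted pathway"
        return False, "unmanaged device"
    if not req.device_healthy:
        return False, "device health check failed"
    if req.patch_level < MIN_PATCH_LEVEL:
        return False, "device patch level too old"
    return True, "all checks passed"

if __name__ == "__main__":
    demo = Request("it-admin", "admin-console", True, True, True, (2023, 12), "US")
    print(evaluate(demo))
```

Returning the reason alongside the decision gives the monitoring pipeline something to log for every denial.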
Training employees to recognize cybersecurity concerns can be taken a step further by teaching them the steps necessary to prevent human errors from causing costly mistakes. Instill a zero trust mentality in your employees, as well as your contractors and consultants, and teach them about cybersecurity best practices. Develop an organization-wide awareness about the seemingly harmless and mostly unintentional ways access to sensitive information is inadvertently granted.
Phishing attacks are designed to be convincing. When it comes down to it, your employees’ training is all that stands between them and the 74% of breaches due to human error. At the company level, it’s important to run data security analytics and real-time monitoring. Automation can inspect, monitor, and log all activities, and immediately send a notification in the event of unusual behavior. In the event of a disaster, a practiced and well-known disaster response plan will inform difficult decisions. Knowing how to respond in the event of an attack is half the battle. Backup architecture is also critical to protect your files should their safety be threatened.
1. Think Like The Enemy
Military OPSEC is a detailed, multifaceted strategy that leaves no stone unturned — because seemingly harmless information in the hands of the enemy can lead to catastrophic outcomes. Think like the enemy and audit your organization with meticulous detail like your safety depends on it.
2. Train Your People
A military unit trains all soldiers on OPSEC, regardless of their rank. The strategy focuses on educating military personnel and their families about seemingly harmless ways they can reveal information about military operations — including social media posts, phone calls in public, and this notable Strava OPSEC fail. Your organization’s cybersecurity is only as strong as your weakest link. Consider all employees and third-party resources as you make your OPSEC plan. Instill an OPSEC mentality to prevent unintentional insider threats.
3. Find Proactive Solutions
Military OPSEC is a proactive approach to security that considers all possible threats, known and unknown. It’s time for private organizations to follow the military’s lead: Use proactive cybersecurity solutions to find suspicious behaviors and potentially dangerous code that’s hiding and waiting to strike.
CodeHunter’s malware hunting solution finds threats that are invisible to existing security solutions and automates the complex and time-consuming malware reverse-engineering process, analyzing threats at the binary code level where malware can’t hide. Security teams get actionable threat intelligence for swift remediation and efficient incident response, minimizing impact.