Here is a simple and unchanging truth: technology alone can’t protect your privacy. Privacy tools are just that, tools. Just as the best tools mean nothing in the hands of someone who does not know how to use them, privacy tools need to be applied through a solid methodology.
That’s where the idea of Operational Security comes into play. It’s an approach to information security that helps us identify which pieces of information are both valuable and at risk. Then it helps you to strategize on the protection of that information. It’s a powerful approach to security that has been used to great effect in, for example, World War II. OpSec has five distinct phases in each cycle of an application. As you’ll see, they are as relevant to your personal privacy as they are to a company or entire nation.
Phase One - What Information is Sensitive?
You can’t protect all your information. Plenty of it has to be shared in order to live or do business. A lot of it just isn’t all that important. No one cares about it and there’s nothing they can really do with it. In order to build effective protection for yourself, you need to focus on the information that really matters.
Think about the types of information that belong to you and what someone who gains access to it could do with it. Things like credit card numbers, scans of your passport and other common confidential information is obviously in need of protection. However, less obvious are items such as bills, bank statements, email correspondence, and photos. To name a few. Carefully think about all your information categories and decide which should be filed under “sensitive”
Phase Two - Threat Assessment
Now you have to take each type of information that you have decided is sensitive and then list the sorts of threats that each one may attract. For example, if your mailbox doesn’t have a lock, you may be at more risk of a random person targeting it. The same goes for your trash. If your trash is not stored in a secure area, someone might go ahead and rifle through it. Do you have sensitive information on a computer connected to your LAN? Someone could access it by hacking your WiFi.
That’s the sort of thinking that has to happen in phase two, where you try to come up with the channels through which someone could access your private, sensitive info. When you have a good idea of which vectors of attack may be used and who the most likely people are to attempt these attacks, you have the basis of a strategy already.
Phase Three - Finding Security Weaknesses
OK, so now you know two things.
You know what information is likely to be targeted thanks to its value and level of sensitivity. You also know who might be interested in getting to that information and what types of attacks they could use to do it.
The next step is to look at the protective measures that are already in place and assess what sort of weaknesses they have. If this is the first cycle of OpSec, then obviously there might be no protections in place at all. Regardless of the status quo, look at your security measures objectively and list the different ways you can think of someone could use to defeat them.
Don’t worry about some of them being far-fetched for now. The idea is to be thorough.
Phase Four - Risk Assessment of Vulnerabilities
Now that you have a comprehensive set of vulnerabilities, you have to assign a risk score to each of them. That is, the better the chances that someone will actually try to attack you using that vulnerability, the higher its risk score.
In cybersecurity, there is a constant stream of new vulnerabilities discovered all the time. The vast majority of these are serious, but also very unlikely to happen. They might only work under very rare circumstances or need the attacker to physically be present. Take into account how hard a specific vulnerability is to exploit and how likely someone is to take that step. The value of the information also plays a role here. If the information you want to protect is very valuable the chances someone will try a long-shot vulnerability goes up.
Phase Five - Countermeasure Design
With all of this information under your belt, the time has come to design the set of countermeasures for each vulnerability. Countermeasures cost time and money to implement, so for the most far-fetched, low-risk vulnerabilities your countermeasure might be nothing at all.
Countermeasures are also not only technological. They can include things like changing the way your work, learning more about spotting things like phishing emails and rethinking where and how you store your data.
Your countermeasures also need to be practical, affordable and effective. It's quite a balancing act, but with each cycle of these five phases, your protection grows more granular and more effective.
OpSec is for Everyone
While OpSec (or progressive security) is an approach usually associated with governments and corporations, this type of security thinking is applicable to almost any situation. As long as you have a valuable asset that needs protecting, OpSec is a practical system to continuously beef up what you have in place.
The best bit is that you can do it all on paper. OpSec costs nothing to plan in theory. So there's no excuse not to try it yourself!