As you take steps to secure your business from cyberattacks and data breaches, you may have wondered how the malicious activity starts. And the truth is that oftentimes it’s remarkably simple and opportunistic.
Cyber criminals use the same information as your customers to understand your company and business practices. This preparation is known as reconnaissance (“recon”), and it resembles the same sort of research and investigative digging that you would expect of a prospective employee before their interview.
What do you do?
Who works for you, and what’s the company culture like?
What are your biggest customers? Competitors? Vendors and technology partners?
Like a burglar who first cases out susceptible neighborhoods, threat actors will profile businesses that would be the easiest to target. They comb through social media, company websites, business reviews, even public records and court filings.
They creatively use the information we make readily available to figure out how to potentially deceive employees, bypass known security safeguards, or exploit IT vulnerabilities.
What is OPSEC and why is it important?
Originally a military term, OPSEC is short for Operational Security. It is a valuable concept that businesses can incorporate into their Security Programs and apply in how they assess the threat facing their organization. For both large enterprises and small businesses alike, effective OPSEC can be summarized in a handful of essentials.
Smart OPSEC practices stem from knowing what can be learned about your organization, resources, and processes through various, unassuming details published in both public and semi-public spaces, such as a private social media account or online communities for registered members.
Following recommended best practices helps in maintaining an awareness of the ways that information disclosures can be leveraged by an adversary for nefarious purposes. It is a key component to protecting your organization.
Security awareness training plays a critical role in effective OPSEC. From names, job titles, and emails in LinkedIn profiles to the anonymous Glassdoor reviews, the people of an organization can disclose treasure troves of useful information to threat actors. This knowledge can then in turn be used against employees through phishing and social engineering campaigns.
Regularly investigating your own company, either yourself or with the support of security professionals, is also a smart way to proactively stay ahead of critical OPSEC breaches. By thinking like a potential attacker and what they would likely want to target within your organization, you can uncover what could be learned about your business. And with this knowledge, you can stay ahead of information leaks and better prepare employees for what intel would-be attackers may try using against them.
Click the links at the top of the page to follow Focivity on Twitter, LinkedIn, and Facebook and let us know what you think!