Getting started with OPSEC
So, you’re a small or medium business with security concerns. How do you get started with OPSEC? What kind of budget do you need? Forget those questions for a minute and think about the following:
- What information would be useful to an attacker? Identify the key, critical information that would allow access to your data either physically or via a network.
- What are the threats? Who would most likely benefit from having access to your data?
- Determine your vulnerabilities. What are your weak spots in terms of information security?
- What is the risk of these vulnerabilities being exploited? Think about reputation, business impact and value.
- What measures need to be taken to reduce these risks?
Only once you have answered these questions in a very real, thorough way can you think about getting started. Why? There is no point getting salesmen in to scare you into spending thousands if the risk of a data breach is minimal in terms of cost. Answering the above questions will allow you to prioritise and cost your OPSEC risks.
Once the above is complete, it’s best to establish a baseline of network security measures. These will allow you to monitor and control access to your data, both over the network and by physical means. Now, we’re well aware of the cost of controlling physical access ‘properly’, i.e. who can access what and when. We know that most SMEs can’t afford a full access control system. We’ll start with the easy stuff:
- Run services that have to face the Internet on non-standard ports
- Change default passwords (PLEASE!!!!)
- Apply updates to your operating systems, applications and routers
- Set up a firewall that logs incoming traffic
- Set up network traffic monitoring
- Add the ability to react to bad network traffic
- Add a web filtering proxy so staff can’t look at ‘bad’ sites
- Try to have functioning, up-to-date antivirus on your servers
- Have a decent anti-spam filter in place
Hang on, that was the easy stuff? If you’re thinking that, we can’t blame you. It depends on a couple of things – your starting point and who you have helping you. What if we told you that you could have all the above without paying a penny in licence costs? That’s right, there are a number of military-grade (in terms of quality and the fact they are used by the military) open source solutions out there that can open the doors to massively improved OPSEC for those with little or no budget. The catch? There isn’t one.
If you need help, contact us.