There are some scary sounding buzzy buzzwords going on here aren’t there? Well this week, we’re demystifying Operational Security, and exploring how we can all have excellent Operational Security From Home. We look at why it is important, and give you simple tips and tricks to sprinkle security best practices into your workflow.
What is Operation Security
First up, let’s define what we mean when we talk about operational security. Like most concepts, it gets easier when we break it down. So operational just means how we operate our business, or how we go about doing the work we do. Think of it as you just doing your work, whatever that happens to be.
You might think the security part is obvious. You’re here on a cyber-security focused cloud blog, and we all know what security means, right? Well probably, yes. Of course we’re talking about your data on computer systems, login accounts and all that good stuff. But we’re also talking about the papers you leave on the kitchen table after you closed your work laptop for the day. We’re talking about where you choose to have the morning stand-up conference call. Security goes much further than just our laptops.
But to put some context around this idea of security being something a consideration for all kinds of business activities, let’s think about why.
What Might a Bad Actor Want?
We have used the term bad-actor before, but as a recap, we’re just talking about someone with malicious intent towards your systems or data. In this setting, the terms really makes sense too. If we have a nosey neighbour listening in to our private work phone call, you can class them as a bad-actor. So you can see, we’re not just talking about bedroom nerds with screens full of gibberish code.
Now we know bad actors could potentially be all over, what kinds of things might they want? Maybe the recipe for the new dish your restaurant is launching next month. Or the source code to the app your business has been crafting for years?
In reality though, a bad actor will take whatever you’ve got.
Information Leakage and Social Engineering
What if you called your local Tesco right now, and asked for today’s sales numbers. You probably wouldn’t get very far would you? But what if you called the cash office directly, you knew the name of the person who would answer the call, and you had all the details of the person who would usually call at this time of day for the numbers. Alright yes, this is almost certainly fed into a central database now, but you get my point. If you have what sounds like inside information, you have already built trust with the person you’re talking to.
I haven’t spoken to ricky from head office before, but he knows all our procedures and told me that Alan, my manager, said I should give him the information before he headed off on holiday to Cyprus yesterday.
So you can see how my knowing that Alan is the cash-office manager at Tesco, and that he went on holiday to Cyprus yesterday, wouldn’t get me the information I want. And knowing the store number, the time they usually do their daily reports, and the name of a few employees doesn’t get me the data either. But you mix all this together, and you suddenly sound legitimate.
Try to apply this to your role. What kinds of information have you mentioned in passing to folks, and how would that sound if they repeated it to other people in your team?
Let’s talk about the simple things we can all do to help slim down the chances of a bad actor being able to get information out of your organisation:
Identify Your Data
- What kinds of data does your business keep?
- Where is it stored?
- Who has access to it?
- How has that changed since working from home started?
Identify Threats to Your Data
- Do you need all the data you keep? Are you aligned with GDPR and the Data Protection Act?
- Do you know exactly who can access the data? Are you confident of that?
- How do you back up the data?
Put your thinking caps on, and start to think about what would happen in the worst case scenario you can think of, and what you might be able to do about it if you knew about that before it happened. Pro-tip, you now know about it before it happened!
I live in the real world, so I know you have your real job to do as well as thinking about security. With that in mind, let’s prioritise where you can get the big wins and cut down on your operational security risks.
Backups are an awesome quick win, and we wrote about them a while ago.
The Home Part of Operational Security From Home
We started off talking about operational security from home, then we’ve wandered into more general terms. Sorry about that, but it’s really good to understand the detail around security, and what we’re trying to protect.
Now we have done that, let’s go back and hit a quick list of easy wins that we can all do from home to keep ourselves and our business’s data that bit more secure:
- Lock your laptop when you leave your work area at home. It’s just a good habit to be in.
- Clear away any paperwork you have at the end of each day.
- If you need to get rid of papers, keep them and use the shredder at work when you go back. Or better still, buy a cross-cut shredder and use it for your letters and such at home too.
- Be mindful of where you are when you take work phone calls.
- If you have a work laptop, try to keep it just for work. This is a good personal boundary to have too, since it saves you replying to that email late at night when you’re supposed to be enjoying the online pub quiz.
And if you have any other burning security concerns or questions, you can always hit us up, and we’ll help you as best we can.