Cybersecurity and information security might be “the buzz” within news headlines these days, but information security is not new.
Securing and protecting information has been going on since, well, information became a thing! At Beryllium, using a military mindset to protect information makes sense. Here’s why.
There are a variety of reasons to protect information, from privacy concerns to competitive advantage in business, all the way up to national security concerns with the latest updates to DFARS compliance.
Just as there are many reasons to protect information, there are also many ways an adversary can gain access to critical information.
Our team is made up of members of both the cybersecurity community and the military. We’d like to share some perspective on what this means from their point of view.
Why do we protect information in the military? At the core, keeping intentions and knowledge from the enemy allows for more effective operations while protecting our own forces from hostile intent.
In business, it is about keeping our competitive advantage gained from our proprietary information and practices. In the military, instead of protecting profit and earnings, you are protecting human life.
Instead of gaining dominance over a segment of the market, you are inflicting damage on the enemy’s military forces, infrastructure, and will to fight.
Have you ever been to a military facility? If not, you can plan on being greeted by armed guards that check your identification and make sure that you are authorized to gain access. They may go even further and check the contents of your vehicle.
Why would an organization have these physical controls, yet leave the computer networks completely open? Because the principle of information security with a military mindset is:
Check access restrictions and deny access to those who do not need it.
The United States, with its market-driven and unplanned economy, depends on privately-owned businesses and corporations to supply the needs of government.
We do not have a centrally planned economy where business competition is artificially depressed.
Nor do we have a government-owned manufacturing arm to develop and build the needed goods for an executive department, such as the Department of Defense (DoD).
In regards to information security and cybersecurity, the recently announced Cybersecurity Maturity Model Certification (CMMC) and updated NIST 800-171 compliance requirements will be the method the DoD will use to assure that companies are complying with the need to secure sensitive data.
We need to keep the DoD’s sensitive information from competing entities such as China and Russia. Their state-directed defense and technology industries create the “chaotic evil” stateless actors such as terrorists or criminal hackers.
Since the Vietnam War, the Department of Defense has used the term Operations Security (OPSEC in DoD Acronym Speak).
It is defined as:
The action of protecting information critical to the current operations of friendly forces while simultaneously denying such information to hostile forces.
Most of the time, this information is unclassified.
However, if your enemy could get enough pieces of unclassified information together and use it against you, it becomes far more critical information.
For example, let’s say your enemy gained access to the date of a unit deployment, that unit’s specialty, and the mode of transportation. They could then plan for that date, understand what attacks and weapons may be used, and what capability that unit has.
Think that will be a successful mission? Not likely.
Unfortunately, such information is often available on social media such as Facebook, LinkedIn, as well as articles in web and print media.
This is where information security with a military mindset comes in handy.
You wouldn’t publicize the problems that your organization was having developing a new product or technology, would you?
With the ease of automated scanning tools, unhardened networks are simply advertising their weaknesses to hackers.
These hackers are business-minded, just like you. Instead of delivering goods and services, however, they rely on network vulnerabilities to steal information and money.
Think about how ransomware works. They (cyber-criminals) shake you down like a virtual mafia organization, promising that if you pay the ransom, everything will be okay.
In the business world, we like to publish our capabilities. This is important to market our products, services, and competencies in order to maintain and grow revenue.
However, for certain projects related to work done with the United States Government, it might be important to consider exactly what message is conveyed.
Sure, the statement “We work with and are trusted by the US Government” can be powerful for marketing. But does it unnecessarily endanger the information that is entrusted to you? Does it put a target on your back?
OPSEC is naturally at odds with PR, but it is not the Department of “No.” There must be a balance between the two.
In the case of sensitive projects, it might be worth it to be a little more tight-lipped than you might normally be.
Another acronym is DIME. It represents the four elements of national power (Diplomacy, Information, Military, Economics).
The United States exerts influence in all these arenas in order to advance its agenda and interests on the international stage.
We are not suggesting that you operate your business as a sovereign nation-state, but we wanted to introduce the concept of information as a use of power.
Control over information is wielding power, whether overt or not. By allowing and denying access, a nation-state or business organization can achieve effects, whether in the power balance between nations, or in the share of market size.
Leaving your information networks unsecured is tantamount to ceding control over information to the competitors.
Operational Risk Management is a well-established business concept that the military has adopted. It simply means that we reduce risk to acceptable levels for operations. Meaning, take no unnecessary risk.
Notice the caveat of unnecessary? The nature of kinetic conflict means that risks are taken with human life every single time the enemy is engaged.
But soldiers wear body armor.
Similarly, connections to outside networks are generally necessary in the business environment.
But, the protections around your network must also be properly configured.
These configurations and best practices are the “body armor” that your business networks use when in the competitive marketplace in the digital age.
Thus, information security with a military mindset.
At Beryllium, we believe that the way forward that gives a business the greatest return on its information security investment is training.
Training your employees is a way to increase their decision-making skills and turn a liability into an asset.
If an employee receives a phishing email, will they take the extra couple of seconds to be critical about the risk of clicking on an attachment or putting in credentials?
And if they’re still not sure, do they know to forward it to your IT Security team? Will they ignore it, thus risking the chance they ignore a real email with critical information?
Training, especially when paired with phishing exercises, can be effective at increasing the Operational Risk Management capabilities of your employees.
It gives employees their own personal risk management engine with which they can critically evaluate the nature of a communication. Training is the “body armor” an organization can provide employees, giving them a critical task in protecting the business.
Have you ever read a news story where the author breathlessly reports about leaked information?
Some knowledge is not meant for everyone. In the military, knowledge is classified based on the damage it could do if released to persons without proper access.
Sometimes a junior Soldier will have access to information that a senior officer may not. Why? Because the junior needs this information to do his or her job.
The senior officer may only need to know parts of the information in order to achieve his or her job function – making the decision.
Similarly, CEOs may not need the same types of access to information that those manipulating the information need in order to achieve their job functions.
And here is where we come to the principle of least privilege. Sure, it may be easier to give everyone access to everything, but do they really need it?
With regards to sensitive projects, a worker should only have access to the information that they need to do their job function, and not a mite more.
This can seem harsh, but it’s not about punishing employees. It’s not even about trust. It’s about limiting liability and risk.
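As an added example (not code from the original post or from Beryllium), here is what the principle of least privilege looks like as a deny-by-default, need-to-know check in Python. The roles, project labels, document names and grants are constructed for illustration. It covers both the earlier rule of denying access to those who do not need it and the junior-versus-senior split described above: an engineer with an explicit grant on a project can read its restricted data, while the executive can read only the internal summary, and anything not explicitly allowed is denied.

```python
"""Deny-by-default, need-to-know access check.

Added example for illustration; not code from the original post or from
Beryllium. Roles, project labels, documents and grants are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    name: str
    project: str          # the sensitive project the document belongs to
    classification: str   # "public", "internal" or "restricted"


@dataclass
class Principal:
    name: str
    role: str
    # Explicit need-to-know grants: the project labels this person works on.
    projects: set = field(default_factory=set)


# Highest classification each role may read at all. A role missing from this
# table has no ceiling and is therefore denied everything (default deny).
ROLE_CEILING = {
    "engineer": {"public", "internal", "restricted"},
    "analyst": {"public", "internal", "restricted"},
    "executive": {"public", "internal"},   # decision-makers get summaries, not raw data
    "marketing": {"public"},
}


def can_read(principal, doc):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    allowed_levels = ROLE_CEILING.get(principal.role, set())
    if doc.classification not in allowed_levels:
        return False, f"role {principal.role!r} is not cleared for {doc.classification!r}"
    # Clearance alone is not enough for restricted material: the reader must
    # also have a need-to-know grant on that specific project.
    if doc.classification == "restricted" and doc.project not in principal.projects:
        return False, f"no need-to-know for project {doc.project!r}"
    return True, "explicit grant"


def audit_line(principal, doc):
    """Produce a one-line audit record; denials are worth logging too."""
    allowed, reason = can_read(principal, doc)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} {principal.name} -> {doc.name} ({reason})"


if __name__ == "__main__":
    # Constructed sample data: one sensitive project, two documents.
    raw_data = Document("alpha-test-results.csv", "project-alpha", "restricted")
    summary = Document("alpha-status-summary.md", "project-alpha", "internal")

    junior_engineer = Principal("jr_engineer", "engineer", {"project-alpha"})
    other_engineer = Principal("eng_beta", "engineer", {"project-beta"})
    ceo = Principal("ceo", "executive")
    visitor = Principal("visitor", "contractor")   # role not in the table

    for person in (junior_engineer, other_engineer, ceo, visitor):
        for doc in (raw_data, summary):
            print(audit_line(person, doc))
```

The two-step check is the point: a role ceiling stops an executive from reading raw restricted data even though they outrank the engineer, and the per-project grant stops an equally cleared engineer on a different project from reading it. Running the module prints an audit line for every decision, so denials show up in the log rather than silently failing.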
People are naturally curious and want to learn new things, but like the Garden of Eden, sometimes temptation should be avoided.
The military has long been concerned with how information can shape and help to win in international conflicts and has developed practices to ensure it has a superior footing.
As a businessperson, you can use these concepts to achieve a higher readiness posture of information and cybersecurity.
By protecting your information, you secure your profits and ensure that you remain open for business.
Other countries do not have such a split between private and public entities and are engaged in rampant state-sponsored corporate espionage.
You lock your house against those you don’t want stealing your possessions, right? You must also do this with your business’s information assets.
If you’re doing work with the DoD, it will help to have a common language when talking about the threats that face your business. Work with experts like Beryllium who understand those threats, and what to do in order to prevent them.
We look at information security with a military mindset for a reason.
The security of our nation demands that businesses (big and small) take these threats seriously as well.
Check your “doors” and “windows”, otherwise you may come home to an empty house.