We Cannot Forget the Importance of Operational Security

When information can be shared instantly with the push of a button, a click on the keyboard, or in casual conversation, it’s easy to forget the importance of maintaining operational security for an EP assignment. Often, critical data is transmitted and shared throughout the assignment. Sometimes seemingly innocent factors such as particular Internet connections and casual conversation can be a hindrance and even, potentially, a direct threat.

The five steps of operational security include determining the scope of critical information, developing threats, identifying weaknesses, calculating risks and ultimately implementing countermeasures. As professionals, when we address each of these areas there are multiple opportunities to make a mistake and reveal something that could be detrimental to the integrity of the assignment.

Critical Information

After handling many operations, we must remember that the information we request initially (the who, what, when, where, and how of the assignment) is basic to our preparation and often the most vulnerable element. We are given a significant amount of detail regarding our principal’s movement and itinerary that must be handled prudently. As we come in contact with people during the advance, we must decide what pieces of information we are able to parcel out to them based on our need for their support and, conversely, what pieces of information we must keep close to the vest. This first step is identifying what type of information is critical. Examples include:

  • The name of the principal.
  • The schedule of events.
  • The method of travel and movement.
  • Residential, lodging and transportation details.
  • Just the fact that security is present (which often provokes interest where none may normally have been shown).

Not everyone that we come in contact with during the advance should be privy to these details and in fact, if they don’t already know a piece of information, we should be very cautious about giving it to them. For example, a hotel manager may be aware of our principal’s name and room number, but not any elements of the itinerary during the stay. It’s sometimes easy to assume that since they are aware of one piece of information, it’s okay to reveal additional pieces of information. We should be very cautious of casual conversation that could potentially lead to areas for compromise. A difficult choice of balance may occur when we have a recognized principal attending an event where we need to have special considerations made for entry/exit, movement and seating. As much as we may be hesitant to reveal who our client is, we must weigh that against our ability to garner assistance from, for example, an event staff manager or security manager. When choosing to provide the identity of the client to these individuals, we must also factor in the timing of revealing that information. Giving it to them a week prior opens the possibility of a greater risk than were we to reveal it just an hour or two before the event.

With regard to identifying the presence of security, this can play an important role. If the principal is not recognized by name and/or previously associated with a known security team, it’s often best to downplay our role to those with whom we come in contact. If we tell outside individuals that we are protective agents, this can sometimes cause more interest than if we were to just say we are providing security assistance or transportation assistance. The choice of wording and the approach should be made with discretion.

Threats, Weaknesses and Risks

We should keep in mind that threats may come from those who may be monitoring what we are doing and who are looking for patterns. It’s important to remember that repetition, such as doing things the same way or traveling the same routes, could put the assignment at risk. If you decide to review open source information regarding your principal (to stay on top of what may be reported about them through the Internet and the media), just keep in mind that those wishing to do harm also have access to that same open source information. Your principal’s company may have a media or public relations department that, through press releases and other marketing, may inadvertently reveal details affecting operational security.

An often-overlooked consideration is utilizing Internet connections that are unsecured and notoriously vulnerable to compromise. The next time you decide to connect to the free Internet provided at a coffee shop, you should think twice about doing so.

For its 2017 Mobile Security Report, iPass surveyed over 500 CIOs and IT decision-makers, with results that were not terribly surprising. In the report, 78% of those surveyed indicated that coffee shops were in the top three most dangerous places to have access compromised. Accordingly, “C-Suite” executives were deemed most vulnerable. The US companies surveyed ranked unsecured networks highest in their “degree of concerns”, yet still acknowledged allowing public WiFi and MiFi use. Sadly, only 36% of the US companies took measures to ban employee use of these hotspots all the time. Even more concerning is that often security practitioners are not required in any way to adhere to these policies.

It’s very important to consider alternatives such as using your own cell phone’s data plan or bringing along a separate secured connection that you can use.

Countermeasures

As you make efforts to arrange elements of the logistics for the coverage of your principal, you should decide where your potential weak points are and review the dissemination of information accordingly. It’s best to develop information about who has already been provided details of your client’s arrival and what type of details they were given. As sometimes this prior dissemination is out of your control, it’s important to decide what steps you must take after the information is already out. If the principal is recognized and giving an announced presentation, it’s very hard to control information in that regard. Similarly, if they are booked into a hotel, then the registration, bell and cleaning staff may also be aware of their presence. Although there may not be much that you can do at this point, you at least have some other times in between where your itinerary and movements may only be known to you. For example, if your client was planning on going to a particular restaurant or attending a particular event, your advance may require contact with staff at these locations. I have found that doing additional advance work for other locations (even if they weren’t going there) would add a measure of security. If information were somehow revealed to a potential threat, and to their knowledge there were multiple options for dining, it would make it more difficult for them to pinpoint an exact location at a specific time.

It would not be unusual to throw out a “red herring” even to event staff, other locations’ security and those outside of the protective team so as to keep critical information from being passed along by these people. By keeping the details vague and indicating that sometimes “the client changes their mind” about things at the last minute, it allows you to have the flexibility of not being pinned down at a specific location at a specific time – despite the fact that you might already know that you are. The irony is that oftentimes your client will make last-minute changes anyway.

Although it’s debatable whether one should be entirely truthful with hotel or event security, just keep in mind that whatever you provide them loses its security integrity as soon as they know. It is not without reason to assume that a hotel security manager would almost immediately share confidential details with his or her staff the moment you walk out of their office. Overall, this is not meant to be a comprehensive review of operational security, but just a reminder to keep it at the forefront of your thinking and planning for each and every assignment.

Steve Ketter
I am a Corporate Risk and Investigations professional with 28 years of experience. I've handled assignments in nearly every state in the US and have worked a myriad of projects for Fortune 100 companies, the Department of Veterans Affairs and the US Department of Justice. My experience is primarily in Executive Protection, Corporate Threat Management and Complex Investigations. Contact: Steve@PremierRiskSolutions.com