HomeNews & FeaturesFeature StoriesArticle View
NEWS | Oct. 20, 2015

In Discussion with Shirley Brown, Chief of the Counterintelligence Awareness and OPSEC Division

From an OPSEC perspective, how do you approach protecting NSA, which protects national security networks?

First, let me define the term operations security or OPSEC. OPSEC is the protection of unclassified but critical information, such as personally identifiable information of employees. Major focus areas for us include containing OPSEC vulnerabilities and managing the large amount of information that ends up on the open Internet. This information can reveal critical information about the Agency, such as our operating status, location of sites, and mission areas of current interest. The Associate Directorate for Security and Counterintelligence (ADS&CI), where I work, is responsible for administering the NSA/CSS OPSEC Program, and developing uniform implementation procedures and guidelines that can be applied across all NSA/CSS organizations and field sites.

What kind of protections can individuals take at home to stay safe while connected?

Regardless of your location, those who seek to harm you can easily search for details about you that will help them implement their bad acts. It is imperative that you make OPSEC part of your daily routine, both at work and in your personal life. You should carefully review your online social media accounts for information that might attract the attention of criminals or other nefarious actors, such as information pertaining to your job, your travel plans, and personally identifiable information (PII). In addition, use a unique, strong password, and set your privacy settings to limit what information you share publicly.

Where can individuals go for support and resources when something happens to their information online?

If you believe your PII has been compromised online, you should: request that each of the three major credit bureaus issue a fraud alert and attach a statement to your credit report; review your credit reports for fraudulent accounts or inquiries and report any suspicious information or activity to the credit bureau that issued the credit report; fill out an identity theft victim's complaint and affidavit; and monitor your social networking sites. If you believe someone is using your lost or stolen information to impersonate you, report your suspicion to the company involved and to the appropriate law enforcement agency.

Additionally, be aware of those to whom your personal financial information is sent and how they are using that information. Don't disclose personal information over the phone, through the mail, or over the Internet unless you initiated the contact or know exactly with whom you are dealing. If a company sends you an email asking you to verify your account information or to provide personal information, don't click on links in the email as this could be a phishing attempt. Instead, contact the company through their customer service department, either via the company's verified website or the customer service phone number provided on your account statement, to verify the validity of the request.

In the age of social media, how can we strike a balance between being socially connected and being too flippant with our personal information?

While many of us depend on social media, its use comes with risks. The best way to strike a balance between being socially connected and being too flippant with your personal information is to remember that adversaries can use social media to collect information about you and use it for nefarious purposes. Remember that social media sites often default their security settings to "public." Routinely check your security settings to ensure that you share information only with the people with whom you want to share it. Don't treat all of your "friends" equally, and make sure to group them and control their access permissions based on the groups. Finally, while this may seem like common sense, don't post information that you don't want the public to know, such as your house address. It's practically impossible to guarantee things you post won't be seen by people other than your friends. If you don't want it to be publicly available, don't post it.

Is it possible to use social media safely?

While it is likely impossible to use social media completely safely and securely, it can be used prudently. By minimizing the amount of personal information that is shared on social media, you can make it harder for the bad actors to collect information about you. Again, it is imperative that you stay vigilant and secure your data!