The term “force protection” entered the American military vernacular in the late 70’s and 80’s in response to several events. One of the key drivers, though not the only driver, was the activities of the Red Army Faction or “Baader Meinhof Group”. This group was responsible for several bombings, assassinations, & kidnappings over three decades. As US bases and US military personnel were frequently the targets of these attacks (as well as attacks from other groups), the need to develop specific plans to protect ‘the rear’ began to be articulated. In effect, ‘the rear’ was no longer the rear.
Military organizations have always been aware of the concept of ‘protecting the rear’ or ‘covering your flank.’ However, the asymmetric, unpredictable aspects of these attacks put the military in the position of having to explicitly define a process for protection of assets that were not traditionally in harm’s way. Further, by naming and mandating the process, it was clear that some percentage of resources originally intended for forward operations would need to be diverted to support force protection. This was a shift in thinking.
I believe a similar thing could be occurring with managing information risk and security in small to medium-sized businesses (SMB’s). Relatively suddenly, these businesses are finding themselves in hostile territory and if they want to stay in business, then they must dedicate some operational resources — whether marketing, production, R&D, revenue, etc — to support these protective and risk-lowering activities.
Early Marine Corps doctrine on force protection
I found a Marine Corps publication, “AntiTerrorism/Force Protection Campaign Plan” from 1998 that presents some operational concepts that could be helpful analogies to the issue of information risk and security for SMB’s.
The publication provides some definition of force protection:
In its purest sense, force protection is an overarching concept. It includes those procedural, training, equipment and leadership principles necessary to ensure … safety and well-being … In essence, force protection is an inherent function of [leadership] and as such should be an integral part of the way we do business on a daily basis.
Similarity in threat analysis
It goes on to describe analysis of the threat as considering a stool with three legs — Does the enemy have
- motivation
- means
- opportunity
We can apply similar analysis to SMB information risk.
- Does ‘the enemy’ (criminals or nation-state actors) have motivation to attack or compromise an SMB’s information assets? Yes, certainly. A successful attack provides, 1) potential revenue, 2) an attack point for attacks on other, possibly larger, more lucrative businesses
- Do they have the means? Yes. They have readily available computers, pre-built networks for attacks, often anonymity, and sometimes protection from their parent state (country)
- Do they have the opportunity? Yes. There are many poorly protected and non-resilient SMB computer networks available for attack.
Marine Corps operational doctrine on force protection (from 1998) |
Potential analogies in SMB information risk management |
“Force protection is an operational aspect of every mission …” |
For example, resources are shifted away from marketing, R&D, production, etc to support SMB’s information infrastructure |
Work to “eliminate the belief [by the enemy] that opportunity [for attack] exists” |
Employ basic measures such as anti-virus, firewalls, managed/standardized computers, and awareness education to create an unappealing risk/value proposition for potential attackers |
“The value of alarms and drills…[Leaders] at every level should develop recognizable alarms for potential emergencies and critical incidents.” |
Rehearse disaster recovery and business continuity plans. Practice activities such as data recovery tests. |
The US military found itself in a position of having to develop and evolve a practice to address a fairly sudden new threat that was also evolving, as well as unconventional, and unpredictable. Similarly, to remain relevant and to maximize their respective opportunities for success, I believe that SMB’s need to, in some manner, introduce information risk and security management into their daily activities as well.
Do you think there is currently motivation, means, and opportunity to attack your business?