OPSEC and Business Continuity

Operational Security (OPSEC) is the first consideration when preparing for adverse conditions.

In Canada, I always advise clients to read the Emergencies Act (R.S.C., 1985, c. 22 (4th Supp.)), Section 8  carefully before they take any action or commit to any preparations. The same applies to any individual preparations. Section 8 (1)(c) allows public officials carte blanche to loot your storehouse of supplies during a declared emergency. The provinces have similar legislation, for example, in Ontario it is the Emergency Management and Civil Protection Act, R.S.O. 1990, c.E.9. Politicians wrote all of these acts so that the government can always find a ‘legal’ way to do whatever it wants to do. This problem isn’t unique to Canada. During Hurricane Sandy, so called ‘First responders’ broke into Shore Army-Navy in Seaside Heights and looted it for supplies. During Hurricane Katrina, officials in New Orleans went further, and according to many accounts, committed armed robbery. In the face of armed troops or police, you will be helpless to prevent such looting. Of course, when government is the looter, they get a free pass from government lawyers and politicians.

Undertaking business continuity planning requires a very high degree of OPSEC given the propensity of governments, rioters, and criminals to take what they want. This leads to the question, what are the OPSEC requirements of business continuity planning?

I always advise that all business continuity (BC) assets be separated geographically, and in other ways, from the business they serve. Transfer ownership of BC assets to  obscure sole-purpose subsidiaries. For example, one entity owns the BC site while another buys the supplies and equipment. Yet another entity takes delivery of the supplies at an unrelated location. Execute all the BC planning and implementation on a strict need-to-know basis. The quick dissemination of the BC plan during an emergency must occur on a need-to-know basis. The employees only get the information they need to accomplish their part of the plan. Large-scale rehearsals should not reveal the actual location of the real BC site. To reveal the location of the BC site to all those involved in the rehearsal invites the looting of the site long before it is needed. Experience dictates the use a rented property in the general area of the real BC site for rehearsals.

These considerations are not irrational paranoia for any business located in an area subject to catastrophic disruptions such as riots, protests, natural disasters, or terrorist attack. Discontinuing business activity during such an upheaval is surrendering to these adverse forces.