OPSEC basics for small businesses and solo operators

Practical operational-security habits that reduce risk without requiring an enterprise budget or security team.

Operational security — OPSEC — is the discipline of protecting information that could be used against you. For small businesses and solo operators, it usually means managing credentials, devices, communications, and public information so attackers have fewer ways in.

1. Separate work and personal accounts

Use distinct email addresses, browsers, and password managers for business and personal life. If one account is compromised, the blast radius stays smaller. A password manager is non-negotiable.

2. Enable multi-factor authentication everywhere

Passwords alone are not enough. Use an authenticator app or hardware security key for:

  • Email
  • Banking and payment processors
  • Domain registrars and DNS hosts
  • Cloud services and SaaS tools
  • Social-media accounts tied to your brand

Avoid SMS-based MFA when possible; it is vulnerable to SIM swapping.

3. Know what you are exposing

Search your business name, domain, key employee names, and common usernames. Look at:

  • Company website metadata and team pages
  • LinkedIn and other professional profiles
  • Public records and business filings
  • Customer testimonials that reveal internal tools or processes
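As an added example (not part of the original guide), here is a small Python script that audits a saved copy of one of your own web pages for the kinds of details listed above: author and generator meta tags, developer comments left in the HTML, and e-mail addresses. The page it scans is constructed sample data, and the set of meta tag names it watches is an assumption about what commonly leaks; extend it for your own site.

```python
"""Audit what one of your own web pages gives away.

Added example, not from the original guide. Scans HTML for details that feed
phishing and pretexting: author/generator/copyright meta tags, HTML comments,
mailto links and e-mail addresses in page text. SAMPLE_PAGE is constructed
sample data; in practice save your own pages (e.g. with curl) and scan each file.
"""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Meta tag names assumed to leak tooling or people ("generator" reveals the CMS).
WATCHED_META = {"author", "generator", "copyright"}


class ExposureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() in WATCHED_META and a.get("content"):
            self.findings.append(f"meta {a['name'].lower()}: {a['content']}")
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.findings.append(f"mailto link: {a['href'][7:]}")

    def handle_comment(self, data):
        # HTML comments often carry developer notes, internal hostnames or TODOs.
        if data.strip():
            self.findings.append(f"html comment: {data.strip()}")

    def handle_data(self, data):
        self._text.append(data)

    def finish(self):
        text = " ".join(self._text)
        for email in sorted(set(EMAIL_RE.findall(text))):
            self.findings.append(f"email in text: {email}")
        return self.findings


def scan_html(html: str) -> list:
    """Return one finding string per exposed detail found in the HTML."""
    s = ExposureScanner()
    s.feed(html)
    s.close()
    return s.finish()


# Constructed sample page (example.com is a reserved, non-routable name).
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="ExampleCMS 4.2">
<meta name="author" content="Jane Doe">
<!-- TODO: move staging.internal.example before launch -->
</head><body>
<h2>Our team</h2>
<p>Jane Doe, Finance Lead - <a href="mailto:jane@example.com">jane@example.com</a></p>
<p>Support: helpdesk@example.com</p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print("EXPOSED", finding)
```

Run it against every public page, not just the home page; team and "about" pages and old blog posts are where names, titles and tooling usually surface.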

Attackers use this information to craft convincing phishing and pretexting attempts.

4. Secure your domain

Your domain is a high-value target. Protect it with:

  • Registrar lock
  • MFA on the registrar account
  • DNSSEC, if supported
  • Limited access to DNS management
  • Monitoring for unauthorized changes
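The last item, monitoring for unauthorized changes, is the one most small operators skip. As an added example (not code from the original guide), here is a Python script that diffs the live NS, MX, A and TXT records of a domain against a saved baseline and reports every addition or removal. It assumes you re-resolve the records periodically with `dig +short <name> <type>` and feed that output in; the baseline and the dig output below are constructed sample data so the script runs offline.

```python
"""Detect unauthorized DNS changes by diffing live records against a baseline.

Added example, not from the original guide. Assumes a saved baseline of the
record sets you expect and periodic re-resolution with `dig +short`. All data
below is constructed sample data for a hypothetical domain.
"""

# Record types worth watching: a change to any of these can redirect mail,
# web traffic or validation tokens (TXT) to a host you do not control.
WATCHED_TYPES = ("NS", "MX", "A", "TXT")

# Constructed baseline (example.com and 192.0.2.0/24 are reserved for documentation).
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example.com."},
    "A": {"192.0.2.10"},
    "TXT": {'"v=spf1 include:_spf.example.net -all"'},
}


def parse_dig_short(output: str) -> set:
    """Turn `dig +short` output (one record per line) into a set of record strings."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def diff_records(baseline: dict, observed: dict) -> list:
    """Return one finding per unexpected addition or removal, per record type."""
    findings = []
    for rtype in WATCHED_TYPES:
        expected = set(baseline.get(rtype, set()))
        seen = set(observed.get(rtype, set()))
        for rec in sorted(seen - expected):
            findings.append(f"{rtype}: unexpected record added: {rec}")
        for rec in sorted(expected - seen):
            findings.append(f"{rtype}: expected record missing: {rec}")
    return findings


def check_domain(baseline: dict, dig_outputs: dict) -> list:
    """dig_outputs maps record type -> raw `dig +short` text for that type."""
    observed = {rtype: parse_dig_short(text) for rtype, text in dig_outputs.items()}
    return diff_records(baseline, observed)


if __name__ == "__main__":
    # Constructed sample: the MX record has been swapped and an extra NS appeared,
    # which is what a registrar or DNS-panel account takeover typically looks like.
    sample = {
        "NS": "ns1.example-dns.net.\nns2.example-dns.net.\nns.unexpected.example.\n",
        "MX": "10 mail.unexpected.example.\n",
        "A": "192.0.2.10\n",
        "TXT": '"v=spf1 include:_spf.example.net -all"\n',
    }
    for finding in check_domain(BASELINE, sample):
        print("ALERT", finding)
```

Run it from a scheduled job and treat any finding as an incident until you can tie it to a change you made yourself; update the baseline only after a deliberate change.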

5. Be careful with collaboration tools

Slack, Teams, Discord, and similar platforms are common targets. Configure them to:

  • Require MFA
  • Limit guest access
  • Disable automatic file downloads
  • Review public or discoverable channels
  • Avoid sharing secrets in chat

6. Plan for compromise before it happens

Have a short incident checklist ready:

  1. Contain: disable compromised accounts, revoke sessions, change passwords.
  2. Preserve: take screenshots and save logs before they rotate.
  3. Assess: determine what data or systems were involved.
  4. Notify: inform affected parties according to your legal obligations.
  5. Recover: restore from known-good backups, reset credentials, close gaps.
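Step 2, preserving logs before they rotate, is easy to do badly under pressure. As an added example (not part of the original checklist), here is a Python script that copies the log files you name into a timestamped evidence directory, records each copy's size, original modification time and SHA-256 in a manifest, and can later re-verify the copies. The paths in SOURCES are constructed placeholders; replace them with the log locations on your own systems.

```python
"""Preserve logs and evidence before they rotate (checklist step 2, "Preserve").

Added example, not part of the original checklist. SOURCES holds constructed
placeholder paths; adjust for your systems. Files that do not exist are
recorded as skipped rather than aborting the collection.
"""
import hashlib
import json
import os
import shutil
import time

# Constructed placeholder paths; replace with your real log locations.
SOURCES = ["/var/log/auth.log", "/var/log/syslog"]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_root: str) -> dict:
    """Copy each readable source into evidence_root/<timestamp>/ and return the manifest."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest_dir = os.path.join(evidence_root, stamp)
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {"collected_utc": stamp, "files": [], "skipped": []}
    for src in sources:
        if not os.path.isfile(src):
            manifest["skipped"].append({"path": src, "reason": "not found or not a file"})
            continue
        # Flatten the full path into the copy name so /a/x.log and /b/x.log do not collide.
        dest = os.path.join(dest_dir, src.strip("/").replace("/", "_"))
        shutil.copy2(src, dest)  # copy2 keeps the original mtime, useful for timelines
        manifest["files"].append({
            "source": src,
            "copy": dest,
            "size": os.path.getsize(dest),
            "sha256": sha256_file(dest),
            "source_mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                              time.gmtime(os.path.getmtime(src))),
        })
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    # Hash of the manifest itself, to be stored somewhere the evidence copy cannot reach.
    manifest["manifest_sha256"] = sha256_file(manifest_path)
    return manifest


def verify(manifest: dict) -> list:
    """Re-hash every copy and return the paths of any that no longer match."""
    return [e["copy"] for e in manifest["files"] if sha256_file(e["copy"]) != e["sha256"]]


if __name__ == "__main__":
    result = preserve(SOURCES, "./evidence")
    print(json.dumps(result, indent=2))
```

Write the manifest hash down somewhere outside the machine being investigated (a ticket, a notebook, a message to yourself) so you can later show the copies are the ones taken at the time.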

OPSEC note: Good OPSEC is mostly boring habits, not expensive tools. The biggest returns come from password hygiene, MFA, and knowing what information you expose to the public.

Start with one change

If this list feels overwhelming, pick one item and implement it this week. Security is a process, not a purchase.