Close protection operatives (CPOs) have all come across the acronyms PERSEC (Personal Security), OPSEC (Operational Security), and COMSEC (Communications Security). But all too often, operatives fall foul of the exact reasoning behind the requirements of PERSEC, OPSEC, and COMSEC.
Operational Security and Close Protection
Many operatives will adhere to any OPSEC requirements because the assigned task or client has a non-disclosure agreement (NDA) and a confidentiality agreement in place. These agreements bar staff members from discussing the client’s personal circumstances, associates and private life. A CPO failing to comply with OPSEC when on task is usually swiftly dismissed. Breaching OPSEC may lead to the operative being labelled as a liability towards a task or a principal.
What is Operational Security (OPSEC)?
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary… Wikipedia.
OPSEC will cover such details as, but not limited to, principal movements, timings or locations. Revealing such confidential information is detrimental to the safety and security of a principal. Giving away or innocently letting information slip out ultimately risks details finding their way into the wrong hands. Leaks can subsequently aid potential adversaries to formulate a plan of attack. Such an attack could range from verbal, physical, cyber or robbery up to a kidnap or assassination attempt. Any information leaked regarding a task or principal can and will be used against them.
Common Personal Security Failings
Personal security (PERSEC) is an elementary criterion of the CP job role. However, PERSEC is sadly often overlooked or not even considered, even when the CPO knows better. How many operatives can genuinely claim that they take a different route to work each day or vary their departure times? Do they do the same once they arrive at the principal’s residence, coming from different directions or using different transport modes? Variation of arrival direction and times is a fundamental factor in maintaining PERSEC, making it more difficult for anyone to carry out hostile surveillance on the CPO or their principal.
Watching arrivals and departures from a principal’s residence allows those intending to cause harm or harassment to create a picture of the security team’s size, strength, rotations, and timings. A principal may live on the most secure street in the city with unlimited resources. Still, security is only as strong as the weakest link. It is often down to operatives not carrying out their own basic PERSEC procedures and being blasé about the threat and risks.
Another example of weak PERSEC we see all too often is that of a complacent residential security operative or residential security team (RST). Confident that the property is secure and that shift handovers and patrols are being carried out at random times, operatives settle in comfortably for their long twelve-hour shift. All the planning and procedures are then compromised by someone’s takeaway food order being delivered at 21.00hrs on the dot every night. That operative may believe ordering takeaways from different sources is sufficient. However, they have set a routine which an adversary observing the property for all deliveries, the delivery times, and procedures, etc. could compromise.
Only a basic understanding of surveillance is required to obtain the UK Security Industry Authority (SIA) close protection licence. Many courses do not spend enough time on teaching students the knowledge necessary to enable them to carry out anti-surveillance drills correctly. Such exercises are essential for a CPO to detect if they are being surveilled.
Close protection operatives should be carrying out anti-surveillance drills every day of their life on and off duty so that it becomes second nature.
Personal Security and Social Media
Social media use by both principals and close protection operatives is often the most significant clear and present danger to PERSEC.
Social media is a big part of people’s lives. People may earn a living from various forms of social media. Many principals require social media to remain in the public gaze, but close protection operatives do not and should not!
All too often, CPOs post images of themselves next to the principal’s private jet, their homes, or luxury cars. Worse still, some post the actual location where they are. They may not post images or mention their principal by name. Still, the public information helps build a picture for those looking to harm the principal or CPO. Those who post photos forget that metadata within digital images can pinpoint where and when the picture was taken, and even the type of device used and its settings.
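As an added example (not part of the original article), the following pre-posting check walks a JPEG's segments, reports which identifying Exif tags are present, and returns a copy with the metadata segment removed. The function names are hypothetical and the sample image is a constructed skeleton with an empty GPS block, not a real photo.

```python
import struct

# IFD0 tags worth flagging before a photo is shared (standard Exif/TIFF tag numbers).
SENSITIVE = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8769: "ExifIFD", 0x8825: "GPSInfo"}

def exif_findings(tiff: bytes) -> list:
    """Return names of sensitive tags present in IFD0 of a TIFF/Exif blob."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        return []
    (count,) = struct.unpack_from(endian + "H", tiff, ifd0)
    found = []
    for i in range(count):
        (tag,) = struct.unpack_from(endian + "H", tiff, ifd0 + 2 + 12 * i)
        if tag in SENSITIVE:
            found.append(SENSITIVE[tag])
    return found

def audit_and_strip(jpeg: bytes):
    """Walk JPEG segments; report Exif findings and return a copy without APP1."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, findings, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:            # start of scan: image data follows, copy the rest
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos:pos + 2 + length]
        if marker == 0xE1:            # APP1 carries Exif (and XMP): audit, then drop
            if segment[4:10] == b"Exif\x00\x00":
                findings += exif_findings(segment[10:])
        else:
            out += segment
        pos += 2 + length
    out += jpeg[pos:]
    return findings, bytes(out)

# Constructed sample: a JPEG skeleton whose Exif block has Make and a GPS pointer.
_ifd = struct.pack("<H", 2) \
     + struct.pack("<HHI4s", 0x010F, 2, 4, b"Cam\x00") \
     + struct.pack("<HHII", 0x8825, 4, 1, 38) + struct.pack("<I", 0)
_tiff = b"II*\x00" + struct.pack("<I", 8) + _ifd + struct.pack("<HI", 0, 0)
_app1 = b"Exif\x00\x00" + _tiff
SAMPLE = (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(_app1) + 2) + _app1
          + b"\xff\xda\x00\x02" + b"\x11\x22" + b"\xff\xd9")
if __name__ == "__main__": print(audit_and_strip(SAMPLE)[0])
```

Running the audit a second time on the returned bytes should report nothing; any remaining finding means the file still carries metadata.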
Just having a social media presence makes an operative more recognisable. Being publicly recognisable is not a positive achievement for a CPO. Suppose an unrecognisable business executive employs a recognisable CPO. In that case, they will highlight that they are someone of interest and most likely of high value.
Many operatives fail to believe that they could be a target or person of interest and that their information can be obtained and used against their principal. Many egotistical security company directors also fall foul of the above by posting their location and pictures, especially in luxury locations, and boasting about their clients as some sort of badge of honour.
Imagine if a client has, over the years, used many different companies and operatives, as is often the case. By posting something linking themselves to a principal, a CPO or CP company shows any previously disgruntled ex-employees where to find their former employer/principal.
Social media anonymity: should you be concerned about your social media security? The answer is a resounding yes. Social media platforms such as Facebook make their money by harvesting personal data and online activity, then using it to target marketing. History shows that this personal data is available to third parties and possibly even questionable entities.
LinkedIn is another platform that many security companies and operatives are now using. LinkedIn is a platform for ‘business and networking’. However, too many operatives and security companies use it as a bragging platform. Security companies and individuals should promote their business but not by using images of their principal’s cars, yachts, or private jets!
Linking pictures and timelines enables adversaries to build an accurate picture of where you are and when you are or were there, especially if you are posting in real-time. To reiterate, this helps to build a bigger picture. Open-source information can be used in a negative way against CPOs or their principals.
Anyone using Facebook or LinkedIn needs to ensure they adjust their security settings to limit who can and cannot see certain information and posts. Social media users should scrutinise their contact lists and remove anyone who should not have access to their social media. Keep your personal life private and out of the public domain. When working as a CPO, private lifestyle or family images can and will be used against you. Generally speaking, keep Facebook for family and close friends. Use LinkedIn for colleagues and your wider work-related network.
CPOs are supposed to be the grey men/women, not in it for the glory of stardom. Some CPOs are naturally protective and security-aware. The role is very natural to them. These operatives often put their principals before their own families at home. The unfortunate reality is that social media has also created “celebrity bodyguards”. Rather than being bodyguards for celebrities, these are bodyguards who think they are celebrities! For the sake of their own lives and their principal’s, bodyguards should not want to become celebrities by choice.
Communications and Personal Security – COMSEC
Communications Security (COMSEC) can be defined as all measures taken to secure and prevent unauthorised access to information that is transmitted, transferred, or communicated.
As mentioned above, most close protection companies will insist on security operatives signing NDAs and confidentiality agreements. But what about the methods of communication between management, principals, and the operatives? No one should send vital or personal data via any means of communication that is not encrypted and secure.
WhatsApp is an encrypted means of communication that uses Wi-Fi and mobile connections to enable users to send messages across the globe without incurring costs. Although there are currently more than 2 billion WhatsApp users, debates can be had over the platform’s integrity and security. After all, it is owned by Facebook. Other encrypted messaging platforms are available, such as Telegram and Signal, and all claim to be more secure than the next. Encrypted or not, there are still steps to be taken to ensure COMSEC and PERSEC:
- consider whether or not the information needs to be shared with everyone on a group chat;
- remove your profile picture – do not give your adversaries an easy head start of what the CP team members look like if they manage to intercept your communications;
- remove team members that have been removed or left the task from the group chat immediately;
- periodically close the group chat and delete it, starting up a new one.
So, if there are pitfalls in messaging apps, should we send all our private and vital information via email? Well, consider that Google scans every email that you send and receive, Office 365 scans everything that you write and Dropbox opens everything that you upload! Everything these days is monetised by targeted advertising, especially “free” email accounts. Users of technology nonchalantly agree to lengthy terms and conditions. These terms and conditions are regularly updated. Cynics would argue that we give away more of our freedoms with each and every software update.
Professionals should consider using ‘zero knowledge’ based email platforms such as ProtonMail, Tutanota, or SpiderOak. All these systems claim that it is mathematically almost impossible to decrypt your emails in a timely fashion using existing technology without the necessary key. ProtonMail, for example, uses Pretty Good Privacy (PGP). PGP is a cryptographic method of sending encrypted messages that only the recipient can read. The message is sent over the internet unreadable until it reaches the chosen recipient.
As another level of protection, security teams should consider using Virtual Private Networks (VPNs). Using a VPN gives an additional level of online privacy and anonymity. Protection is achieved by creating a private network from public internet connections, securing the online traffic between your computer and servers. Your Internet Protocol (IP) address is also masked, hiding your location and online actions and making them virtually untraceable.
Most of us who use smartphones will have downloaded apps for various reasons, but do you check the app permissions before downloading a new app? Many apps will ask for access to your microphone, camera, images, and text messages, and, worse still, your location. Check whether the access requests are required and if not, switch them off, and delete the app if you do not use it.
The only way we can remain completely anonymous online is by not going online at all. But that is unrealistic in this day and age. So, although we cannot be 100% secure, security-aware operatives can always do more to protect themselves and their principal.
Personal Security Services
Westminster Security provides professional personal security protection services in London, the UK and worldwide.