This directive, issued as the Removal of Direction Signs Order, 1940, instructed local highway authorities, county councils, and police forces to begin work immediately. The operation targeted not only road signposts, but also milestones, often buried or partly obscured, and railway-station direction boards.
The reason: in 1940, just as the Dunkirk evacuation was under way, Britain faced the imminent threat of a German invasion (Operation Sea Lion). This measure formed part of a wider defensive strategy anticipating that possibility.
The goal was simple yet strategic: to disorient any invading forces and deny them access to navigational aids, turning Britain’s familiar roads and towns into a confusing, landmarkless maze.
Relevance Today
What happens on the strategic level is often mirrored on the tactical one. Sometimes, the smallest, most ordinary things can prove critical, like road signs.
The UK once removed physical way-finding signs to slow a potential invader, a silent war fought with absence and omission. Today, our “signposts” are mostly digital, shared voluntarily through social media, apps, and online platforms. In the language of Operational Security (OPSEC), managing what you publish, and when, is a first-line defensive measure, protecting critical information from those who might exploit it.
We’ve seen in today’s wars that GPS systems can be jammed or manipulated to give false or mixed coordinates, disrupting everything from navigation to targeting (where GPS guides rockets and drones).
The tools may have changed, but the logic is the same: control the flow of information, and you control access, and by extension, safety.
Practical OPSEC Measures:
People & Communications
- Freeze live-location and geotagging across staff devices and brand accounts.
- Schedule posts or updates to delay 24–48 hours after mission completion, ensuring that live operations or sensitive movements cannot be inferred in real time.
- Consider using secure, privacy-focused communication apps.
- Institute a “need-to-share” policy for itineraries, rosters, and venue names.
- Train staff to avoid posting uniforms, badges, car plates, building access points, and route details.
- Use scenario-based exercises to identify OPSEC risks and follow up with periodic reminders.
Systems & Data
- Secure public calendars, meeting links, and Wi-Fi networks that display client or suite information.
- Strip EXIF/metadata from media before posting; standardize via a pre-publish pipeline.
- Turn off directory browsing on web servers, and restrict access to /status, /admin, and /metrics pages so only users signed in through SSO or a VPN can reach them.
- Review domain, subdomain, and DNS records for over-exposed info (TXT records, staging hosts).
Facilities & Movement
- Rotate pickup & drop-off points, keypad codes, and radio call signs; avoid fixed time and route patterns.
- Control temporary signage at events (arrows, “VIP,” company logos). Use neutral labels and remove immediately after use.
- Keep vendor/provider identifiers non-descriptive (no client names on work orders, labels, or crates).
Detection & Red-Teaming
- Run a quarterly OSINT sweep on your organization, principals, and sites (web, socials, WHOIS, satellite/Street View, job posts).
- Task a red-team to navigate with only public “signposts”. The rationale is that if they can reach your people or assets, so can so can anyone with access to that same data.
- Maintain an incident log of data points removed (the “de-signposting ledger”) and review changes monthly.
#SecurityOperations #OPSEC #InformationSecurity #RiskManagement #ProtectiveIntelligence #Leadership #OperationalExcellence
