When you return one day to find your house has been broken into, your first question is always, “How did they get in?” And when the doors and windows are all still closed, yet your valuables are gone, you’re sure those things didn’t just walk off on their own. Similarly, in the event of a data breach, your first question is inevitably, “How did this happen?”
There’s a misconception in the popular imagination that cybersecurity is a technology-driven discipline. It is technological, of course, but cybersecurity policies are arguably just as important, if not more so, than the hardware and software elements they govern. Policies, or rules, determine how security technology is to be deployed by affected teams. A firewall may prevent unauthorized entry, for instance, but it is useless if there are no rules governing who is allowed to modify its settings.
Organizational security often begins with password management. Even the most basic of organizations use passwords to protect email accounts and document management solutions, while larger organizations may need to worry about HIPAA compliance, protecting industrial control systems, and more. Ensuring security with robust password management policies is key, and utilizing enterprise password management software, such as the WALLIX Bastion Password Manager, significantly simplifies this daunting task.
You can’t spend your way into a strong security posture. Being secure involves integrating tools, policies, people, and budgets. Getting secure will absolutely require some expenditure of cash. How much is the right amount? The answer depends on each organization’s unique security needs. In general, though, the best practice is to assess the potential financial impact of an incident (data breach cost) and weigh it against the cost of staying secure through breach prevention. Figuring this out can be a bit challenging, but it can be done.
The IEC 62443 standard is a sprawling, highly complex collection of cybersecurity standards addressing the unique needs of Industrial Automation and Control Systems (IACSs). It covers the full spectrum of security, from risk analysis through the definition and implementation of security policies for IACSs. As with most security standards, the issues of user access control and identity management are critical to success. In particular, an organization seeking to be certified for complying with the IEC 62443 standard should address the matter of Privileged Access Management (PAM). PAM relates to administrative, or privileged, users who can set up or modify the IACS elements that are being secured through the standard.