Invitation to Cybersecurity

one that has to worry about securing access to their web servers. But just because a third party hosts an organization’s data does not necessarily make cybersecurity incidents less likely, nor does it remove all liability from the customer. Exactly which party is responsible under what conditions is outlined in the cloud computing contract. The more risks the cloud computing provider accepts, the higher the costs for their service; again, there is no free lunch!

Many cloud providers store data for their clients in encrypted format and do not have the ability to decrypt it. Only the customers hold the necessary keys. This is a way that cloud providers can avoid risk: encrypted data is worthless to cyber attackers. Cloud providers forgo the ability to do data mining and other revenue-generating activities based on customer data, but they also reduce their risk.

5.3.5.3 Mitigating

The most natural reaction to a cybersecurity risk is mitigating it. Mitigating a risk means reducing the risk. Cybersecurity risks are mitigated through the use of controls. There are many different categories of controls; in this chapter, we will cover only preventative, detective, deterrent, and corrective controls. Controls are implemented in the categories that are the functional underpinnings of an organization: people, processes, technology, and facilities.

5.3.5.3.1 Preventative

Preventative controls are measures taken to prevent a risk from being realized. Examples of preventative controls in physical space include locks, safes, and fences. These controls are designed to prevent unauthorized access to physical spaces. Physical security is also relevant for cybersecurity because of the risk of a threat actor gaining physical access to computers and tampering with them. For such a risk to a company’s servers (a valuable cyber asset), a preventative control would be an access control system for the server room.

This is a facilities-focused control designed primarily to mitigate the risk of unauthorized access by preventing it. Mitigating does not mean eliminating. Even with the access control system in place, it still may be possible for a person to gain unauthorized access to the server room, but the control reduces the likelihood of this occurring. As we saw above, there are cost tradeoffs for an organization to consider when evaluating controls. Access control solutions could be as simple as a bolt lock with a physical key or as complex as multi-factor authentication with a digital keypad and biometric scanner. The various options would have different costs of implementation, maintenance, and productivity, and some solutions would mitigate more risk than others. Should a company pay 50% more for a product that mitigates 10% more risk? Maybe. This is why organizations need to conduct, either formally or informally, a risk assessment and a cost-benefit analysis to determine the right options for them.
