INVITATION TO CYBERSECURITY 116

Threat actors can also be deterred by making them believe that attacking is not worth their time. For example, if an organization is believed to have a strong cybersecurity posture, a threat actor may avoid attacking it in favor of an easier target. Ransomware threats can be deterred by convincing would-be attackers that the organization will never pay a ransom under any circumstances.

5.3.5.3.4 Corrective

Corrective controls are measures taken to recover after a cyber incident. The next section reviews planning for failures in detail, but part of that process is to put measures in place ahead of time that will aid in recovery from an incident. Data backups are an example of a corrective control: if data is lost due to a cybersecurity incident, it may be restorable from backups. Contracting with an incident response company is another example of a corrective control. Such a company can be hired ahead of time and put on retainer so that it can be activated quickly if needed. A retainer is a fee paid in advance to secure future services if and when they are needed.

5.3.5.3.5 Controls Summary

Controls are not mutually exclusive; they work together to mitigate risks. For a given risk, there may be multiple controls from the same and different categories, implemented in different areas across the organization's infrastructure. While it is important to understand how and why a control can be effective, it is not strictly necessary to categorize controls by type, since some controls mitigate risk in several different ways at once. Tables 5.6 and 5.7 provide examples of the four categories of controls across the different areas of implementation. Controls should be selected based on a cost-benefit analysis. They should also be tested and monitored to help ensure they are functioning as designed.

Table 5.6 Example risk mitigations for each category of controls.