When it comes to securing your privacy and corporate data, there are a lot of industry cybersecurity best practices that need to be taken into consideration for implementation. Some will be implemented due to compliance requirements and others because they are easy to implement (known as ‘low hanging fruit’). But what about the best practices that are difficult to implement, seem redundant, or would require changing or updating business models or practices?

The great thing about best practices is that they are not “only practices”. They are just recognized as the best way to secure information given certain conditions (usually the condition being that there are no compensating controls). For lower maturity programs it is very likely that some best practices will not have compensating controls implemented by the very nature of the architecture and/or business processes; however, some will have compensating controls. This means there is more than one way to ensure the integrity of your web application files is not compromised. Personally, I like using orchestration that refreshes (replaces existing files with ‘known good’ back-ups) when a file integrity monitoring alert triggers.

Best practices are not ‘only practices’; they are just the practices that are recognized as having the best easy-to-implement:provides-verifiable-security ratio in a vacuum, without compensating control considerations. So, when evaluating best practices, ensure you take a holistic view of your environment to determine the added benefit (there will always be a benefit), any gaps, pre-existing compensating controls, and all relevant costs (administrative burden, financial costs, org roll-out costs, etc.), because no security control lives in a vacuum.
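The refresh-on-alert approach mentioned above for web application files, as an added sketch that is not the author's own tooling: it compares a live web root against a SHA-256 manifest of a known-good copy, restores anything that drifted, and moves tampered or unexpected files aside so they survive for investigation. The function names, the directory layout and the separate quarantine directory are assumptions made for this example.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(golden: Path) -> dict:
    """Hash every file in the known-good copy, keyed by relative path."""
    return {p.relative_to(golden).as_posix(): sha256_file(p)
            for p in sorted(golden.rglob("*")) if p.is_file()}


def _quarantine(path: Path, rel: str, quarantine: Path) -> None:
    """Move a drifted file aside (quarantine must sit outside the live root)."""
    dest = quarantine / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(dest))


def check_and_refresh(live: Path, golden: Path, manifest: dict,
                      quarantine: Path) -> list:
    """Return (kind, relative_path) alerts and put the live tree back to known good."""
    alerts = []
    for rel, expected in manifest.items():
        target, source = live / rel, golden / rel
        if target.is_file() and sha256_file(target) == expected:
            continue  # file matches the manifest, nothing to do
        kind = "modified" if target.is_file() else "missing"
        if not source.is_file() or sha256_file(source) != expected:
            # The backup itself no longer matches the manifest: alert, do not restore.
            alerts.append(("backup_untrusted", rel))
            continue
        alerts.append((kind, rel))
        if kind == "modified":
            _quarantine(target, rel, quarantine)  # keep the evidence
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
    # Files the manifest does not know about are alerts too, not just changed ones.
    for p in sorted(live.rglob("*")):
        rel = p.relative_to(live).as_posix()
        if p.is_file() and rel not in manifest:
            alerts.append(("unexpected", rel))
            _quarantine(p, rel, quarantine)
    return alerts
```

The manifest and the known-good copy should live somewhere the web application's own account cannot write, otherwise the refresh restores whatever was placed in the backup.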