Security vulnerabilities are a serious challenge for a lot of organizations these days. Now that security resources are increasingly limited in most organizations, rapidly expanding and evolving networks can pose a challenge in themselves.
If you’re part of an IT department in any organization, then you’ve likely dealt with a barrage of network defense mechanisms. You’ve likely set up some tools that can spot rogue insiders, and added various filters and blockades to stop employees from clicking on suspicious links.
But in case something goes wrong, you have a proper action plan in place to deal with the threat. You know exactly what procedures to follow and who to contact for disaster recovery. Once the threat has been dealt with, you and other members of the IT team are ready to run a forensic investigation of the matter.
In retrospect, to sum it up, you had proper defence mechanisms in place, you were able to detect the threat once your network was compromised and you neutralized the threat afterwards. This approach is purely reactive. The majority of organizations today work on the reactive cybersecurity model. This type of approach basically involves reacting to a threat once the alarm bells go off.
But the major question is – Does reactive cybersecurity even work these days?
Well in all honesty, yes!
Multi-factor authentication, antivirus programs, firewalls, and threat prevention programs are all designed to deal with security threats once they arise. If you purposely make your security layers weak, you’ll be surprised by how quickly everything can go wrong.
When dealing with known threats that unfold in predictable ways, reactive security strategies can be more than adequate. But for zero-day vulnerabilities, newly emerging cybersecurity threats, and an ever-evolving threat landscape, proactive cybersecurity is the right approach.
But that’s just my opinion based on my experience in the cybersecurity industry. In order to get a much wider perspective on the matter, I’ve collaborated with cybersecurity experts to help you understand the advantages of proactive vs reactive cybersecurity.
In this article, you’ll be able to learn the differences between proactive and reactive cybersecurity approaches and the opinions of experts from the cybersecurity industry.
Choosing between Proactive & Reactive Cybersecurity
According to a 2018 report, 67% of small businesses were targeted by a cyberattack at some point in time. The average cost of these attacks was way over $380,000. Fast forward to 2020 and the average cost of a data breach is expected to reach 150 million according to Juniper Research.
Those are all quite alarming statistics.
At the end of the day, it all comes down to what approach is better for your company. Should your company choose proactive or reactive cybersecurity?
Well, as I mentioned earlier, reactive cybersecurity is still important. Even if you consider the fact that there is a hacker attack every 39 seconds, a reactive approach is still a viable solution. But you also can’t downplay the importance of proactive cybersecurity in dealing with emerging threats.
So the short answer is – your organization should aim for both. To ensure your company is prepared to effectively handle cybersecurity risks, a combo of both proactive and reactive cybersecurity is necessary. Here are the major differences between the two approaches.
As I mentioned earlier, most companies nowadays are already using reactive cybersecurity. Reactive cybersecurity basically involves implementing defence mechanisms to counter common attacks and hunting down hackers that have compromised your network security. Generally, a company’s reactive cybersecurity arsenal is comprised of:
- Antivirus software
- Password protections
- Spam filters
The reactive approach is great. It can prevent malicious entities from causing too much damage. However, the problem is that most companies rely solely on reactive strategies as their primary defense mechanism. In our ever-evolving technological landscape, that’s not enough. This is where proactive cybersecurity plays its role.
Compared to reactive cybersecurity, a proactive cybersecurity approach prevents an attack from ever happening in the first place. When you adopt the proactive approach, your business can effectively identify the vulnerabilities in your systems before anyone can exploit them. Typically, a business following the proactive strategy implements the following SOPs.
- Bug hunting
- Extensive network monitoring
- Ethical hacking
- Employee training
- Independent security audits
As a real-world analogy, proactive cybersecurity can be compared to being aware of your surroundings when going outside. You need to be on the lookout for anyone who can harm or rob you. Focusing on someone’s body language can help you understand the intent of the people around you.
But in case something does happen, your priority would be to call up law enforcement and assess the damage. That’s basically what reactive cybersecurity is. So what we’ve figured out so far is that the best cybersecurity practice for any company is to adopt both proactive and reactive cybersecurity, not just one.
Proactive vs Reactive Cybersecurity – Expert opinions
To get a much broader perspective on the topic, I reached out to relevant industry experts to see what they had to share. So without further ado, here are the responses I received.
Nancy Sabino — CEO and Co-Founder of SabinoCompTech
It is an absolute pain to brush, floss, and mouthwash a minimum of two times daily and see the dentist every six months, but it’s absolutely necessary unless you want to deal with cavity pain and pay for the remediation of it. Cyber-security is the same. It’s a pain to be proactive about it but it is absolutely necessary to minimize risk and avoid or lessen the kind of pain that comes with systems being invaded, sensitive information being stolen, reputational damage control, and financial losses from lawsuits or regulatory fines.
There are so many different tools available now to be proactive about cyber-security that it’s no longer an excuse. Utilizing the right tools to put blocks, locks and other safety mechanisms in place will not only lower risk of exposure but it will also make sure that you are complying with what cyber liability policies ask of you to be responsible for in order for their policy to cover you. What it comes down to is being proactive in cybersecurity practices is not just business smart but a responsibility.
Brad Snow — Co-Founder Tech Exec Roundtable
Here’s what Brad, a cloud computing specialist, has to suggest. If your strategy is reactive cybersecurity it’s not security, that would be data recovery. Effective cybersecurity is implicitly proactive. If it’s reactive you are now talking about approaches to recovering data or making calls to your cyber liability insurance company to make sure you’re covered from the inevitable financial losses.
Braden Perry — Partner KENNYHERTZ PERRY, LLC
Braden, who is a Cybersecurity Attorney, has this to say about proactive and reactive cybersecurity. If the forest becomes too dense to see the trees and the tone at the top (i.e. the CISO) allows the company to become reactive, meaning that they do not anticipate issues but wait for issues to arise and then act or react. This leads to short-sightedness, looking at the near-term, and not focused on long-term goals. This is opposed to the proactive approach and forward-looking, not only in anticipating issues that might arise but in having clear directions and goals.
Sounil Yu — CISO-in-Residence at YL Ventures
Good proactive security is like brakes on a car. Good reactive security is like airbags. However, if you don’t have brakes on a car, you’re going to need a lot of airbags.
Trish Stukbauer — Founder of CCCS
Trish, who is the founder of a crisis communications firm, had this to say. We always tell clients it’s a matter of when – not if – their organization will fall prey to a cyberattack. How they are perceived to react to that attack makes all the difference in how quickly – and even whether – they recover the confidence of clients, donors, the public, and media.
The key to surviving a potential media and customer onslaught is to take a proactive approach and have a crisis communications plan in place. We live by the old military adage: Proper planning prevents poor performance. Having a communications plan in place prevents a random executive or employee from leaking sensitive information or just saying something that inadvertently makes the situation worse.
Nick Santora — CEO and Founder of Curricula
Nick spent nearly seven years working as a cybersecurity specialist for Critical Infrastructure Protection (CIP) for the North American Electric Reliability Corporation (NERC). He’s also a Certified Information Security Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).
Here’s what Nick has to say. The problem is that most security awareness training is packed with technical terms, legal language, and boring dry content. Think of the last ‘death by PowerPoint presentation’ you had to go through. Most employees tune out and try to simply complete their required training as quickly as possible. That’s not very helpful when you’re relying on them to help protect your organization from cyber-attacks. Why have a security awareness program if it is not effective?
So the problem isn’t a lack of information on the subject of cybersecurity, but how can technology leaders change the perspective of this information so your employees actually learn from the training. How can you make training fun, relatable, and have employees apply critical thinking?
Ilia Sotnikov — Vice President of Product Management at Netwrix
Ilia Sotnikov, who is an accomplished expert in information security, had this to say. A reactive approach to cybersecurity means that you mainly focus on measures that help you protect your IT environment against security incidents. Although it is an essential part of any security strategy, I am sure that protection is not your main goal. More importantly, you need to link your security practices to organizational risks and choose measures that will keep your business going despite adverse cyber events. And proactive security will help you with that.
A proactive approach means that you know exactly which hacker activities pose the biggest threat right now, which systems and data are most critical in your organization and which assets require the strongest security measures. Moreover, it means that you focus equally on protection, detection, response, and recovery capabilities, which makes it easier for you to adapt your IT security strategy to changing cyber threat landscape. As a result, you can stay ahead of hackers, deal with cyber threats more effectively, and ensure business continuity no matter what.
Heather Paunet — Vice President of Product Management at Untangle
When it comes to network security and remaining proactive against cyberattacks, creating a standard checklist for monthly maintenance can ease the in-depth audit conducted annually. Each month, network administrators should routinely back up all data, keep software plugins and patches up to date, encourage employees to change passwords regularly, and monitor devices and applications, keeping track of data usage or bandwidth pain points.
For those companies who find themselves on the reactive end of cybersecurity, there are some key first steps any IT team can implement. The first step is to make sure all employees change their passwords to business-critical accounts. This will create a clean slate of access and will be able to deter any unauthorized access from getting further into the network. The next step will be to begin segmenting network access based on either department, title, or other information. Many companies inadvertently leave critical files open to all employees, and this can be a quick misstep down the data breach path. When reacting to a cybersecurity threat or breach, it is especially important to clearly communicate the benefits of these cybersecurity policies and ensure employees practice safe cyber hygiene as the IT team addresses any vulnerabilities.
Courtney H. Jackson — Founder/CEO at Paragon Cyber Solutions, LLC
The advantage of proactive versus reactive cybersecurity is often the difference between keeping your data safe versus being hacked. A lot of companies do not invest in cybersecurity as they should until after they have fallen victim to a cybercrime, which is too late. By taking a proactive approach, companies are performing the necessary due diligence to protect their data, identify potential threats and vulnerabilities, and implement proper controls to address those items which significantly reduces their risk of exposure.
Michael Oh — President at TSP LLC
The biggest benefit of proactive cybersecurity is that in many cases, if you’ve been breached, then it’s a race against time for the attacker to gain a more substantial foothold or get valuable data from your network. If you have prepared playbooks on reacting to a cyber breach, people understand their roles in mitigating a breach, and you’ve already rehearsed or drilled for such an event, you’re more likely to be able to fend off an attack before someone can do significant damage to your business.
Erik Kangas — CEO, Lux Scientiae
Proactive cybersecurity focuses on closing gaps and weaknesses in systems before they are exploited; reactive focuses on responding to security incidents after they occur. The cost of proactive security is vastly smaller than the cost of managing breaches and issues. Proactive security also works on your time schedule, vs reactive security where you are to drop everything and work under great time pressure on the schedule of the attackers.
Uri May — Co-founder and CEO of Hunters
Today’s landscape of threat detection & response knows various challenges:
- Attack surfaces are multiplying as attackers utilize various IT environments and organizational platforms
- Detection is a human-led, flawed process, which does not scale to overtake today’s attacks: SOC analysts who use SIEM solutions are limited in their ability to pick up weaker signals, or attackers who try to blend in the noise (and this is mostly what they do today). Specifically, it makes detection of attacks that look like benign activities really unscalable, because it creates a lot of false-positives. Together with the variety of data sources, and volumes of alerts, SOC teams are left overwhelmed.
- In addition to that, cybersecurity human talent is very scarce. Even when talented people are hired and retained, they are still people, who go on Christmas breaks or have to work remotely during a worldwide pandemic. Moreover, they lack comprehensive domain expertise and are unlikely to master all attack surfaces: cloud, network, endpoints. Each requires its own domain expertise and is used differently by attackers.
The only way to not only match, but overtake attackers, is to be proactive – we cannot afford the wait of being reactive. Attackers are never reactive.
But being proactive is an understatement; in order to succeed, detection needs to be proactive in a fast and scalable manner. The only way for doing so is by using machine power and every bit of organizational data interconnectedly, just like an attacker does.
Chelsea Brown — CEO & Founder, Digital Mom Talk
When a cyber-attack happens, in 6 months 60% of businesses file bankruptcy. This isn’t due to the cost of fixing or repairing and increasing digital security. Businesses file for bankruptcy because of the other consequences associated with cyberattacks they don’t anticipate and aren’t prepared for. Most companies that suffer a cyber attack face lawsuits, state and federal fines, reputation damage, and loss of business as a result of cyberattacks. These costs add up to more than the cost of installing and keeping security practices, procedures, and devices that are up-to-date.
Michael Rotondo — Founding Partner, Silent Sector
Cybersecurity is often defined with two options. You can either maintain a proactive defence that is heavily risk-based and designed to prevent bad things from happening or a reactive defence which relies on the belief that bad things will happen and we better have a way of dealing with it. While both have their merits, in reality, the best solution is a combination of the two methodologies. Most security decisions, like IT decisions, are generally based on 3 factors. These are budget, understanding of the subject matter, and resource availability.
The question is not, Can you contrast proactive vs reactive cybersecurity. Rather the question is, What balance of reactive and proactive measures is required to keep the enterprise safe?
A combination of the two methodologies is required for a complete defence posture. Proactively you’ll need process, policies, and standards to ensure that you are secure and compliant, but to have a complete security posture you need to ensure that you have reactive capabilities when malicious activity occurs. For example, you might have an endpoint solution that automatically sandboxes a user’s computer when they click on a phishing email or download malware. As for those who think they don’t have anything someone would want to steal, we will continue to say a prayer, light candles, and hope for the best.
Itay Yanovski — SVP Strategy & Co-Founder of Cyberint
In essence, being proactive about cybersecurity means that you mitigate the threat rather than react to the incident. To be able to act upon the threat you need threat intelligence, which ultimately drives the difference between being reactive and proactive. A good example of assuming a proactive approach to secure your organization’s systems is building upon threat intelligence data for threat hunting.
Threat hunting is the process of actively looking for signs of compromise within the enterprise systems. To be effective, you need to focus the threat hunting on the tools, tactics, and procedures (TTP) attackers will use. This hypothesis-based hunting requires a deep understanding of both the TTP and your specific threat landscape, essentially identifying who will attack you and how. Including proactive intelligence-led threat hunting in your cybersecurity program can improve your chances of avoiding breach and minimizing time-to-detect and time-to-respond, should a breach occur. Failing to assume a proactive approach can prove, should a breach occur, costly financially and negatively impact brand reputation.
Daniel William Carter — Cyber Security Consultant at IDStrong
To implement a comprehensive cybersecurity strategy, you need both. In comparison to the reactive one, a proactive cybersecurity strategy helps you to prevent and/or be more prepared once the hacking occurs. This way you ensure you are more prepared. Also, while dealing with a proactive strategy, your staff members are more educated about cyber hygiene. You can be sure the hacking doesn’t happen while working with highly competent employees.
High risk and weak areas are more apparent for business owners. Real-time monitoring gives a complete view of possible threats. The proactive approach strengthens the company’s defence, and also increases the chances of a zero-day attack. To work effectively, it needs a long-term commitment. For big companies safeguarding substantial, valuable, and continuously growing data sets, the prospect of proactive cybersecurity is increasingly attractive.
Chase Norlin — CEO of Transmosis
A proactive vs reactive approach is increasingly valuable as technology, in particular A.I., enables cybersecurity companies to engage in active threat hunting based on unusual behaviours. This is markedly different than reacting to an alert. In a proactive stance, cybersecurity analysts can mitigate potential threat scenarios long before they happen, as more cyber attacks have longer durations and are strategic in nature.