General security

Reactive vs. proactive security: Three benefits of a proactive cybersecurity strategy

Susan Morrow
October 22, 2020 by
Susan Morrow

I’ve been writing cybersecurity articles for many years, and in that time, I have only seen increasingly complex security threats. Cybercriminals take their craft seriously. They treat cybercrime as a business, looking for ways to maximize profit while seeking innovative methods to circumvent our efforts to protect our businesses.

The figures speak for themselves. A McAfee report found that the average enterprise has 14 misconfigured IaaS instances resulting in an average of 2,269 misconfiguration incidents per month. The result of the myriad of security vulnerabilities is that in Q1 of 2020, alone, 8.4 billion data records were exposed.

An organization has a choice. Cybersecurity threats can be tackled using a “proactive security” and/or a “reactive security” approach. But what do these terms mean and is one approach better than the other?

Findings on proactive security from the CRAE Report

Proactive security was given the thumbs up in the Q2 2020 Cyber Risk Alliance, Cybersecurity Resource Allocation and Efficacy Index (CRAE) report. Researchers found that organizations with 500 or more employees in North America and Europe emphasized proactive security measures to protect assets and detect breaches, as opposed to a purely reactive security approach. What makes this report even more interesting is that the data was collated during the COVID-19 pandemic. The results demonstrate the confidence that organizations have in a proactive security approach.

It is also worth remembering that cybercriminals do not care what area a business operates in or what size a company is. Often, the smaller organization is a target simply because it will not have the resources to fight cybercrime. According to a 2019 Ponemon Institute study, 76% of US SMBs have been a target of a cyberattack. However, 88% of those SMBs spend less than 20% of their IT budget on cybersecurity. The CRAE report found that organizations that spend more on cybersecurity also express increased confidence that measures are effective.

Both SMBs and larger enterprises need to decide how best to tackle cybersecurity threats. The CRAE report shows that proactive security is important. But does the decision come down to being proactive or reactive?

Being reactive can be a useful strategy under certain circumstances. Deciding between proactive versus reactive may come down to a cost/benefit analysis. Reacting to an event means dealing with it during or after the event has occurred. Being proactive means preventing the event from happening in the first place. However, sometimes being reactive can work out well: for example, reacting to a rare situation that would otherwise be costly to proactively protect against. As a general strategy, being proactive can offer a higher degree of control. When it comes to costs, do you pay up front to prevent an attack or pay for clean-up costs once an attack has happened?

What is reactive security?

Reactive security requires that measures are put in place to spot the tell-tale signs of a breach and react to it, as it happens, or during a prolonged attack. The problem is that once an attack has happened, the clean-up operation can be costly and take time. The Ponemon “Cost of a Data Breach Report” for 2019 determined the average cost of a data breach is $3.92 million per incident. Reactive security requires that certain measures are used to help prevent an attack or spot an attack as it occurs. Examples of reactive cybersecurity measures include:

  • Cybersecurity monitoring solutions: These solutions monitor a network looking for possible attacks as they happen.
  • Forensic analysis of security events: It is extremely useful to understand the methods used in an attack to help make cybersecurity policy decisions.
  • Anti-spam/ anti-malware solutions: Important, but can fail when new malware enters the landscape (e.g., fileless malware)
  • Firewalls: Important, but configuration issues can leave organizations vulnerable

As such, reactive security measures are not wasted. However, if a cybersecurity event is missed, the measures fail. This is why proactive security is a next step on from reactive security, building on the positive aspects of a reactive security measure.

What is proactive security?

Proactive security is a more holistic approach to securing IT systems. It focuses on prevention rather than detection and response. Proactive security is about adding enhancements to existing reactive measures and taking on new ones to complement these. 

A proactive security approach is about understanding your organization, your system, applications and developers, as well as your user base. Proactive security allows an organization to understand where vulnerabilities lie so they can be mitigated.

Proactive security measures include:

  • Security awareness training: Preempting a social engineering or other phishing attacks by ensuring a user base knows how to spot the tell-tale signs and tricks of fraudsters. The CRAE report found that phishing was the biggest concern for 59% of US and 68% of Canadian respondents.
  • Penetration testing: Using white-hat hackers to test IT systems to find exploitable vulnerabilities. Penetration tests will produce a report that can be used to close off potential exploits.
  • Proactive endpoint and network monitoring: New technologies, such as machine learning, are helping to make reactive measures more proactive by reducing false positives and negatives.
  • Threat hunting and threat intelligence: This is a set of complementary tasks performed by internal or external skilled staff. These tasks can be thought of as proactive digital forensics. An organization will engage an internal or external Red Team to hunt for vulnerabilities. These gaps in security can then be hardened against real attacks in a proactive way.

An important thing to note is that data protection regulations often mandate a proactive approach to security. The EU’s GDPR, for example, requires a “Privacy by Default and Design” approach to data protection, expecting data protection to be baked into a system.

Three major benefits of using a proactive approach to security 

  1. Proactive security works: The CRAE report found that those organizations that emphasized a proactive approach to cybersecurity felt more confident that measures worked. The use of the proactive security guideline in the NIST cybersecurity framework was cited as worth investing in. This framework looks at ways to balance “proactive measures whilst preparing for worst-case scenarios”.
  2. Actively prevent data breaches: A proactive security approach builds on existing reactive security measures. This holistic risk-based approach ensures that an organization has all possible barriers in place to prevent both vulnerabilities from being exploited and accidental data exposures occurring.
  3. Stay in compliance with data protection laws: Using a proactive security approach means that an organization has multiple layers of defense in place. To get to a proactive security posture, a company must understand risk levels, analyzing that risk and determining best practices to mitigate risk. This is in line with many data protection laws that require or mandate security and privacy by design.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Reactive and proactive security makes for active security

Proactive security builds on the reactive measures that traditional cybersecurity approaches take. But being proactive offers more control over an environment. Being proactive requires a deep understanding of your organizational IT systems, user base and cybersecurity threats. A 360-degree view of cybersecurity reaps benefits in a world where cybersecurity continues to challenge business and gives an organization an active way to mitigate cyberthreats.

Sources

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.