Cybersecurity is often defined as a binary choice between proactive defense, which is heavily risk-based and designed to prevent bad things from happening, and reactive defense, which rests on the belief that bad things are going to happen and that we had better have a way of dealing with them. While both have their merits, RITC Cybersecurity believes the best solution is a hybrid of the two methodologies. We know that most security decisions are based on multiple factors, namely budget, staffing, and risk. The question is not simply which solution is better—proactive vs. reactive cybersecurity—but rather: As the cybersecurity landscape evolves, what can I do reactively and proactively with the technology, staff, and budget I have to keep the enterprise safe?
The two extremes, based on personal experience:
Proactive: Acting in advance to deal with an expected difficulty; anticipatory.
Proactive cybersecurity is risk- or compliance-based and driven by the goal of reducing enterprise risk, limiting liability for the company, and preventing bad things from happening to the enterprise. Aside from the technology, proactive cybersecurity tends to focus heavily on process and procedure, which often sacrifices usability, speed, and efficiency for security. This can frustrate your IT staff and your users (especially sales), and it requires more hours to implement and maintain.
When cybersecurity programs are driven by compliance requirements, you are locked into specific cadences to maintain compliance. For example, entitlement reviews should ideally be completed quarterly, but at least annually for HIPAA. Staff HIPAA and security training needs to be completed annually, preferably quarterly. Proactive cybersecurity will include offensive security measures, vulnerability management programs, detailed change management processes, scanning, audits, penetration tests, and more, but the end goal is to reduce risk by eliminating attack vectors and, of course, to make the auditor happy.
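The cadences above (quarterly as the target, annual as the hard floor for both entitlement reviews and training) are easy to lose track of across many systems. The following is an added example, not code from RITC Cybersecurity, that turns those two numbers into a small overdue tracker: each control record carries the date it was last completed, and the checker reports whether it is within the quarterly target, past the target but still inside the annual requirement, or overdue. The system names and dates are constructed sample data; the 91-day quarter is an assumed approximation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cadences from the compliance-driven program described above.
# Quarterly is the preferred cadence; annual is the requirement.
TARGET_DAYS = 91     # assumed approximation of one quarter
MAXIMUM_DAYS = 365   # annual requirement


@dataclass
class ControlRecord:
    """One recurring compliance control (entitlement review or training)."""
    control: str         # e.g. "entitlement_review" or "security_training"
    system: str          # system or population the control applies to
    last_completed: date


def review_status(record: ControlRecord, today: date) -> str:
    """Classify a record as ok, past_target, or overdue relative to today."""
    age_days = (today - record.last_completed).days
    if age_days > MAXIMUM_DAYS:
        return "overdue"       # annual requirement missed: audit finding
    if age_days > TARGET_DAYS:
        return "past_target"   # still compliant, but behind the quarterly goal
    return "ok"


def next_deadline(record: ControlRecord) -> date:
    """Last date on which the control can be completed and stay compliant."""
    return record.last_completed + timedelta(days=MAXIMUM_DAYS)


def summarize(records: list[ControlRecord], today: date) -> dict[str, str]:
    """Map 'control:system' to its status so overdue items can be escalated."""
    return {f"{r.control}:{r.system}": review_status(r, today) for r in records}


# Constructed sample data for illustration only.
SAMPLE_RECORDS = [
    ControlRecord("entitlement_review", "ehr", date(2024, 5, 15)),
    ControlRecord("entitlement_review", "vpn", date(2024, 2, 1)),
    ControlRecord("security_training", "all_staff", date(2023, 3, 10)),
]

if __name__ == "__main__":
    as_of = date(2024, 6, 30)
    for key, status in summarize(SAMPLE_RECORDS, as_of).items():
        print(f"{key:32} {status}")
```

Run against the sample data as of 2024-06-30, the EHR review is within the quarterly target, the VPN review is past the target but still inside the annual requirement, and the training record is overdue. Feeding the same function real completion dates from a ticketing or GRC export gives a list the program owner can act on before the auditor asks.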
Reactive: Tending to be responsive or to react to a stimulus.
The worst kind of reactive cybersecurity we have seen is from those who don’t think a cyberattack will happen to them, don’t have a clear view of the ever-changing risks in the cybersecurity world, and have no plan for when something happens. Anyone who has been a consultant long enough has heard someone in a meeting say, “We don’t have anything someone would want to steal, so we’ll just deal with an attack if it happens,” or “So, our stock price will dip for a quarter—we’ll make it back.” Yes, I have heard those exact words in my long career as a consultant. The problem with those statements is that you don’t know what the cybercriminal is after. Sometimes it’s literally just to add another attack to their hit list so they can brag about it, or to damage your reputation for reasons known only to them.
I know those are extreme but, sadly, real examples. Reactive cybersecurity measures are important when you are attacked by cybercriminals or, as is often the case, when one of your users makes a mistake (doesn’t change their password, clicks on something they shouldn’t), or when IT staff leave unknown attack vectors open or, worse, unknowingly damage the environment. It is important that you have a plan for how you are going to address any adverse situation. The plan needs to be complete, tested, and ready to execute when, inevitably, an adverse event occurs. In the case of malware, your security team or IT staff needs to know how to contain the issue, disconnect infected devices, identify the symptoms of infection, and deal with them to mitigate the damage to your environment. Purely proactive measures won’t always provide for these contingencies.
Having only a proactive or only a reactive cyber defense is not the answer to securing your environment. You need a hybrid of the two philosophies. Proactively, you need technology, processes, and policies to ensure that you are secure and compliant, building the walls and filling the moat around the castle. To complete your security posture, however, you need a plan in case the castle gets breached. Your information security policy, the blueprint of your cybersecurity program, needs to ensure that you have reactive capabilities for when bad stuff happens. An example would be an endpoint protection tool that automatically sandboxes a user’s computer when they click on a phishing email or download malware. You need a solid disaster recovery plan, business continuity plan, and incident response plan that are practiced and tailored to your environment. When all these measures are in place, you will be safer than most, but always remember that cybercriminals are out there and the cyber world continues to evolve. In short, be ever vigilant and don’t get complacent.