
Reactive vs. Proactive Cybersecurity: Which Strategy is Best?

By Dr. Jamie Graves | February 22, 2019

Security sprawl is a real challenge for most organizations, especially now as networks continue to rapidly expand and evolve while security resources remain increasingly limited. If you’re like most companies, you’ve loaded your wiring closet with a hodge-podge of perimeter defenses over the years. Most of these tools operate in isolation, watching a particular gateway looking for specific types of threats. You try to keep your antivirus and antimalware systems updated, patch and update your systems with some regularity, and try to stay in the know about active threats. You’ve also likely added some rudimentary tools to try and spot rogue insiders, and added various filters and password protections to stop your employees from clicking on things they shouldn’t.

If something nasty does get through, you have a plan in place to deal with it. You know who’s responsible for what in terms of isolating and restoring damaged systems, and you’re all geared up for forensic investigations and for learning lessons from what just happened to keep the security lifecycle rolling along.

Reactive vs. Proactive Cybersecurity: Which is the Best Option?  

The situation illustrated above is the definition of a purely reactive security strategy. It relies almost entirely on being able to shore up your defenses before cyber criminals can target and exploit a new vulnerability, or responding to an alarm that indicates that your network has been breached. Such an approach to cybersecurity keeps you and your security team in constant firefighting mode. Still, it’s the way the majority of organizations implement and maintain their security posture.

While a reactive security strategy centers on resolving a security issue after it has already occurred, a proactive security strategy includes identifying weaknesses and possible threats beforehand and adding measures to prevent the risks from ever happening in the first place. By getting ahead of threats, organizations can avoid having to play catch up in the case that an attack occurs. Of course, NGFWs, antivirus, spam filters, multi-factor authentication, and a comprehensive breach response plan all have an important job to do. Turn off your traditional Layer 2-3 firewall and see how long it takes for your network to catch on fire. Ultimately, the issue rests with what’s missing.

4 Signs It’s Time to Move from a Reactive Security Strategy to a Proactive One

When addressing threats that are already on the blacklist—those that have been encountered previously and that act in a predictable way—reactive security strategies can be enough. But for expanding threat vectors, emerging attack strategies, sophisticated cyber criminal communities, previously unseen malware, and zero-day vulnerabilities and exploits—along with insiders capable of bypassing your edge-based protective measures—reliance on reactive security alone can leave you exposed.

Here are some of the ways to tell that a shift from a reactive security strategy toward a proactive one might be needed within your organization:

1. You’re Constantly “Cleaning Up on Aisle 9”

You may be confident that your perimeter defenses are robust enough to pick up on most threats while also estimating that in any event, the risk of being targeted is low and the loss to your business will be manageable. When viewed in this way, a purely reactive security policy may make perfect sense. After all, why waste resources on active threat hunting when you can take in stride any threat that comes along?

The reality is, we’re long past the age when being hit with a cyberattack was a once-in-a-blue-moon event or a case of bad luck. Now, nearly half of all organizations have experienced a cyberattack within the last year. Smaller businesses, which typically have smaller budgets and staff, had it even worse, with 67% of SMBs experiencing a cyberattack in 2018. These breaches forced 60% of small businesses to close within six months of an attack.

According to FortiGuard Labs researchers, unique malware variants grew 43% in Q3 of 2018 alone, while the number of unique daily malware detections per firm rose 62%. Even worse, the average time to identify a breach is 197 days, and the average time required to contain a breach after detection is still a whopping 69 days. Most concerning is that according to one report, 73% of organizations have self-reported that they are unprepared for a cyberattack. Clearly, a reaction-based security strategy simply doesn’t work.

Of course, you could sit back and hope that your perimeter defenses catch those threats - but it’s increasingly likely that they won’t. In this case, organizations could find themselves in a constant cycle of clean-up and damage control, which is a strategy that can quickly drain time, money, and resources. The more sensible approach is to adopt a more proactive, zero-trust strategy that starts with an assumption of compromise. If you knew that your network had already been breached, what would you do differently than you are doing now? What resources would you isolate? What control measures would you put in place? Those are the things you should be doing now.

2. Threat Actors Are Always One Step Ahead

Cyber criminals have long known how reactive cybersecurity tools work—and they make it their mission to circumvent them. On the one hand, we have polymorphic malware to deal with: malicious code with the ability to constantly change to evade antivirus (AV) detection. Even blending malware with seemingly innocuous code can be enough to bypass an AV solution’s methodology.

And while malware-for-hire is readily available to multitudes of relatively unsophisticated end-users over the dark web, the actual producers of those scripts tend to be much more professional. When a business gets an update from its AV provider informing it of the latest batch of identified malware variants, it’s a safe bet that the authors of that malware are signed up to the very same update. It’s their cue to launch their ‘new and improved’ version designed to evade detection. With purely reactive security measures in place, businesses constantly find themselves one step behind the criminals.

3. There is a High Risk of Insider Attacks 

Half of all data breaches originate from insiders - whether through accidental or malicious actions. Such breaches also tend to be among the most difficult and costly to rectify.

You most likely have some protective measures in place to tackle the insider threat. Usage policies set out what behaviors are and aren’t acceptable, while solutions such as file fingerprinting and usage monitoring provide visibility into what’s happening across your IT estate.

Unfortunately, one of the biggest problems you face comes in the form of privileged users. These are the people who know precisely what reactive measures you have in place. They not only know how to cover their actions without triggering a reaction, but they also know where your most valuable data resides. When one of those actors becomes rogue, it can be impossible to respond effectively when your security defense system is built around a reactive model.

4. It is Nearly Impossible to Meet Data Compliance Requirements

With GDPR about a year old, and similar legislation in place or on the horizon around the world, CISOs are facing a completely new data protection framework—including severe fines for the most severe non-compliance violations.

A data privacy breach resulting from a security compromise doesn’t automatically lead to a sanction. What happens depends on the account that you are able to provide to the investigating regulator.

Were the reactionary security solutions you had in place reasonable and adequate? Did you regularly stress-test your security infrastructure? Compliance isn’t a one-off exercise—staying compliant demands that you invest sufficient resources to meet an increasingly complex threat landscape. Sticking to your current reaction-oriented security framework that only responds after an update or event occurs is not a promising strategy.

Achieve the Benefits of a Proactive Security Strategy

Research conducted by The Economist Intelligence Unit suggests that those firms that have a proactive security strategy in place, backed by a fully-engaged C-suite, tend to reduce the growth of cyberattacks and breaches by 53% over comparable firms.

So what does a proactive strategy actually look like? Proactivity involves identifying and mitigating those hazardous conditions that can give rise to all manner of “nasties” cropping up - in whatever form they may take. For instance, take the example of the malicious insider, whose intention is to steal and exploit some of your most valuable data. While they still haven't decided precisely how they are going to do it, they have numerous extraction options open to them. If you are lucky enough, your reactive security measures might pick up on a one-off illegal action - but the chances are that the insider will be able to bypass them.

A proactive approach involves identifying the hazardous conditions that tell you something’s afoot: How has this individual’s behavior strayed from the norm recently? Has he been moving files to new servers? Is he logging in to resources he previously rarely accessed? Is data moving in unexpected ways?
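The questions above can be asked of access logs by comparing each user's activity with their own baseline. The following is an added example, not code from the original article or from any Fortinet product; the event layout, user and resource names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed events (day, user, resource, bytes); days 1-10 are baseline, day 11 is scored.
EVENTS = [(d, "alice", "crm-db", 40_000 + 1_000 * (d % 3)) for d in range(1, 11)]
EVENTS += [(d, "bob", "build-srv", 90_000 + 2_000 * (d % 4)) for d in range(1, 11)]
EVENTS += [(3, "bob", "hr-share", 5_000)]            # one-off access in baseline
EVENTS += [
    (11, "alice", "crm-db", 41_000),                 # normal day
    (11, "bob", "build-srv", 93_000),                # usual resource, usual volume
    (11, "bob", "hr-share", 2_400_000),              # rarely used resource, large transfer
    (11, "bob", "finance-archive", 10_000),          # never seen before
]

def build_baseline(events, last_baseline_day):
    """Per user: days each resource was touched, and total bytes per day."""
    res_days = defaultdict(lambda: defaultdict(set))
    daily_bytes = defaultdict(lambda: defaultdict(int))
    for day, user, resource, nbytes in events:
        if day <= last_baseline_day:
            res_days[user][resource].add(day)
            daily_bytes[user][day] += nbytes
    return res_days, daily_bytes

def score_day(events, day, last_baseline_day, rare_fraction=0.2, mad_k=6.0):
    """Return sorted (user, reason, detail) findings for one evaluation day."""
    res_days, daily_bytes = build_baseline(events, last_baseline_day)
    findings, today_bytes = set(), defaultdict(int)
    for d, user, resource, nbytes in events:
        if d != day:
            continue
        today_bytes[user] += nbytes
        seen = len(res_days[user].get(resource, ()))
        if seen == 0:
            findings.add((user, "new_resource", resource))
        elif seen / last_baseline_day < rare_fraction:
            findings.add((user, "rare_resource", resource))
    for user, total in today_bytes.items():
        history = list(daily_bytes[user].values())
        if not history:
            continue  # no baseline for this user; volume cannot be judged
        med = median(history)
        mad = median(abs(x - med) for x in history) or 1  # avoid zero spread
        if total > med + mad_k * mad:
            findings.add((user, "volume_spike", f"{total} vs median {med}"))
    return sorted(findings)

if __name__ == "__main__":
    print(score_day(EVENTS, day=11, last_baseline_day=10))
```

Median and median absolute deviation are used for the volume check so that a single unusual day inside the baseline does not widen the threshold the way a mean and standard deviation would.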


Getting out of the trap of reaction-based security requires organizations to rethink both their networking and security strategies. Organizations need to begin anticipating attacks by implementing zero-trust strategies, leveraging real-time threat intelligence, deploying behavioral analytics tools, and implementing a cohesive security fabric. That fabric should gather and share threat intelligence, perform logistical and behavioral analysis, and tie information back into a unified system that can preempt criminal intent and disrupt criminal behavior before it can gain a foothold.
