By Christos Flessas
As advanced cyberattacks become more frequent and intense and aim at a broader range of sectors and industries, public and private businesses try to better prepare themselves to mitigate cyber threats and cope with a possible cyberattack that will impact their revenue and damage their reputation.
Back in 2020, Cybersecurity Ventures reported that "cybercrime represents the greatest transfer of economic wealth in history" and highlighted that cybercrime will cost companies worldwide from $3 trillion in 2015 to an estimated $10.5 trillion annually by 2025, with the cybercrime yearly growth rate touching a whopping 15%.
Within such a gloomy future, and in their quest to find the holy grail of cyber defense, businesses arrive at a crossroads where they must decide whether to implement a proactive or a reactive cybersecurity approach. Which one is the most efficient: being proactive or reactive? Or will a balanced combination of the two give better results and cybersecurity coverage, considering factors such as the agility, variability, and high rate of transformation of the environments that need to be protected?
The proactive and reactive approaches
Inspectorio highlights that according to the 1/10/100 rule in quality management: "the cost of preventing quality defects is lower than the cost of correcting defects, which in turn is cheaper than the cost of letting defects reach your customers." In other words, $1 invested in prevention is less expensive than $10 in correction, and $10 in correction is cheaper than $100 to deal with the failure. Regarding cybersecurity, one could say that being proactive is cheaper than being reactive. But is it the best solution, as many believe, or do businesses tend to focus more on the reactive part?
A proactive approach involves much effort in the planning phase of a cybersecurity program and an initial investment for procuring advanced tools or contracting with external service providers. Being part of risk management, a proactive cybersecurity approach preemptively spots flaws and introduces processes to identify threats before they occur. Some key features of that strategy may be:
- Disk encryption and physical protection to enhance data security.
- A managed SOC that centralizes threat monitoring.
- Multi-factor authentication to ensure proper access control.
- The use of firewalls and strong passwords.
- Cybersecurity risk assessments.
- Penetration testing.
- Security training to keep insiders aware of the evolving threats, and best practices to avoid them.
- Specialized vulnerability scanning software to inspect the exposed surface and detect gaps in the cybersecurity perimeter.
- Data Loss Prevention (DLP) tools and Data Detection and Response (DDR) solutions.
On the other hand, the reactive approach deals with the aftermath of an incident, once a cyberattack has succeeded in breaching a business's defenses. A reactive approach is oriented toward responding to incidents after they occur and primarily focuses on addressing incidents immediately to prevent further escalation. Within a reactive toolbox, one can find:
Benefits and drawbacks
Although a proactive approach seems a better solution than relying on the damage control of a reactive one, both approaches have pros and cons, and sometimes the choice is driven by the management style of business executives.
Some advantages of a proactive approach are the lower cost of creating a proactive plan compared to the expenses required to return to normal operations after a cyberattack, the theoretically lower involvement in crises, and the early detection and prevention of threats from insider actors and of potential flaws. Furthermore, a proactive approach ensures compliance with security regulations, as it implements all standards' prerequisites in advance.
However, a proactive approach faces several challenges. Firstly, it requires a significant investment in technology, personnel, and processes to be implemented. Secondly, proactive policies may generate a high volume of alerts, as they try to anticipate every possible situation, many of which may be false positives that create alert fatigue. Last but not least, it can raise privacy and ethical concerns, as it involves monitoring and analyzing user behavior and data, so organizations must take legal and ethical standards and privacy rights seriously and comply with them.
On the other hand, reactive cybersecurity measures are essential because they can help organizations minimize cyberattack damage and get back to the status quo ante as quickly as possible. In addition, reactive measures can help organizations learn from their mistakes and take all necessary steps to improve their cybersecurity posture in the future. In a way, the reactive cybersecurity approach improves proactive cybersecurity by feeding the latter with hands-on experience and lessons learned.
A significant drawback of the reactive approach is that the damage of an attack is not known in advance, nor is the amount of effort and expenditure required to respond to an incident. It is also difficult to predict the success of incident response in the future. Finally, exclusively reactive security can give a company's senior management the false impression that it is a "life saver", and lead them to mistakenly rely on it alone.
And the winner is...
As the debate on which of the two cybersecurity approaches is the most efficient goes on, and whether being proactive is better than reactive or vice versa, one shall consider that both strategies are interconnected. Each of them must be a part of the more extensive defense a business must have in its holistic cybersecurity plan. A plan can't be considered proactive if a reaction is not foreseen. Cyberattacks are a matter of "when" and not "if"; effective cybersecurity requires a balance between proactive and reactive measures to protect businesses against cyber threats and incidents.
Remember that cybersecurity is a continuous process that needs constant assessment and modification to remain effective against ever-evolving threats. As such, organizations can avoid possible risks and lessen the harm caused by being alert and proactive, but also by being aware and trained from lessons learned and the experience of past incidents.
ABOUT THE AUTHOR
Christos Flessas is a Communications and Information Systems Engineer with more than 30 years of experience as an Officer of the Hellenic Air Force (HAF). He is an accredited NATO tactical evaluator in the Communication and Information Systems (CIS) area and the National Representative (NatRep) at the Signal Intelligence CIS and Navigation Warfare (NavWar) Working Groups. Christos holds an MSc in Guided Weapon Systems from Cranfield University, UK. He has also attended numerous online courses such as the Palo Alto Networks Academy Cybersecurity Foundation course. His experience covers a wide range of assignments including radar maintenance engineer, software developer for airborne radars, IT systems manager and Project Manager implementing major armament contracts.
Christos is intrigued by new challenges, open minded, and excited about exploring the impact of cybersecurity on the industrial, critical infrastructure, telecommunications, financial, aviation, and maritime sectors. He is also a regular writer for Bora.