Proactive vs reactive cybersecurity: choosing the sustainable option

Tedel Baca

Security Engineer

Just a couple of months ago, Apotheka, the biggest pharmacy chain in Estonia, informed its 700 000 customers that their data, including personal identification numbers, purchase history and contact details, had been leaked by cyberattackers. To put that into perspective, it is the personal and/or sensitive data of over half of the country's population.
This is one of many cyberattack cases in Estonia and worldwide, alongside the RIA data breach, the Equifax data breach or the Iranian attack against the Albanian government, to name just a few. All of these cases show how imperative it is to have a good cybersecurity posture in place before an incident actually happens.

It never happens to you… until it does

Many organisations still have misconceptions about proactive cybersecurity, such as:

  • Proactive security is expensive and time-consuming;
  • Proactive security is only for large companies because of compliance requirements;
  • They do not feel as vulnerable as large companies.

Contrary to these beliefs, proactive security saves organisations time and money compared with tackling a cyber incident from zero.

Let's illustrate this with dental hygiene and dental problems, something most people are familiar with. We brush our teeth daily to prevent various dental problems through good hygiene. It wouldn't make sense to wait for your teeth to develop cavities before beginning good hygiene practices, right? That is a reactive approach. Even if a cavity does not cause you any pain or look serious, the decay can spread quickly, and soon enough your real teeth have to be replaced with costly implants. In hindsight, simply having appropriate hygiene from the start would have saved you time, money and your oral health.

Proactive and reactive cybersecurity have the same principles as the example above. If an organisation is prepared proactively by:

  • Monitoring its network traffic with intrusion detection and prevention systems in order to build threat intelligence, a task these tools increasingly support with AI;
  • Training employees in cyber hygiene. A Stanford report found that 88% of data breaches involve human error;
  • Regularly performing proper penetration testing and red-team engagements, not just for compliance, but to clearly define the organisation's critical assets and test their security as thoroughly as possible. It is harder for attackers to find vulnerabilities and exploits that penetration testing or a red-team engagement has already discovered and the organisation has fixed. A red-team engagement can also include phishing campaigns, which complements the point on cyber hygiene above: if weaknesses caused by human error are discovered, it is easier for IT staff to show why investment in proactive cybersecurity is crucial;
  • Conducting risk assessments of the organisation's assets, such as hardware, software and data;
  • Regularly updating the organisation's software and systems, and developing and implementing a proper cybersecurity policy. If the organisation is too small to have an in-house CISO, this can also be done by hiring a CISO-as-a-service;

then, in the event of a cyber incident, the damage will be smaller and the incident response and disaster recovery processes will be quicker and more efficient.

An important aspect of the proactive approach is the organisation's motivation to implement the measures described above properly. If penetration testing is carried out only for compliance reasons, more often than not its quality is low because it relies on automated processes. This, in turn, wastes time and resources, since such measures do not offer real protection.

Why automated tools alone are not enough

Using automated tools for penetration testing can be tempting, especially for smaller companies, as it is cheap and requires little involvement from the organisation's employees. Unfortunately, there are many crucial areas where automated tools are not enough. They cannot reason about an application's business logic or about who is allowed to do what, and they cannot account for human error. The time and resources spent on such solutions are therefore wasted and offer a false sense of security. Below is a quick case study that outlines the kind of risk that persists when only automated tools are used.

Let us say that a web application has proper input validation in place but has an access control issue: a low-privileged web user can perform administrative functionality, such as adding or removing users, in the web application.

Cheap service providers usually run an automated scan (e.g., Nessus or Burp Scanner), add a miscellaneous low- or informational-risk finding (classified, e.g., against the OWASP ASVS standard) that is unrelated to the access control issue, and on that basis produce a report with recommendations for the organisation.

The organisation believes those are the only security issues, but the risk of a cyberattack remains: an attacker can gain access to a low-privileged web user's account (e.g., through phishing, that is, human error), use that account to reach the administrative functions, and steal data. The stolen data may then be sold on the dark web.

This case illustrates how resources invested in automated penetration testing produce a low-quality engagement. As a result, a cyberattack may still have a big impact on the organisation's security and reputation, and may bring further repercussions such as fines.

Thus, it is advisable to invest in a reputable service provider to perform a properly scoped penetration test and/or red-team engagement, which in this case would have discovered the access control issue and recommended remediation: a server-side authorisation check on every administrative function. Even if the attacker had compromised the low-privileged account from our case, that check would have stopped the account from reaching administrative functions, keeping the organisation's data safe.
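To make the case study concrete, here is an added example (not code from the article or from any product it mentions) of the flaw and its fix, together with the two checks that separate a scanner from a manual tester. The user store, the role names "admin" and "user", and the username policy are assumptions made for the example. Both versions of the handler validate their input, so an injection-style probe passes on both; only calling the administrative function as a low-privileged session, which is what a manual tester does and a scanner does not, tells them apart.

```python
"""Broken access control beside its fix, with the probes that do and do not find it.
Constructed example; not the article's code and not tied to any real application."""
import re
from dataclasses import dataclass, field

# Assumed username policy: lowercase start, 3 to 32 characters of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


class Forbidden(Exception):
    """The calling session is not allowed to perform the action."""


class BadInput(ValueError):
    """A request parameter failed validation."""


@dataclass
class User:
    username: str
    role: str  # assumed roles: "admin" or "user"


@dataclass
class App:
    """Stand-in for the web application's user store (constructed)."""
    users: dict = field(default_factory=dict)


def validate_username(name: str) -> str:
    """Input validation is in place, as in the case study; this is what scanners exercise."""
    if not USERNAME_RE.fullmatch(name):
        raise BadInput(f"invalid username: {name!r}")
    return name


def delete_user_vulnerable(app: App, session_user: User, target: str) -> bool:
    """Vulnerable: validates the parameter but never asks who is calling.
    Only the UI hiding the button keeps ordinary users away from this action."""
    target = validate_username(target)
    return app.users.pop(target, None) is not None


def delete_user_hardened(app: App, session_user: User, target: str) -> bool:
    """Hardened: deny by default, and decide from the server-side session role,
    never from anything the client sent."""
    if session_user.role != "admin":
        raise Forbidden(f"{session_user.username} may not delete users")
    target = validate_username(target)
    return app.users.pop(target, None) is not None


def make_app() -> App:
    """Constructed sample accounts."""
    return App({
        "admin": User("admin", "admin"),
        "alice": User("alice", "user"),
        "bob": User("bob", "user"),
    })


def input_probe(handler) -> bool:
    """The kind of check an automated scanner covers: a malformed parameter.
    Returns True when the handler rejects it, which both versions do."""
    app = make_app()
    try:
        handler(app, app.users["admin"], "bob' OR 1=1 --")
    except BadInput:
        return True
    return False


def probe_admin_action(handler) -> dict:
    """What a manual tester does: log in as the lowest-privileged account and call
    the administrative function directly, then check whether it took effect.
    Returns {role: effect_happened}; True under "user" is a broken access control finding."""
    results = {}
    for caller in ("alice", "admin"):
        app = make_app()
        session = app.users[caller]
        try:
            handler(app, session, "bob")
            results[session.role] = "bob" not in app.users
        except Forbidden:
            results[session.role] = False
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", delete_user_vulnerable),
                          ("hardened", delete_user_hardened)):
        print(name, "input probe rejected:", input_probe(handler),
              "admin action by role:", probe_admin_action(handler))
```

The fix is deliberately small: the authorisation check reads the role from the server-side session and denies by default, so a phished low-privileged account can no longer reach the administrative function no matter how the request is crafted.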

To conclude, cyberspace and its security are becoming more intertwined with physical security every day. It is therefore imperative, for the sake of an organisation's future, to invest in quality resources that enhance its proactive security, rather than waiting and responding reactively only once a cyberattack has already created havoc.