Proactive cyber security measures are designed to prevent security incidents before they happen. These include secure coding practices, code reviews, vulnerability assessments, employee training, and regular software patching. They focus on reducing the likelihood of a successful attack by addressing potential weaknesses in systems and user behaviour. Reactive measures, on the other hand, are employed after a threat has been detected or an attack has occurred. These include intrusion detection systems (IDS), antivirus software, incident response plans, and forensic analysis. Reactive tools help contain the threat, assess damage, and recover systems. In a well-structured security strategy, both approaches are used in tandem. Proactive measures reduce the risk and surface area for attacks, while reactive tools ensure quick identification and mitigation of breaches. This layered defence strategy—often referred to as defence in depth—ensures that if one layer fails, others can detect or limit the impact of an incident, maintaining overall system resilience.

Zero-day vulnerabilities are previously unknown software flaws that attackers exploit before the developer becomes aware and can release a fix. These flaws are particularly dangerous because no patches exist at the time of exploitation, and traditional antivirus tools, which rely on known signatures, often cannot detect them. Prevention strategies like secure coding aim to reduce the likelihood of such vulnerabilities being introduced in the first place. However, since some flaws are subtle or complex, zero-day vulnerabilities can still occur despite best efforts. Mitigation relies heavily on anomaly-based intrusion detection systems, which can flag unusual behaviour patterns, and sandboxing, which allows the safe execution and observation of potentially malicious files. These tools help limit the impact of a zero-day exploit by detecting signs of compromise or isolating harmful processes. Organisations also implement rapid response protocols and threat intelligence sharing to quickly react to and contain such attacks once discovered, minimising long-term damage.

Logging is crucial in cyber security because it provides a detailed record of system and network activity, which can be used to detect, investigate, and respond to incidents. Logs help identify unauthorised access attempts, suspicious behaviour, policy violations, and system changes. In the event of a breach, logs enable forensic analysis to determine how an attacker gained access, what actions were taken, and whether data was compromised. Effective logging should include login attempts (successful and failed), file and configuration changes, application errors, network traffic, firewall events, and access to sensitive data. Logs from antivirus tools, IDS, and servers are particularly valuable. It’s also important to ensure logs are securely stored, time-stamped, and protected from tampering. Centralised log management systems and SIEM (Security Information and Event Management) platforms help correlate events across systems and automate alerting, enabling quicker responses to potential threats. Without proper logging, attackers may go undetected, and response efforts are hindered.

Configuration management ensures that systems are consistently and securely set up across an organisation’s infrastructure. It involves maintaining a known and approved configuration for hardware, software, and network devices, reducing the risk of misconfigurations that attackers could exploit. System hardening, a related concept, focuses on reducing vulnerabilities by disabling unnecessary services, removing default accounts, restricting user permissions, and enforcing strict security settings. For example, disabling unused ports, uninstalling redundant applications, and applying secure configuration templates are common hardening techniques. Both practices help enforce uniform security controls and minimise attack surfaces. Tools such as configuration management databases (CMDBs), automated deployment scripts, and compliance scanners ensure that systems remain in a secure state. If deviations are detected, alerts can be triggered, or corrections can be made automatically. By maintaining consistent, secure configurations and hardening systems, organisations significantly reduce the risk of both automated and targeted attacks exploiting poorly secured or misconfigured systems.

Network segmentation divides a network into separate segments or zones, each isolated from others using firewalls, VLANs, or routing rules. This structure limits communication between parts of the network, so if malware or an attacker compromises one segment, they cannot easily access others. For example, user workstations can be placed in one segment, while servers and critical infrastructure are kept in another. Segmentation prevents lateral movement—where an attacker moves across systems once inside the network—which is a common tactic in advanced persistent threats (APTs) and ransomware attacks. It also allows for tailored security policies per segment, such as stricter controls on sensitive data areas. When combined with monitoring tools, segmentation makes it easier to detect anomalies within each zone and respond quickly. For instance, unusual access from a user network to a server segment can trigger an alert. Overall, segmentation strengthens internal defences, reducing the impact of breaches and improving containment.