Cost: Reactive vs. Proactive Security

• By Stephanie Haldane
• Nov 20, 2025

Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after.

Why Proactive Protection is So Important
Proactive protection is especially important in industry sectors like healthcare, education and critical infrastructure.

Consider the case of a major metropolitan hospital that had identified several back corridors and pharmacy entry points without electronic access control. These areas relied on outdated push-button locks and basic metal keys — a known issue raised multiple times by security audits.

Plugging this vulnerability gap by upgrading to badge-based access was viewed as disruptive, despite its benefits. Pharmacy staff were already stretched thin, and facilities management was reluctant to “create friction” during a time of high patient volume.

Avoiding the pain of upgrading, however, led to an unauthorized individual gaining access to the hospital through an unmonitored stairwell. This individual entered the hospital’s pharmacy via an unsecured interior door and stole a quantity of narcotics. More critically, the perpetrator physically confronted a staff member, mid-theft. The employee was injured and required medical leave.

After the incident there was an internal investigation, law enforcement was involved, and the hospital completely redesigned pharmacy access protocols. Electronic badge readers and camera monitoring that had been budgeted but shelved multiple times were now installed within weeks. Had this been done before the incident, the hospital could have pre-empted both the theft and the injury.

Proactive protection is equally important for universities, which have often been using vulnerable 125-kHz proximity cards for decades. At one university, several departments had pushed to migrate to modern encrypted smart cards or mobile credentials, like many peer institutions had. But this was deemed too expensive after calculating the costs to rebadge tens of thousands of students and staff, updating readers across dozens of buildings and managing mobile onboarding. The costs of not migrating were even higher though.

A student used inexpensive online tools to clone several prox cards and gained unauthorized access to academic buildings after hours. After custodial staff reported unusual late-night activity, a student hosted private events resulting in multiple stolen high-value assets. The breach also compromised security of a lab, storage area, restricted research wing, and sensitive data.

The university scrambled to replace physical credentials for all residents in impacted dorms and add after-hours monitoring. Within days, it had greenlit a mobile access pilot that had sat idle for over a year and was now an emergency response rather than a thoughtful implementation. It took much longer to restore trust in campus security.

A third example demonstrates the importance of proactive protection for critical infrastructure. While electronic access control had been proposed for years at a water-treatment facility, security administrators had long relied on traditional metal keys that were viewed as “simple and reliable.”

This perception – plus decades of budget constraints and leadership skepticism – had stalled the transition to electronic locks. Facility managers assumed that only a few master keys existed, but when a routine audit flagged environmental anomalies tied to manual overrides, it became clear that a former, improperly offboarded contractor had used a copied master key to enter a secured pump house after hours.

The facility had to quickly re-key the entire site, notify oversight bodies, install electronic access readers, and install credential management for all sensitive zones.

A Better Way
As these examples show, the cost of reacting to an incident is more than often higher than preempting it, and the underlying risks are rarely invisible and often ignored. It is better to mitigate these risks before something goes wrong.

This is a call to every decision-maker, planner, and budget owner in our industry to adopt a proactive approach to security.

• Budget now for the upgrades you already know are overdue. They are a strategic investment.
• Build a roadmap that phases in modernization — proactively, not reactively.
• Evaluate your blind spots honestly. If your justification is “we’ve never had an issue,” you are already vulnerable.
• Treat physical access with the same rigor as cybersecurity. One unprotected door is all it takes.

For those unsure where to start, look for a partner who can help by providing a no-obligation security review to highlight risks and practical next steps.

As you embark on this process, identify trusted advisors and subject matter experts and are deeply embedded in your vertical market. Every sector has its own particular security requirements, environments, constraints and opportunities to address.

It is not enough to source products, you need strategic insight to help you plan, prioritize, and protect your people, facility and operations, with an emphasis on mitigating and preempting rather than just reacting to breaches and their risks. Do not wait for your breach to be the catalyst. Lead before the breach.

This article originally appeared in the November / December 2025 issue of Security Today.