Reactive security is when an incident has already happened and the organisation is now trying to figure out how to recover from it. This isn’t great, as severe damage can happen.

Figuratively, your house is built out of whatever, and a massive storm hits it. Whatever damage it did, you’re going to try to recover and rebuild.

You can see why proactivity is the obvious choice.

However, to your possible shock, small organisations mainly use this approach, despite its dangers.

Why?

It’s because of one primary reason: cost. They just cannot afford to implement a proactive approach, which leads to more security incidents where they fall for phishing extremely easily.