DORA: A blueprint for cyber resilience in the U.S.
In today's post-pandemic world, businesses are moving back into the office while keeping the lessons the pandemic taught them. Digital operations are the new normal. As business innovation lets enterprises deliver faster and easier-to-consume services to customers, the digital way of doing business keeps creating a larger digital footprint than ever before.
A continuously growing digital footprint, however, also means the number of possible targets for cyberattacks is growing just as rapidly. What is worth noting is that while investment in cybersecurity has increased, so have the attacks. According to CrowdStrike, attackers are moving faster inside enterprises after an initial breach: the average time to reach "patient 1" after "patient 0" (the breakout time, the usual indicator of lateral movement) fell from 84 minutes to 62 minutes in the last year. Unfortunately, while many enterprises continue to invest in cybersecurity, far fewer invest in cyber defense, yet everyone wants the assurance of cyber resilience.
With the role of cybersecurity leaders increasingly the focus of laws and regulations, there is now precedent that a CISO could go to jail. It is therefore critical that businesses build a stronger cyber defense strategy to anticipate, model, defend against, withstand, operate through, and recover from cyberattacks, and so become breach-ready. And we should have started yesterday.
Without being breach-ready, organizations suffer decision freeze during the crucial first moments of a cyberattack, which gives attackers an even larger window of access to critical systems and data. Organizations need to contain an attack's lateral spread while ensuring that critical business operations continue, which is what an operationally resilient organization looks like. Regulatory focus on operational resilience is not new, but it is now imperative that it extend to the operations of the digital business.
Enter DORA – The Digital Operational Resilience Act
Regulators are treating this as a priority across all EU member states, and the EU formally adopted DORA in November 2022. DORA sets out the expectations for the ICT capabilities of financial entities and their supply chains. EU-based financial entities and their third-party ICT service providers have until January 17, 2025, to comply with DORA before it applies and enforcement starts.
Notably, DORA also applies to some entities typically excluded from financial regulation. For example, third-party service providers that supply financial firms with ICT systems and services, such as cloud service providers and data centers, must follow DORA requirements. DORA also covers firms that provide critical third-party information services, such as credit rating services and data analytics providers.
DORA makes an entity's management body, including board members and executive leaders, accountable: they are expected to define appropriate risk management strategies, actively take part in executing them, and keep their knowledge of the ICT risk landscape current. Leaders will also be held personally accountable for an entity's failure to comply. To comply, entities are expected to understand the impact of the unavailability of critical digital business services. Business leaders need to know how secure their digital operations are, whether their security investments can defend against likely cyberattacks, and whether their digital operations can keep running when faced with digital disruption.
Other nations that are regular targets of digital disruptions such as cyberattacks could benefit from legislation similar to DORA that holds leaders more accountable for protecting digital business operations. In the U.S., such legislation would help address risk management comprehensively across industries and harmonize existing state and federal cybersecurity regulations, among many other benefits.
From Cyber Secure to Cyber Resilient
DORA seeks to establish a comprehensive approach to ICT risk management within the financial services sector while harmonizing existing regulations across EU member states. Under DORA, covered entities must develop robust ICT risk management frameworks, conduct continuous risk assessments, and document cyber threats and incident response protocols. Strict incident reporting requirements and regular digital operational resilience testing are also integral parts of DORA compliance. In an era of escalating cyber threats and growing digital interconnectivity, the importance of digital operational resilience cannot be overstated.
Traditional cybersecurity controls aimed at stopping an attacker's initial access, such as MFA, firewalls, and EDR, are essential, but they often fall short of holistic protection against sophisticated threats because of configuration errors, unmanaged changes, delays in patching exposed systems, and plain human error. Security teams should assume that some cyberattacks will succeed and result in a breach. Businesses should therefore prepare proactively with a cyber defense strategy rooted in the Zero Trust security model, so they can maintain digital operational resilience even as cyberattacks increase. Removing implicit trust and standing access permissions wherever possible, so that an intruder cannot move laterally, is what keeps digital operations running across IT networks, cloud infrastructure, and OT/ICS/IoT systems.
Agnidipta Sarkar is VP CISO Advisory of ColorTokens.