Sometimes you need a carrot and sometimes you need a stick. When it comes to testing for cyber resilience, the stakes are too high to rely on the former.
The Digital Operational Resilience Act ('DORA') is an important EU initiative to ensure that every in-scope entity has structures in place to prevent IT operational attacks, to withstand them, and to recover from them. But those structures need to be tested on a regular basis. Think of this as paying to install a fire detector in your house. It is only useful if you check the batteries on a regular basis. If a fire breaks out, it is a bit too late to do so…
Unlocking benefits through penetration testing and vulnerability assessment
DORA, which comes into full effect in January 2025, does not leave anything to chance, as the EU is well aware that not every company will see testing as a priority. In fact, financial entities identified as ‘significant’ for the purposes of advanced digital resilience testing will be required to undergo vulnerability assessments as well as threat-led penetration testing. The aim of both is similar: to ensure that the systems in place really do give the level of protection that a company was aiming for.
One of the things that bears repetition is that testing and assessments should not be seen as a burden to companies but rather as something beneficial – for many reasons. The impact of an attack depends to a large extent on the risk appetite of the company involved, but the fact that we are talking about licensed entities means it could affect customers and their finances: there is no doubt that prevention is far better than cure from a security point of view, from a reputational one, and from a remediation one. And of course, attacks can affect not only the company directly but also others indirectly.
In addition, some companies will require the clean bill of health to meet quality standards, such as ISO 27001 which requires extended testing. The ability to pool information is more important than ever given the increasing sophistication of attacks. Criminals may be targeting multiple companies and even multiple countries with ransomware or cyberattacks and identifying this as soon as possible will have major advantages in terms of prevention and cure, as well as for providers working on solutions.
Determining optimal testing intervals
Another question that BDO faces on a regular basis concerns the recommended frequency of penetration testing and vulnerability assessments. The latter should not be given any less importance: they have been around much longer and may be taken for granted, but DORA will ensure that they are not relegated to ‘afterthought’ status.
Clearly, any new systems should be subjected to testing and assessment before they go live. A company would also want to check its systems if it hears that other companies using them have been compromised. Given the cost of these tests, an annual schedule would be the most pragmatic, although the risk level of the company will ultimately determine this. Not all organisations would need similar levels of testing – although the fact that we are dealing with licensed entities implies that all have at least some level of risk with much more at stake!
A number of issues have yet to be determined by the European Supervisory Authorities and the EU, and will be published in technical standards in due course. One of these is the reporting hierarchy for companies which have to report attacks. The Malta Financial Services Authority has already done a considerable amount to help licensed entities prepare, and there are various initiatives – from webinars to podcasts – that act as reference guides and assist companies.
Training for stronger cyber security
There is, of course, another element that needs to be highlighted: human error, which remains a worrying element for companies. Companies globally will spend over €10 trillion on cybersecurity by 2025, according to a 2022 McKinsey report – but, as the saying goes, any chain is only as strong as its weakest link.
We strongly urge companies to organise shorter and sharper cyber security training sessions, rather than having a quarterly or annual one; this ensures that the topic remains uppermost in your employees’ minds. Nothing can replace an alert employee when it comes to phishing attacks and ransomware, and companies can now monitor how many of them click on fake phishing emails. It is reassuring to see steady improvements: there may be more attacks, but fewer are succeeding.
The challenge now is overcoming procrastination and ensuring that companies get going with this as soon as possible. DORA may not come into force until 2025, but two years pass in a flash. There is much that needs to be done – not just to comply with the law, but because it's good practice.
How can BDO help?
At BDO Malta, our team of technical experts is dedicated to helping your company stay ahead of the curve with the new requirements introduced by DORA. Our comprehensive range of services includes expert guidance on DORA compliance, conducting thorough risk assessments and gap analyses, developing and implementing robust incident management and business continuity plans, and providing continuous support and monitoring. Navigate the complexities of DORA and ensure your company is prepared for success with BDO.