6 Months Until DORA Regulations Kick In. Are You Ready?

DDoS attacks increased in Europe by 73 percent this year – and in 50 percent of the cases, financial services companies were the target. With this steep rise in DDoS attacks, what can financial services organizations do to achieve business continuity? And how does this relate to the EU’s new Digital Operational Resilience Act (DORA)?

We explored these questions in MazeBolt’s latest webinar with Jelena Matone, CISO at the European Investment Bank, and Amit Morson, VP of Services at MazeBolt. Here are some of the top takeaways from the webinar.

Where We’re At

The current increase in DDoS attacks in Europe comes at a time when there’s increased pressure on financial organizations resulting from DORA, which is coming fully into effect on January 17, 2025. With pressure coming from so many other directions, it’s hard to prioritize DORA readiness. Based on a live poll on DORA readiness that we conducted as part of the webinar:

  • 27% of our participants have not started preparing for DORA
  • 59% are in progress
  • 5% are compliant
  • 9% don’t know

Amit emphasized that, “We know that there are a lot of organizations that have around 20-30% DORA readiness coverage. And then, there’s a lot of work to be done. It’s time to start.”

Strengthening Security Posture

By regulating ICT risk management, DORA aims to enhance security and resilience, reduce risk to critical infrastructure, protect sensitive data, and push businesses to align with cyber insurance guidelines. DORA emphasizes:

  • Continual risk assessment
  • Operational resilience
  • Timely detection and mitigation

According to Jelena, “DORA is part of a broader effort to strengthen the EU’s financial regulatory framework, particularly in response to the increasing digitalization of financial services and growing cybersecurity threats, especially in financial institutions.

“It’s definitely a lot of work…to comply with it. But at the same time, as a practitioner, this is very much welcomed and something that we need to strengthen our security postures.”

Going Beyond “Just” Compliance

As a cybersecurity regulation for the financial sector, DORA is designed to curb disruption to financial stability. It primarily impacts Information and Communications Technology (ICT) providers that serve Banking, Financial Services and Insurance (BFSI) organizations. Compliance with DORA will be crucial to avoid penalties, fines, and reputational damage in the event of a cyberattack.

Jelena pointed out that, “DORA encourages organizations to adopt what I would like to call a ‘Breaking Bad’ mentality, but in a good way! Where ethical hacking, i.e., deliberately probing one’s own organization for vulnerabilities and resilience, is not just acceptable but in fact even encouraged.

“For me, that’s something new. It’s not just checking off your compliance, it’s making you check what you said – that you have the controls on in real time, and that you probe your own network and systems.”

Amit added, “We see with other regulations that companies will acquire some kind of solution, they check the checkbox. ‘I have the solution, it’s installed somewhere in the network on some server, and that’s it, I’m done.’ But what DORA is doing is making you check that these services actually work. This is one of the things that I’ve noticed that is different in DORA than a lot of other regulations.”

Reporting Requirements and Third-Party Risk Management

According to Jelena, “DORA mandates the enhanced incident reporting and notification requirements for financial institutions in the EU. It includes reporting significant cyber incidents to regulators and other relevant authorities, as well as notifying the affected customers and shareholders in a timely manner. That’s something new that was not set in stone with other regulations.

“Then we have third-party risk management. DORA places much greater emphasis on managing risks associated with third parties or service providers, including cloud service providers, etc. Financial institutions are required to assess and monitor the operational resilience of their third-party vendors, ensuring they meet certain standards.”

Current DDoS Protection Solutions Are Not Up to the Task

DORA aims to standardize ICT risk management through five pillars:

  • Resilience testing – Testing and challenging ICT resilience, proportionate to the organization’s size and risk profile
  • Risk management – Continuous identification of risk from a diverse range of sources, to ensure fast detection of and response to suspicious activity
  • Reporting – Use of a standard template for incident reporting, and development of a process to monitor and log ICT-related incidents
  • Third-party risk – Monitoring of, and transparency in, service provider contracts to manage third-party risk
  • Information sharing – Collaborating within trusted communities

MazeBolt’s Always-On Approach Eliminates Downtime

The legacy approach to proving compliance typically involves manual red team testing: a red team exercise that ends in a certificate stating that the business could withstand an attack. The process usually tests resilience once or twice a year with an intentional attack on the network, which causes downtime for online services. Moreover, according to our research, it is not sufficient to protect a business.

MazeBolt research shows that even organizations that deploy DDoS protection solutions experience up to 75% vulnerability exposure of their online services.

While legacy approaches to red teaming may cover between 10 and 15 attack methods on a single domain, MazeBolt has more than 150 types of attack vectors listed in our knowledge base, allowing thousands of simulations to be run. Our always-on technology, RADAR™, ensures full coverage against all DDoS attack types and trends, using a non-disruptive methodology that avoids any impact on business continuity.

Want to learn more about how we can help your business achieve business continuity? Watch our webinar today!
