BT and Illumio: Simplifying DORA Compliance
Cyberattacks on European financial institutions doubled in 2023 — a stark reminder of how risks are growing in the sector. This surge makes it clear that the Digital Operational Resilience Act (DORA) is not just important — it’s crucial for helping financial firms defend against threats and recover swiftly.
In a recent webinar, Raghu Nandakumara, Illumio’s Senior Director of Industry Solutions Marketing, and Justin Craigon, BT’s Senior Consultancy Specialist, shared their expertise on managing ICT risks and preparing for DORA’s January 17, 2024, deadline.
Financial services leading the way
“The banking industry has always been at the forefront of security. Legislation like NIS2 and DORA are driving change and strengthening defenses,” says Justin.
Yet the mindset is shifting. Companies are acknowledging that breaches will happen. The focus is now: "When attackers get in, what do I need to protect most?" Prioritizing critical assets is key to limiting the damage.
“The days of the traditional perimeter defense are gone. The perimeter has shifted, and it’s no longer a simple bubble you can draw.” – Justin Craigon, BT
Recent attacks prove the need for resilience
Even the world’s largest banks aren’t immune. ICBC fell victim twice — in November 2023 and again in October 2024. “You will get hit at some point,” Justin states. The goal is not just stopping every attack but controlling the damage when it happens.
Raghu adds that the financial services industry is so interconnected that a breach in one organization can have a global impact. “When one organization is affected, it can create a ripple effect, spreading across borders and disrupting markets. That’s what DORA is designed to prevent."
From prevention to resilience
Companies must accept that attacks are inevitable and plan accordingly.
“As ICBC showed, if you’re hit once, it doesn’t mean you won’t be a target again,” says Raghu.
The shift is towards resilience. “Prevention is no longer enough,” Justin stresses. Businesses need solid incident-response plans. Recovering quickly is just as crucial as stopping the attack itself.
The 5 pillars of DORA compliance
To comply with DORA, organizations need to focus on these five key areas:
- Risk Management: “It’s about being ready for anything,” says Justin. Clear crisis plans are essential.
- Incident Management: When an attack occurs, containing it quickly limits the damage to critical systems.
- Resilience Testing: “Don’t just hope you’re safe—test your systems,” Justin advises. Regular tests find weaknesses before attackers do.
- Operational Resilience: Protect the most important parts of your business. “You can’t stop everything, but you can minimize the damage,” Justin notes.
- Incident Reporting: Be transparent about incidents while safeguarding sensitive information.
How DORA limits damage
“DORA helps limit the damage of a breach through both technical fixes and policy,” Justin explains. It pushes companies to adopt technical standards and best practices, reducing the impact of attacks.
“It’s like shutting the bulkhead doors in a submarine to keep water from spreading.” The goal is to contain the attack, stop lateral movement, and prevent supply chain issues from impacting you and your customers.
Prioritizing what matters
DORA emphasizes proportionality. "You're not expected to protect everything,” says Raghu. DORA lets companies prioritize what matters instead of requiring them to spread resources too thin.
Justin agrees: “It’s not like other frameworks where you either pass or fail. It’s about prioritizing. You have to know where your critical functions are.” DORA helps companies use their resources wisely.
Managing supply chain risks
Supply chain risk is another major concern DORA addresses. Businesses depend on third-party providers, which can become weak links. “If your supplier gets hit, that can impact you too,” warns Justin. Regular checks and management of critical suppliers are necessary.
A key risk is over-reliance on a single provider. “If all your eggs are in one basket, you’re asking for trouble,” Justin says. Companies should spread out their risks by using multiple providers.
Testing defenses
Regular testing reveals vulnerabilities in a company’s defenses. “Assume breach—act as though attackers are already inside and see how far they can get,” Justin advises. These tests highlight potential weaknesses.
In one case, BT’s penetration team breached 400 out of 800 servers due to poor segmentation. Regular testing raises awareness and strengthens defenses, helping to stop lateral movement and the spread of attacks.
Accountability at the top
DORA makes sure that responsibility for resilience doesn’t just sit with IT teams. DORA makes resilience a board-level responsibility.
“At the end of the day, the board is responsible for keeping the business running,” Justin explains.
This top-down approach ensures that resilience is integrated into the overall business strategy. With the board involved, resilience becomes central to operations — not just a compliance checkbox.
Key takeaways for DORA compliance
To meet DORA’s requirements, companies must:
- Protect their most critical functions by focusing resources on what matters most.
- Regularly test systems to find and fix weaknesses.
- Manage supply chain risks by regularly checking third-party providers.
- Involve the board in resilience planning to align with business goals.
“It’s not a matter of if a cyberattack will happen, but when. Companies must be prepared to stay strong and operational when that moment comes.” – Raghu Nandakumara, Illumio
Shaping the future of cybersecurity
DORA is reshaping how financial institutions and their suppliers think about security. Rather than only focusing on prevention, DORA encourages resilience. By protecting key systems, testing defenses, and managing supply chain risks, financial firms can be ready for the next cyber threat.
Watch the full on-demand webinar for more on how DORA is driving change in the financial sector.
Looking to dive deeper into DORA compliance? Download our eBook, Strategies for DORA Compliance: The Key Role of Microsegmentation. Learn how microsegmentation can be a game-changer for your organization’s security. Get your free copy now.