
BT and Illumio: Simplifying DORA Compliance

Cyberattacks on European financial institutions doubled in 2023 — a stark reminder of how risks are growing in the sector. This surge makes it clear that the Digital Operational Resilience Act (DORA) is not just important — it’s crucial for helping financial firms defend against threats and recover swiftly.

In a recent webinar, Raghu Nandakumara, Illumio’s Senior Director of Industry Solutions Marketing, and Justin Craigon, BT’s Senior Consultancy Specialist, shared their expertise on managing ICT risks and preparing for DORA’s January 17, 2024, deadline.

Financial services leading the way

“The banking industry has always been at the forefront of security. Legislation like NIS2 and DORA are driving change and strengthening defenses,” says Justin.

Yet the mindset is shifting. Companies are acknowledging that breaches will happen. The focus is now: "When attackers get in, what do I need to protect most?" Prioritizing critical assets is key to limiting the damage.

“The days of the traditional perimeter defense are gone. The perimeter has shifted, and it’s no longer a simple bubble you can draw.” – Justin Craigon, BT

Recent attacks prove the need for resilience

Even the world’s largest banks aren’t immune. ICBC fell victim twice — in November 2023 and again in October 2024. “You will get hit at some point,” Justin states. The goal is not just stopping every attack but controlling the damage when it happens.

Raghu adds that the financial services industry is so interconnected that a breach in one organization can have a global impact. “When one organization is affected, it can create a ripple effect, spreading across borders and disrupting markets. That’s what DORA is designed to prevent.”

From prevention to resilience

Companies must accept that attacks are inevitable and plan accordingly.

“As ICBC showed, if you’re hit once, it doesn’t mean you won’t be a target again,” says Raghu.

The shift is towards resilience. “Prevention is no longer enough,” Justin stresses. Businesses need solid incident-response plans. Recovering quickly is just as crucial as stopping the attack itself.

The 5 pillars of DORA compliance

To comply with DORA, organizations need to focus on these five key areas:

  • Risk Management: “It’s about being ready for anything,” says Justin. Clear crisis plans are essential.
  • Incident Management: When an attack occurs, containing it quickly limits the damage to critical systems.
  • Resilience Testing: “Don’t just hope you’re safe—test your systems,” Justin advises. Regular tests find weaknesses before attackers do.
  • Operational Resilience: Protect the most important parts of your business. “You can’t stop everything, but you can minimize the damage,” Justin notes.
  • Incident Reporting: Be transparent about incidents while safeguarding sensitive information.

How DORA limits damage

“DORA helps limit the damage of a breach through both technical fixes and policy,” Justin explains. It pushes companies to adopt technical standards and best practices, reducing the impact of attacks.

“It’s like shutting the bulkhead doors in a submarine to keep water from spreading.” The goal is to contain the attack, stop lateral movement, and prevent supply chain issues from impacting you and your customers.

Prioritizing what matters

DORA emphasizes proportionality. “You’re not expected to protect everything,” says Raghu. DORA lets companies prioritize what matters instead of requiring them to spread resources too thin.

Justin agrees: “It’s not like other frameworks where you either pass or fail. It’s about prioritizing. You have to know where your critical functions are.” DORA helps companies use their resources wisely.

Managing supply chain risks

Supply chain risk is another major concern DORA addresses. Businesses depend on third-party providers, which can become weak links. “If your supplier gets hit, that can impact you too,” warns Justin. Regular checks and management of critical suppliers are necessary.

A key risk is over-reliance on a single provider. “If all your eggs are in one basket, you’re asking for trouble,” Justin says. Companies should spread out their risks by using multiple providers.

Testing defenses

Regular testing reveals vulnerabilities in a company’s defenses. “Assume breach—act as though attackers are already inside and see how far they can get,” Justin advises. These tests highlight potential weaknesses.

In one case, BT’s penetration team breached 400 out of 800 servers due to poor segmentation. Regular testing raises awareness and strengthens defenses, helping to stop lateral movement and the spread of attacks.

Accountability at the top

DORA ensures that responsibility for resilience doesn’t sit only with IT teams; it makes resilience a board-level responsibility.

“At the end of the day, the board is responsible for keeping the business running,” Justin explains.

This top-down approach ensures that resilience is integrated into the overall business strategy. With the board involved, resilience becomes central to operations — not just a compliance checkbox.

Key takeaways for DORA compliance

To meet DORA’s requirements, companies must:

  • Protect their most critical functions by focusing resources on what matters most.
  • Regularly test systems to find and fix weaknesses.
  • Manage supply chain risks by regularly checking third-party providers.
  • Involve the board in resilience planning to align with business goals.

“It’s not a matter of if a cyberattack will happen, but when. Companies must be prepared to stay strong and operational when that moment comes.” – Raghu Nandakumara, Illumio

Shaping the future of cybersecurity

DORA is reshaping how financial institutions and their suppliers think about security. Rather than only focusing on prevention, DORA encourages resilience. By protecting key systems, testing defenses, and managing supply chain risks, financial firms can be ready for the next cyber threat.

Watch the full on-demand webinar for more on how DORA is driving change in the financial sector.

Looking to dive deeper into DORA compliance? Download our eBook, Strategies for DORA Compliance: The Key Role of Microsegmentation. Learn how microsegmentation can be a game-changer for your organization’s security. Get your free copy now.
