The average data breach costs businesses a huge £3.5 million, and the risks continue to increase. From January next year, the Digital Operational Resilience Act (DORA) will come into play. It aims to ensure a comprehensive approach that aims to fortify digital infrastructures. Tim Freestone, Chief Strategy and Marketing Officer, Kiteworks, explains more.
Unfortunately, ICT-related incidents remain rampant globally. This year, millions of records will once again be affected by data breaches, with the average breach costing businesses a staggering £3.5 million. In light of these risks, Digital Operational Resilience Act (DORA) compliance is more important than ever.
Coming into play from the January 17, 2025 and enacted by the European Parliament, DORA’s scope extends across a broad spectrum of financial entities, from banks to investment firms, as well as any service provider offering IT and cybersecurity services to those entities. By casting such a wide net, DORA ensures a comprehensive approach that aims to fortify digital infrastructures throughout the industry. DORA will act as a guiding framework to help financial entities navigate new challenges, with the need to maintain robust cybersecurity measures at its core. So, what do businesses need to do to ensure they stay protected?
Secure the data supply chain
It is important for businesses to analyse whether their entire data supply chain is secure. By setting out strict requirements for contracting, managing and reporting, DORA is making it essential for businesses to use DORA-compliant content communication tools.
This is often easier said than done. Third party tools, solutions and partnerships play an integral role in any organisation today. They can help staff communicate with other team members, safely access sensitive information and streamline project management tasks. However, they also introduce inherent risks that can compromise a business’ security posture.
It is important to not only enhance the resilience of your own business’ externally provided software, but also what your partners are using to communicate, collaborate or share content with you. Are the emails sent between the business and the supply chain secure? Are the business’ tools or that of its partners introducing undue cyber-risks? Is any file sharing tool being used compliant and can ensure that any data sent is not to an unsafe third party environment?
Know what to look for
Third party vulnerabilities could be due to inherent weaknesses in infrastructure, a lack of contingency plans for service disruptions or inadequate contractual provisions addressing cybersecurity standards. It is important to know what to look for. By identifying these vulnerabilities early on, the business can take proactive measures to mitigate risks and strengthen its overall third party risk management – enhancing overall resilience and ensuring DORA compliance in the process.
Get early buy-in
Achieving compliance with DORA requires buy-in from all stakeholders within the organisation. To streamline the compliance process and foster a culture of resilience, it is essential to secure support from key decision-makers early on. Engage with board members, executive leadership and relevant departments by communicating the importance of DORA compliance. Clearly articulate the benefits of proactive compliance efforts and the ramifications of non-compliance.
By involving stakeholders from the outset, it is far easier to secure the necessary resources and facilitate smoother implementation of DORA compliance measures. This collaborative approach not only strengthens the business’ overall resilience but also reinforces a shared commitment to cybersecurity excellence from top to bottom.
Use the right tools
Effective incident reporting and management is at the heart of DORA. To ensure ICT risk management reporting is as effective as possible, it is important for the business to ask itself whether existing reporting processes capture all relevant information accurately and efficiently. Whether reporting processes enable swift detection, containment and resolution of cybersecurity incidents. And whether the business conducts regular post-incident reviews to identify areas for enhancement.
Continually assessing and refining incident reporting and management processes can help an organisation bolster its resilience against emerging threats, safeguard critical information and demonstrate its compliance with DORA’s requirements.
For best results and to improve visibility, use a single platform to manage all communication channels. Look for solutions that offer comprehensive logging and reporting capabilities against all activity. This should include data access, file transfers, logins and more. Only then can the business record all its content communication and, as a result, evidence compliance against DORA.
Adopt automation
Automation has emerged as a powerful tool for enhancing operational efficiency and resilience throughout business. By embracing automation, organisations can not only enhance their operational resilience but also optimise resource allocation and demonstrate compliance with DORA’s requirements.
To get started, consider adopting automation tools to streamline key processes and mitigate operational risks. Explore opportunities to automate routine tasks like threat detection, incident response and compliance monitoring. With advanced analytics and Machine Learning algorithms, automation tools can also help the enterprise detect and respond to cybersecurity threats in real-time to protect vital information.
Document actions taken
It is important to prioritise the thorough documentation of any actions taken to meet DORA compliance and enhance operational resilience. These could include the detailed records of any risk assessment, incident report and any remediation effort taken. Not only will this help the organisation demonstrate its compliance efforts but will also provide the perfect opportunity to create and maintain comprehensive documentation of the organisation’s policies, procedures and protocols related to any digital operations and cybersecurity efforts.
The journey towards DORA readiness
As organisations continue to navigate the complexities of the digital landscape, achieving DORA compliance is essential for maintaining data integrity, cybersecurity and regulatory compliance.
Now is the time to begin enhancing your business’ readiness for DORA compliance, protecting sensitive data against evolving cyberthreats and upholding trust among stakeholders in the process.
The importance of ensuring compliance with DORA must not be overlooked. With severe penalties facing those who are found to be non-compliant and continuous risks threatening to gain access to sensitive information, DORA compliance can help strengthen resilience with standardised, and documented, practices.
To help on the journey towards DORA readiness in time for January 2025, make sure to look for content communication solutions that reflect the DORA regulation and vendors that are promoting DORA compliance. It is also a good idea to search for solutions that follow industry best-practice cybersecurity, such as the NIST cybersecurity framework.