Automate compliance. Simplify security. Demonstrate trust. Vanta is the industry’s first Trust Management Platform. We automate GRC workflows and centralise security program management to give growing companies a fast, frictionless way to get compliant, stay secure, and earn and maintain the trust of vendors and customers alike.
Streamline your ISO 27001 certification process. Considered the international gold standard for information security management, ISO 27001 is essential for companies looking to kickstart their next phase of growth across Europe and other global markets.
Streamline evidence collection to verify controls across 35+ cybersecurity frameworks, moving beyond point-in-time assessments to continuous monitoring and risk management.
28th July 2025, Newbury
Cyberfort announced today that it has joined the Managed Service Provider (MSP) Partner Program of Vanta, the leading AI trust management platform. The program enables partners to grow their business and deliver more value to their clients by turning demonstrable trust into a marketable advantage.
Vanta is the leading trust management platform that helps simplify and centralise security and compliance for organisations of all sizes. Over 12,000 companies, including Atlassian, Duolingo, Icelandair and Ramp, rely on Vanta to build, maintain and demonstrate their trust in a way that is real-time and transparent.
Cyberfort will use the Vanta platform to supplement its market-leading Governance, Risk and Compliance (GRC) consultancy services. Cyberfort’s GRC services enable organisations to demonstrate compliance with key regulatory and industry frameworks including ISO 27001, ISO 42001, DORA, GDPR, NIST CSF 2.0 and SOC 2.
Glen Williams, Cyberfort CEO, commented:
“Many organisations are facing skills gaps and effective process management challenges in relation to Governance, Risk and Compliance. With data protection regulations evolving, governance becoming more complex and security compliance with industry standards crucial to a business’s success, organisations need access to the right skills, platforms and processes. We are delighted to be partnering with Vanta. The Vanta and Cyberfort partnership brings together two experts in their field, with a perfect match that complement each other’s services. The Vanta platform with its automations, integrations and prebuilt frameworks alongside our accredited consultants will enable our customers to efficiently manage Governance, Risk and Compliance processes both today and in the future.”
Elliot Goldwater, SVP of Sales and Partnerships at Vanta, said:
“We’re thrilled to welcome Cyberfort to our MSP Partner Program, which offers the fastest and simplest approach to continuous security monitoring and automated compliance for managed service providers.”
“By putting Vanta’s market-leading AI trust management platform as the cornerstone of their security managed service offering, Cyberfort can expand their clients’ security while building their own competitive advantage.”
At the foundation of the MSP Partner program is Vanta’s trust management platform that simplifies and centralises security program management by providing full visibility into an organisation’s risk. Vanta enriches those findings with contextual data, and helps organisations remediate issues and track progress as a single source of truth for their security posture. Vanta’s MSP Partner Program features a multi-tenant management console, world-class partner support and flexible billing integration, making it seamless for partners to deliver value to their clients while scaling up their business. For more information about Vanta’s MSP Partner Program, visit: https://www.vanta.com/msp.
Vanta’s Service Provider ecosystem strengthens customers’ security posture by partnering with the most prominent virtual Chief Information Security Officers, managed security service providers, and advisory/consulting firms. With Vanta as their foundational tool, partners are able to offer an expansive breadth and depth of security offerings, increasing overall client satisfaction.
Cyberfort is an all-encompassing cyber security services provider. We are passionate about the cyber security services we deliver for our customers, which keep their people, data, systems and technology infrastructure secure, resilient and compliant. Over the past 20 years we have combined our market-leading accreditations, peerless cyber security expertise, strong technology partnerships, investment in our future cyber professionals and secure locations to deliver a cyber security experience that enables customers to achieve their business and technology goals in an ever-changing digital world.
Glen Williams at Cyberfort describes five ways to elevate security measures beyond the UK’s Cyber Essentials Plus security standard
While cyber-security is nominally a top boardroom priority, the boardroom itself is becoming a risk. Many businesses have no CISO or other cyber-security representative at board level, even as the cyber-security risks they face keep rising. This gap between stated priority and actual ownership can itself weaken cyber-defences and leave companies wide open to successful breaches.
In fact, the UK Government’s Cyber Security Breaches Survey 2025 shows a steady decline in board-level ownership: the share of businesses with a board member responsible for cyber-security has fallen from 38% to 27% over the last four years. Yet with almost three-quarters (72%) of business respondents rating cyber-security a ‘high priority’, there is a clear disconnect between the responsibility boards say the topic deserves and the responsibility they actually assign.
This friction may help explain why average CISO tenure is estimated at only 18 to 26 months, according to the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures.
The UK Government cyber-security breaches report also tells us that current threat levels for UK businesses remain high, with as many as 43% of businesses and three in ten charities experiencing some kind of cyber-security breach or attack in the last 12 months. Being targeted is inevitable, and security teams must plan for a successful breach.
Cyber-security complacency at board level
With fewer CISOs in the boardroom, and a threat landscape dominated by ransomware and highly targeted social engineering, the board directors left holding cyber-security responsibility are often not equipped to own it.
There is clear evidence of the need for information security representation at board level. Research by the World Economic Forum shows that those organisations that have strong executive involvement in cyber-security are 400% more likely to repel or rapidly recover from an attack.
In fact, Cyberfort’s own customer research has highlighted an alarming complacency – that many businesses consider a Cyber Essentials Plus (CE+) certification sufficient to keep their organisation secure and fulfil board requirements. As high-profile breaches continue to dominate the media agenda, this is a high-risk strategy.
Limitations of CE+
Cyber Essentials is a UK Government-backed certification scheme, launched in 2014, that sets a minimum baseline of cyber-security controls and is assessed by self-assessment questionnaire. Cyber Essentials Plus (CE+) requires the same controls, but adds hands-on technical testing, including vulnerability scanning, by an external assessor before a pass can be awarded.
CE+ covers five basic areas, which might at one point have been sufficient to counter cyber-risks: patch management, access control, malware protection, secure configuration, and boundary firewalls.
Yet one of the greatest shortcomings of relying on CE+ is that it contains no requirement for real-time threat detection and response, the capability that catches an intrusion early enough to contain it. CE+ was never designed to protect organisations against advanced persistent threats (APTs), targeted attacks, or the evolving techniques criminal groups use today; it is a baseline against commodity attacks.
According to the UK Information Commissioner’s Office (ICO), over 80% of successful cyber-security incidents begin with phishing, yet CE+ has no requirements around simulated phishing or awareness training beyond general advice.
Five ways to elevate cyber-security protection
By taking the following measures, security leaders give their organisations the best chance of limiting the damage when a cyber-attack does succeed:
Real-time threat detection and response
A Security Operations Centre (SOC), fed by a Security Information and Event Management (SIEM) platform and Endpoint Detection and Response (EDR) tooling, is the most effective way to spot an intrusion while it is still in progress and contain it before it becomes a breach. CE+ checks that preventive controls are in place; it does not check that anyone would notice when those controls are bypassed.
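To make concrete what detection adds on top of CE+’s preventive controls, here is a small added example, not Cyberfort’s or any vendor’s code, of the kind of correlation rule a SIEM runs continuously: it parses authentication log lines and raises an alert when one source address produces five or more failed logons and then a successful one within five minutes, the pattern a password-spraying or brute-force attacker leaves behind. The sshd-style log format, the field names, the window and the threshold are all assumptions chosen for illustration, and the sample lines are constructed.

```python
"""Minimal SIEM-style correlation rule: many failed logons from one source
followed by a success within a short window.

Added illustration only; not Cyberfort's or any vendor's detection logic.
The log format, thresholds and sample data below are assumptions.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an sshd-like format. A real SIEM normalises many
# formats; this one is deliberately simple and assumed to be in time order.
SAMPLE_LOGS = """\
2025-07-28T09:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51000
2025-07-28T09:00:04Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51001
2025-07-28T09:00:09Z sshd[1201]: Failed password for root from 203.0.113.7 port 51002
2025-07-28T09:00:15Z sshd[1201]: Failed password for backup from 203.0.113.7 port 51003
2025-07-28T09:00:22Z sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51004
2025-07-28T09:00:40Z sshd[1201]: Accepted password for jsmith from 203.0.113.7 port 51005
2025-07-28T09:05:00Z sshd[1201]: Failed password for jsmith from 198.51.100.4 port 40001
2025-07-28T09:06:30Z sshd[1201]: Accepted password for jsmith from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def detect_bruteforce_then_success(lines, window=timedelta(minutes=5), threshold=5):
    """Return one alert per source IP whose successful logon was preceded by
    at least `threshold` failures inside `window`.

    Failures are kept per source in a deque and expired as time moves on, so
    memory stays bounded even on a long-running stream.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, username)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # a real pipeline would count unparsed lines as a health metric
        recent = failures[ev["src"]]
        # Drop failures that fell out of the correlation window.
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()
        if not ev["ok"]:
            recent.append((ev["ts"], ev["user"]))
            continue
        if len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],                       # account that was finally opened
                "failures": len(recent),
                "targeted_users": sorted({u for _, u in recent}),
                "ts": ev["ts"].isoformat(),
            })
            recent.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOGS.splitlines()):
        print("ALERT brute force then success:", alert)
```

Run as a script it flags 203.0.113.7 (five failures across four accounts, then a successful logon as jsmith) and stays silent on 198.51.100.4, whose single mistyped password is normal user behaviour. Every CE+ control could be in place on that host and the first attacker would still have a valid session; only a rule like this, reviewed by someone on shift, turns that session into an incident while it can still be contained.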
Phishing and social engineering resilience
Regular simulated phishing combined with role-specific awareness training is the only reliable way to counter social engineering attacks in which emails are highly personalised and appear to come from a known colleague or supplier.
Cloud and hybrid environment protection
CE+ still assumes a traditional network perimeter, leaving many of the risks of modern SaaS, IaaS and BYOD environments unaddressed. As these ecosystems grow in complexity, so does the attack surface.
Business continuity and incident response planning
Most remarkably, there is no requirement under CE+ to prove you can recover from a ransomware attack or data breach. Planning for the worst, and rehearsing that plan, is essential to understanding the organisation’s real exposure.
Third-party and supply chain risk
As seen in recent high-profile breaches, attackers often compromise third-party vendors or contractors to reach their real targets. Because CE+ neither assesses nor governs these relationships, it is up to each business to identify and manage the risks in its own supply chain.
Consequences of gaps in protection
There are some serious risks associated with investing in and relying on CE+ alone. To start with, a breach can bring heavy regulatory penalties under data protection law: the average ICO fine for a serious cyber-incident in the UK was £153,722 in 2024.
Insurers are also increasing their demands, with some underwriters insisting on evidence of 24/7 monitoring and tested incident response plans as a condition of cover. Business partnerships are also becoming dependent on a company’s cyber-security posture, with rising expectations of ISO 27001 or sector-specific certifications such as NHS DSPT or PCI DSS compliance.
The knock-on effects of a business’s reputational and financial damage can’t be ignored. According to Hiscox’s 2024 Cyber-Readiness Report, almost half (47%) of organisations struggled to attract new customers following a successful cyber-attack. A major UK-based systems integrator suffered a breach in 2023 that cost £25 million in recovery, fines, and lost business, despite having security certifications.
The impact on business operations can be extensive with far-reaching consequences. In 2024, the average ransomware incident led to 21-24 days of downtime and cost $2.73 million, according to NinjaOne.
Four key actions security leaders must take
Ultimately, information security decision-makers must take four key actions to ensure their organisation is secure, resilient and compliant:
Ensure board-level oversight of cyber-risk through regular briefings, KPIs and named executive ownership
Commission an independent cyber-risk assessment that goes beyond Cyber Essentials Plus
Invest in detection and response capabilities, whether in-house or outsourced
Adopt a recognised security framework such as the NCSC’s Cyber Assessment Framework (CAF), the NIST Cybersecurity Framework (CSF) 2.0, or ISO 27001
Organisations must recognise that CE+ certification is not sufficient to counter today’s cyber-threats: it is only a baseline standard.
As threat actors evolve faster than defences, cyber-security leaders, and those responsible for cyber-security at board level, must have detection capabilities that identify threats as they arise. This means elevating practices beyond CE+, adopting tools and measures that strengthen defences, and planning proactively for a breach so that its impact on the business, stakeholders, customers, employees and the supply chain is limited should the worst occur.
Moving forward as organisations navigate through the cyber-security world, one thing is clear. Cyber Essentials Plus is the beginning, not the end. By acting now, business directors and cyber-security teams can safeguard their organisations, protect stakeholder trust, and meet their obligations in an increasingly hostile threat landscape.
Cyber threats are evolving at an unprecedented pace, growing more sophisticated and harder to detect. In response, organisations are investing heavily in cutting-edge technologies, from firewalls and encryption to AI-powered threat detection systems. While these tools are essential, there is a growing tendency to rely too heavily on technology alone, overlooking a crucial element in the cyber security equation – people.
It is often said that humans are the weakest link in security, but this narrative is outdated and misleading. In reality, people can be the strongest line of defence, when they are properly trained, supported, and empowered. Cyber security is not just a technical challenge; it is a human one. The ability to recognise phishing attempts, follow secure practices, and respond swiftly to incidents often determines whether an attack succeeds or fails.
People are not the weakest link; they are the critical differentiator. At Cyberfort we believe it is time to shift the focus and invest in human resilience as much as technological strength.
Human Factor
According to the 2025 Verizon Data Breach Investigations Report (DBIR), approximately 60% of all confirmed breaches involved a human action, whether clicking on a malicious link, falling victim to social engineering, or making an error such as misdelivering sensitive data. This statistic underscores a critical truth: while technology plays a vital role in cyber security, human behaviour remains a central factor in both risk and resilience. Rather than viewing people as the problem, organisations must recognise them as a powerful part of the solution. With the right training, awareness, and support, employees can become proactive defenders, identifying threats, reporting anomalies, and making informed decisions that technology alone cannot.
Culture and Behaviour
At the heart of a cyber resilient organisation is a culture that values open communication, psychological safety, and shared responsibility. These cultural traits shape the everyday behaviours that determine how effectively an organisation can prevent, detect, and respond to cyber threats.
Employees are encouraged, not punished, when they report risks, mistakes, or suspicious activity. This openness ensures that potential threats are surfaced early and addressed quickly. Silence, often driven by fear of blame, is replaced with transparency and trust.
Mistakes are treated as learning opportunities. By shifting from a blame culture to a learning culture, organisations empower employees to speak up, share insights, and continuously improve. This mindset fosters resilience and agility in the face of evolving threats.
Cyber security is seen as everyone’s job, not just IT’s. When employees understand how their actions impact the organisation’s security, they are more likely to adopt secure behaviours and support one another in doing the same.
Human Judgement vs Tech
Even the most advanced AI systems cannot replicate human intuition. While automated tools are essential for detecting known threats at scale, they often lack the contextual awareness and critical thinking that trained employees bring to the table. A vigilant team member who questions a suspicious email or flags unusual behaviour can catch what algorithms might overlook. Their ability to escalate concerns quickly can mean the difference between a contained incident and a full-scale breach.
Humans provide reasoning, context, and prioritisation, qualities that machines cannot fully emulate. Cyber resilience is not just about identifying threats; it is about balancing risk, cost, and operational impact. These are nuanced decisions that require human understanding and judgment.
Technology is powerful, but it is people who make it effective. Empowered employees are not just part of the defence; they are the heart of it.
Cross Functional Collaboration
Cyber resilience is not the sole responsibility of the IT or security team; it is a shared effort that spans the entire organisation. Building a truly resilient posture requires cross-functional collaboration, bringing together departments like HR, Legal, Communications, Risk, and Operations. Each team plays a unique and vital role in preparing for, responding to, and recovering from cyber incidents.
• HR ensures that security awareness is embedded into onboarding, training, and culture.
• Legal helps navigate regulatory obligations, breach notification requirements, and liability concerns.
• Communications manages internal and external messaging during a crisis to maintain trust and transparency.
• Operations and Risk assess business impact and coordinate continuity plans.
One of the most effective ways to strengthen this collaboration is through crisis simulations and tabletop exercises. These simulations test not just technical responses, but decision-making, communication, and coordination across teams, turning theory into practice and exposing gaps before real threats strike.
Leadership
Leadership and management play a pivotal role in shaping an organisation’s cyber resilience culture. When leaders actively model good security behaviour, such as using strong passwords, reporting phishing attempts, and following data protection protocols, they send a powerful message – cyber security is everyone’s responsibility. Their actions set the tone from the top, influencing how employees perceive and prioritise security in their daily work.
This leadership commitment must extend to the board level, where cyber security is treated as a strategic business risk, not just a technical issue. Board-level accountability ensures that resilience is embedded into governance, risk management, and long-term planning. When directors ask the right questions and demand regular updates on cyber posture, it reinforces the importance of security across the organisation.
Buy-in from management is not just symbolic; it is strategic. Leaders must champion resilience initiatives, allocate resources for training, and integrate cyber security into broader business goals. They also play a key role in setting behavioural norms, reinforcing secure practices through communication, recognition, and consistent example.
When leadership leads by example, from the boardroom to the front line, cyber resilience becomes part of the culture, not just a compliance checkbox.
From Theory to Practice
Organisational Resilience
A well-trained workforce is not just a support function; it is a frontline defence and a cornerstone of cyber resilience. True resilience is achieved when cyber security is embedded into the values, behaviours, and everyday actions of everyone in the organisation, not just the IT or security teams. This means cultivating a culture where security is second nature, from how emails are handled to how data is shared and stored.
Embedding this mindset requires more than annual training modules. It involves ongoing education, leadership buy-in, and visible reinforcement of secure behaviours. For example, Microsoft has implemented a company-wide security culture program that includes regular phishing simulations, gamified learning experiences, and executive-led security briefings. These initiatives are tailored to different roles and risk levels, ensuring relevance and engagement across the board.
The result? Employees become active participants in defence, spotting threats early, responding appropriately, and reinforcing a culture of vigilance and accountability.
Engaging Training
Cyber security training must go beyond the traditional “check-the-box” approach. To be effective, it needs to be engaging, relevant, and continuous. This means using storytelling, real-world scenarios, interactive simulations, and up-to-date threat examples that resonate with employees’ daily experiences. When training is relatable and dynamic, it not only captures attention but also builds lasting awareness and practical skills.
Effective training empowers staff to detect and respond to threats quickly, reducing the risk of breaches and enabling them to contribute to the development and safe use of new technologies. It also fosters a culture where security is seen as a shared responsibility, not just an IT concern.
A standout example is Google’s Security and Privacy Training Program, which uses gamified learning, phishing simulations, and scenario-based exercises tailored to different roles. Employees are regularly tested with real-time challenges, and the program evolves with emerging threats, keeping security top of mind and skills sharp.
Recognition and Reward
Recognising and rewarding good cyber security behaviour is a powerful way to reinforce a culture of resilience. When employees feel that their efforts to stay secure are noticed and appreciated, they are more likely to remain vigilant and engaged. Celebrating individuals or teams who demonstrate strong cyber hygiene, such as reporting phishing attempts, following secure data handling practices, or contributing to awareness initiatives, helps normalise and encourage these behaviours across the organisation.
Recognition does not have to be complex. It can range from shout-outs in team meetings and internal newsletters to formal awards or incentives. The key is consistency and visibility.
A best practice example comes from Salesforce, which runs a “Security Champions” program. Employees across departments are nominated for their proactive security efforts and receive public recognition, exclusive training opportunities, and branded rewards. This not only boosts morale but also builds a network of internal advocates who help spread security awareness organically.
By celebrating the right behaviours, organisations reduce human error and strengthen their first line of defence, their people.
Review and Response
Cyber security is most effective when it is treated as a shared responsibility, not just an IT function. One of the most impactful ways to reinforce this is by regularly collecting feedback from employees on what is working, what’s unclear, and where improvements are needed. This two-way dialogue encourages ownership, reinforces learning, and helps build a culture of vigilance and continuous improvement.
Feedback mechanisms can include anonymous surveys, post-training evaluations, suggestion boxes, or open forums during team meetings. The key is to act on the feedback, showing employees that their insights lead to real changes.
A best practice example comes from PwC, which integrates cyber security feedback loops into its broader risk culture program. After simulations or incidents, employees are invited to share their experiences and suggestions. This feedback is then used to refine training, update policies, and improve response plans. The result is a more engaged workforce and a security strategy that evolves with real-world input.
By listening to employees and responding meaningfully, organisations not only improve their defences but also foster a sense of collective responsibility and trust.
Case Studies
In 2024, a major breach occurred at Shared Services Connected Ltd (SSCL), a contractor for the UK Ministry of Defence. The incident compromised sensitive payroll data for over 272,000 current and former military personnel, including personal and financial information.
While the breach was executed through external compromise, investigations pointed to inadequate internal controls and oversight, including poor access management and insufficient employee awareness of data handling risks. This case underscores how human oversight and weak internal processes can expose even highly sensitive government data to exploitation.
Several human-led response actions were taken to contain the damage and begin recovery:
- Immediate Government Oversight and Transparency: UK Defence Secretary Grant Shapps addressed Parliament, confirming the breach and identifying SSCL as the contractor involved. This public acknowledgment helped establish transparency and accountability from the outset.
- Rapid Notification and Support for Affected Personnel: The Ministry of Defence prioritised notifying individuals whose home addresses and financial details were exposed. Affected personnel were offered access to commercial data protection services, including credit monitoring and alerts for suspicious activity.
- Cross-Government Review and Human Oversight: The Cabinet Office launched a full review of SSCL’s work across government, not just within the MoD. This involved bringing in specialist analysts to assess internal controls, data handling practices, and contractor oversight, a clear example of human-led auditing and governance.
- Focus on Cultural and Procedural Reform: The breach prompted a broader conversation about internal oversight, employee awareness, and access management. While technical fixes were part of the response, the emphasis on reviewing human processes and decision-making reflects a shift toward strengthening the human layer of cyber resilience.
These actions demonstrate how, even after a breach caused in part by human oversight, people were central to the response and recovery, from leadership transparency to operational containment and long-term cultural reform.
Several high-profile UK retailers, including Marks & Spencer, Harrods, and Co-op, were targeted in ransomware attacks in which human error played a central role. In these cases, attackers relied on social engineering, tricking people into granting access or acting on malicious content, to get into internal systems.
These incidents highlight the ongoing vulnerability of even well-resourced organisations when cyber hygiene and awareness are not embedded across all levels. In response, many of these companies have since implemented enhanced phishing simulations, role-based training, and stricter access controls to reduce human risk.
At M&S, the recovery was driven by people:
- IT and cyber security teams worked around the clock to isolate affected systems and restore operations.
- The CEO issued a public apology, reinforcing transparency and accountability.
- Customer service teams were mobilised to support affected users, including guiding them through password resets and addressing concerns about data exposure.
- M&S also launched internal awareness campaigns to reinforce secure behaviours and prevent future incidents.
Co-op was targeted in an attempted ransomware attack. Here, human vigilance made the difference:
- The IT security team detected the intrusion early and took proactive steps to shut down systems before the ransomware could fully deploy.
- This quick action minimised disruption, keeping stores and websites operational.
- Co-op issued clear internal guidance to its 70,000 staff, including instructions to keep cameras on during remote meetings and avoid recording calls, a move aimed at preventing further exploitation.
- The company praised its internal teams for their rapid, coordinated response, which helped contain the breach and protect customer data.
These incidents show that while human error can open the door to cyber threats, human action, when empowered and prepared, is also the key to resilience and recovery.
Final Thoughts
Technology will always be a cornerstone of cybersecurity, enabling detection, automation, and defence at scale. But technology alone cannot adapt, reason, or care. It is people who bring resilience to life. They are the ones who notice the unusual, ask the right questions, escalate concerns, and recover systems under pressure.
By investing in your people, educating, empowering, and engaging them, you do not just build a secure organisation, you build a resilient one. One that can anticipate, absorb, and adapt to threats, not just react to them.
Cyber resilience is not just about systems, firewalls, or AI. It is about culture, communication, and collective responsibility. It is about creating an environment where every individual understands their role in protecting the organisation and feels confident to act.
In the end, resilience is not built by machines; it is built by people. And it is people who will make the difference when it matters most.
A major financial institution is hit by a cyber-attack that cripples its online services for days. Customers are locked out of their accounts and transactions grind to a halt; the impact spreads into the supply chain, other financial institutions, shareholders and government agencies take an interest in the drama unfolding, and trust and reputation begin to slip away. Unfortunately, this is not just hypothetical; it is a growing reality in today’s financial world.
Enter DORA, the Digital Operational Resilience Act, a landmark regulation from the European Union designed to ensure that financial entities can not only withstand cyber threats but also recover quickly and continue operating. DORA has applied in full since 17 January 2025 and is set to reshape how financial institutions across the EU approach digital risk.
In this article, we’ll break down what DORA is, why it was introduced, and what it means for your organisation. Whether you’re a compliance officer, an executive, or just curious about the future of cyber security in finance, this article will help you understand how to prepare for, and benefit from, DORA.
So what is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation designed to enhance the digital operational resilience of financial entities (Digital Operational Resilience Act (DORA) – EIOPA). Its primary goal is to ensure that financial institutions can withstand, respond to, and recover from various ICT-related disruptions and threats. DORA applies to a broad range of financial entities, including banks, insurance companies, investment firms, and their critical third-party service providers. By implementing robust risk management frameworks, these entities will be better equipped to identify, protect against, detect, and respond to risks. Additionally, DORA mandates regular testing of digital operational resilience to demonstrate that potential disruptions can be managed.
DORA also requires financial entities to report major incidents to competent authorities and share information on cyber threats. This regulation also imposes stringent requirements for managing risks associated with third-party service providers. DORA came into force on January 16, 2023, and was fully applicable from January 17, 2025. By adhering to these requirements, financial institutions can safeguard their operations and contribute to a more resilient cyber security environment across the EU.
Key components of DORA
Robust risk management framework
Reporting incidents to competent authorities
Sharing information on threat intelligence and incidents
Regular testing of digital operational resilience
Comprehensive supply chain management
What DORA aims to do
Whilst established frameworks such as ISO 27001 and NIST CSF laid solid foundations for cyber security, the financial industry’s growing dependence on digital systems created operational vulnerabilities that voluntary, unevenly adopted frameworks could not manage effectively across the sector. DORA was created to address these gaps and to establish unified, enforceable standards across the EU.
Five key areas were identified for improvement by The European Commission’s DORA Directive:
• ICT risk management
• Operational resilience during disruptions
• Enhanced oversight of third-party providers
• Consistent resilience standards across EU markets
• Structured incident reporting for knowledge sharing
With a theme of “stronger together” and a collaborative, knowledge-sharing approach to cyber security, especially around operational resilience, DORA aims to raise the cyber security posture of the whole industry.
The Five Pillars of DORA
From those key areas for improvement, DORA aims to improve cyber resilience by strengthening five pillars. Let’s take a look at each one in more depth:
Risk Management
DORA outlines the core requirements for financial entities to establish a comprehensive ICT risk management framework. Financial entities must:
- Implement a well-documented risk management framework as part of their overall risk management system.
- Include strategies, policies, procedures, protocols and tools to protect information assets, hardware assets, and physical infrastructure.
- Have a control function to oversee risk management that is independent and has authority to challenge decisions and escalate issues.
- Ensure the framework is proportionate to the size, complexity and risk profile of the financial entity (as defined in Article 4).
- Have a mechanism to continually improve their risk management practices.
Moving forward, board members will need to be involved in the risk management frameworks of their organisations. As stated in the DORA framework, the Board of Directors is personally liable for cyber security governance and risk management. This means each board director will require an understanding of cyber threats to inform their decision-making.
They will also need to define and approve their organisation’s risk management framework, including the third-party supplier strategy, which shows the importance of informed decision-making in addressing emerging cyber threats effectively. But with board-level responsibility for cyber security steadily declining among businesses since 2021 (only 27% of businesses have a board member fully responsible for cyber security in 2025, versus 38% in 2021), now is the time for financial services firms to take action and ensure board members take responsibility for aligning cyber security with business objectives.
So where should Financial Services organisations start with improving risk management and ensuring it is part of the board agenda?
Many financial services organisations have not undertaken a formal cyber security risk assessment in the past 12 months. It is estimated that only 48% of UK organisations have undertaken a formal cyber security risk assessment in the past year. This means board members of financial services firms and their cyber security teams could be making plans or reviewing their cyber security risk strategy using data that is not relevant, not up to date, or not based on the latest NCSC guidance. Clearly this is not only a business risk in itself but could also prevent wider business initiatives from being undertaken in a secure, compliant and resilient manner.
Additionally, it should be noted that not all cyber risk assessments are the same. Unfortunately, many cyber security risk assessments are treated as ‘tick box’ exercises without providing adequate detail or direction on how to improve. At Cyberfort we believe the starting point for building a cyber risk strategy is to undertake an NCSC-assured Cyber Resilience Audit and Review. The review, based on NCSC best practices and guidance, provides cyber security professionals and board members with a clear picture of their resilience posture versus industry benchmarks and highlights where improvements can be made. Furthermore, board members can use the cyber resilience audit and review to demonstrate to regulatory bodies that they have undertaken due diligence and understand their responsibilities in relation to cyber security in the wider business context.
Incident Reporting
The incident management requirements under DORA aim to ensure that financial entities can detect, assess, and respond to incidents in a structured and effective manner. DORA also requires organisations to maintain detailed internal logs, conduct thorough post-incident reviews, and integrate lessons learned into their risk management practices. DORA highlights that financial services organisations should have the following in place in relation to incident management and reporting:
Timely Detection and Classification
Have mechanisms to detect, classify, and prioritise incidents. Incidents must be assessed based on their impact on operations, data, and service continuity.
Structured Incident Reporting
Major incidents must be reported to the relevant national competent authority using standardised templates. Reporting must follow a strict timeline: the initial notification as soon as possible (with an expectation of within the same day), an intermediate report within 3 days, and a final report within a month. The final report should include root cause analysis and mitigation.
Internal Logging and Documentation
Maintain detailed internal logs of all incidents, including minor ones. Logs should support trend analysis and continuous improvement.
Post-Incident Review and Lessons Learned
A post-mortem analysis is required to identify root causes and improve controls. Findings must be documented and used to update risk management and response plans.
Communication and Stakeholder Management
Ensure clear internal and external communication during incidents. This includes informing customers, partners, and regulators as appropriate.
Integration with Business Continuity and Disaster Recovery
Incident response plans should be integrated with business continuity and disaster recovery plans, and all of them should be tested regularly to ensure effectiveness under real-world conditions.
So what does this mean in reality?
From our experience at Cyberfort, it means financial services firms must have tailored incident response plans in place so that they can detect and respond to cyber security incidents while mitigating the impact on operations and reputation.
This is an area all UK businesses need to improve on. The latest UK Government Cyber Security Breaches Survey 2025 estimates that 53% of medium-sized businesses and 75% of large businesses have formal, tested incident response plans in place. These plans should include technical, communication, and legal playbooks. But those responsible for cyber security in their organisation should be asking themselves:
- When was the last time the company incident response plan was truly tested?
- Are cyber security teams and members of the board aware of gaps that may exist and potential impact if not addressed?
- If gaps do exist in terms of knowledge, process or people skills, how are these being addressed in a timely manner before a live incident occurs?
If the right expertise does not exist in house, then a specialist third-party cyber security supplier with knowledge of DORA and of incident response best practices should be consulted so that those practices can be adopted across the organisation.
Digital Operational Resilience Testing
A crucial part of DORA that extends beyond traditional cyber security is an organisation’s ability to keep operating despite an adverse cyber event. This requires a set of detailed, tested response plans that address the organisation’s actual risks and prevalent threats and that have been shown to be effective. In practice, this requires:
- A risk-led, comprehensive testing schedule using a range of testing methods
- Independence and objectivity of the testing
- Mandatory annual testing of critical systems
- A remediation mechanism to classify, prioritise, and remediate any issues found
- A proportionality principle to determine the scope of the testing, based on size, complexity, and risk profile
Recognising the above steps is only the beginning; a proactive approach to cyber resilience needs to be implemented. By being proactive about cyber resilience, financial services organisations can minimise disruptions to their operations and strengthen their ability to maintain operational continuity and protect sensitive data. By making cyber resilience a high priority, they can strengthen their defence against potential breaches and build a culture of preparedness and responsiveness that can succeed in a reactive cyber security world. This proactive approach will help to mitigate risks and position a financial services organisation as a trusted digital partner in its customers’ and suppliers’ minds.
Third-Party Risk Management
DORA brings the supply chain within scope of the regulation by giving financial entities the responsibility to identify, assess, and monitor their third-party providers. DORA expects entities to identify all third-party service providers, classify them based on the criticality of the services they provide, and maintain a comprehensive register of information. Then, for each provider, they must conduct a risk assessment before entering into a contract, to understand the provider’s security posture, resilience capabilities, and compliance with DORA standards.
The contracts themselves must meet minimum contractual standards, for example, include specific clauses covering topics such as Service Level Agreements (SLAs), audit and inspection rights, ongoing monitoring and oversight, and termination and exit strategies.
The financial entity must continuously monitor the performance and risk exposure of their third parties, including regular reviews, audits, and updates to risk assessments, and ensure that third-party risk management is integrated into their overall risk governance framework, with clear roles and responsibilities at the management level.
In addition, in certain situations, DORA introduces EU-level oversight for critical third-party providers (e.g., major cloud service providers), ensuring they meet stringent operational and security standards.
This may sound simple in theory, but the practical reality from our experience at Cyberfort is that supply chain cyber security is complex and can be difficult to manage. This is demonstrated by the fact that only 14% of UK organisations have undertaken formal risk reviews of their supply chain security in the past 12 months. At Cyberfort we recommend that all financial services firms take the following 8 steps to improve their supply chain security:
- Validate your own supply chain: suppliers and sub-suppliers often get smaller, and hence less cyber-mature, the further down the chain you go.
- Ensure your security controls are appropriate for the level of business risk you’re dealing with.
- Migrate to SaaS where possible, and use the providers’ security packages for an efficient, effective and minimal-effort approach to security management.
- Validate and evidence the controls that your suppliers have in place; the effort is theirs, not yours, but hold the supplier to account.
- Make sure you have Cyber Essentials Plus.
- Keep on top of penetration testing and vulnerability management, and keep track of the evidence.
- Understand what your customer expects of you in security and compliance, and price this into your solution.
- Ask your customer about their controls, likely targets and defences, and find a trusted advisor or partner to help you extrapolate from this to the threats you are likely to face.
Information Sharing
Financial entities are encouraged to voluntarily exchange cyber threat intelligence, including indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), cyber security alerts, and configuration tools. The goal is to enhance collective digital operational resilience by improving awareness, detection, and response capabilities.
These exchanges must occur within secure and structured environments to ensure that shared information is handled responsibly. Entities are required to uphold strict confidentiality and data protection standards, ensuring that sensitive business or personal data is not exposed or misused. Additionally, any formal participation in information-sharing arrangements must be reported to the relevant competent authorities, promoting transparency and regulatory oversight. The ultimate aim is to support proactive threat detection and coordinated responses across the financial sector.
Those responsible for cyber security in their financial services organisation should start by asking themselves whether they participate in information sharing schemes (e.g. ISACs), and whether they have the tools in place to effectively process the threat information shared with the organisation, so that knowledge can be disseminated in a timely and appropriate manner.
The Strategic Business View of DORA
The Digital Operational Resilience Act (DORA) marks a significant shift in how financial institutions must approach digital risk. Rather than treating cyber security and ICT risk as isolated compliance tasks, DORA requires organisations to embed resilience into their core operations. This means preparing not just to prevent disruptions, but to detect, respond to, and recover from them swiftly and effectively. For many firms, this represents a move from reactive IT support to a proactive, strategic resilience posture.
One of the most notable changes is the increased accountability placed on senior leadership. DORA mandates that boards and executive teams take ownership of risk management, integrating it into the broader enterprise risk strategy. This shift demands greater visibility, governance, and cross-functional collaboration, particularly between IT, compliance, legal, and business units. It also means that digital resilience is no longer just a technical issue; it’s a boardroom priority.
Implementing DORA may also require significant investment in technology and infrastructure. Legacy systems may need to be upgraded or replaced to meet the regulation’s requirements for monitoring, testing, and recovery. Additionally, organisations must reassess their relationships with third-party providers. DORA introduces strict oversight and contractual obligations for these vendors, especially those deemed critical, making third-party risk management a strategic concern.
Finally, DORA has global implications. While it is an EU regulation, its reach extends to any non-EU firm offering financial services within the EU. This is likely to drive broader alignment with DORA’s standards across international markets. For organisations that embrace this shift early, DORA offers an opportunity to build trust, enhance operational resilience, and gain a competitive edge in an increasingly digital financial ecosystem.
Final Thoughts
The Digital Operational Resilience Act (DORA) is a pivotal regulation introduced by the European Union to strengthen the financial sector’s ability to withstand and recover from adverse cyber events. Its importance lies in creating a unified, comprehensive framework that ensures all financial entities can manage digital risks effectively. By focusing on areas like risk management, incident reporting, resilience testing, third-party oversight, and information sharing, DORA not only enhances operational stability but also builds trust in the digital financial ecosystem. It marks a shift from reactive compliance to proactive resilience, making it a strategic imperative for organisations operating in or with the EU financial market.
As the Digital Operational Resilience Act (DORA) reshapes the regulatory landscape, financial institutions face more than a compliance challenge: they face a strategic inflection point. DORA demands a fundamental shift in how organisations think about digital risk.
For forward-thinking financial services firms, this is an opportunity to build trust, enhance operational continuity, and differentiate in a competitive market. But navigating DORA’s complexity across governance, incident response, third-party oversight, and resilience testing requires more than internal effort. It requires a partner who understands both the regulatory nuance and the operational realities of financial services.
At Cyberfort, we help organisations turn DORA readiness into a strategic advantage. From assessing your current posture to designing scalable resilience frameworks, we align your digital operations with regulatory expectations while strengthening your ability to adapt and recover in the face of disruption.
For more information about Cyberfort’s Governance, Risk and Compliance services and how we can help your organisation shift from reactive compliance to proactive resilience, contact us at [email protected].
The Cyber Security threat landscape has undergone a dramatic shift in the past decade with businesses seeing a significant increase in the volume and sophistication of attacks, partly due to factors such as geopolitical instability, the evolution of ‘as a service’ type products, difficulties in protecting complex supply chains, and the introduction of AI.
In an era of escalating cyber threats, organisations must proactively assess and strengthen their resilience against a wide range of attacks. Cyber resilience audits and reviews have emerged as critical tools to help identify threats, vulnerabilities, regulatory compliance issues and risk levels.
