Financial Service Providers Need to Catch Up on TLPT / Keith Poyser on DORA
"A penetration test every three years is ineffective, irrelevant and immediately out of date. Monthly or weekly testing is far more effective."
London (ots) - Since the implementation of the Digital Operational Resilience
Act (DORA, https://horizon3.ai/downloads/whitepapers/dora/) on January 17th
this year, financial institutions in the EU are required to conduct regular
Threat-Led Penetration Testing (TLPT). This involves using real-world
cyber-attack techniques to assess IT infrastructures and identify exploitable
attack vectors before they are discovered by threat actors. "While this is a
positive step, the mandated three-year testing cycle is far too long given the
fast-paced nature of cybercrime," said security expert Keith Poyser
(https://www.linkedin.com/in/keith-poyser-883979/?originalSubdomain=uk), Vice
President for EMEA at cybersecurity company Horizon3.ai (http://horizon3.ai/).
The company operates the autonomous pentesting platform NodeZero®, where
financial service providers can conduct penetration tests on their IT
infrastructure, cloud and Kubernetes environments, as often as they like to
identify potential security gaps. Poyser points to findings from Horizon3.ai's
"Cyber Security Report UK 2024/25" according to which 70 percent of
organisations questioned have fallen victim to a cyberattack at least once in
the past two years.
"Given the increasing frequency of cyberattacks, it is unacceptable for a
financial services provider to assess just once every three years whether their
IT infrastructure is capable of withstanding an attack or if it will fail,"
explained Poyser. He further added: "With cybercriminals becoming ever more
aggressive, an exploit-focused, impact-prioritised, high-frequency, modern
testing regime, with fix actions and re-tests, has to be a key part of any
sensible strategy for financial services institutions."
"Like Finding a Needle in a Haystack"
According to the industry veteran, the biggest challenge is identifying which of
the vast number of potential IT weaknesses or vulnerability "noise" are
real-world exploitable within an organisation, and prioritising these for quick
remediation. "The list of potential entry points is long, ranging from outdated
software somewhere in the system, weak or reused passwords, or excessively broad
access rights for individual employees, to threats arising from the software
supply chain," explained Poyser, illustrating the scale of the task. He
continued: "In this typically heterogeneous and complex IT landscape, finding a
security gap is like searching for the proverbial needle in a haystack. Threat
actors manage to do it, which is why financial service providers need to use the
same methods as cybercriminals to stay one step ahead. And that's exactly what
penetration tests are: searching for needles in your own IT haystack before
