Achieving Operational Resilience in an Increasingly Uncertain World
NIS2 is Now in Force
The EU’s Network and Information Systems Directive 2 (NIS2) for cybersecurity resilience entered full enforcement in October 2024, and compliance with its requirements presents significant challenges for many companies, particularly those in the financial services sector. While most IT leaders are confident in achieving NIS2 compliance, they also acknowledge that this cybersecurity directive has exacerbated existing challenges, such as resource constraints and skills gaps. Adding to this challenge, the Digital Operational Resilience Act (DORA) comes into force in January 2025. It focuses entirely on the financial sector and aims to help organizations build operational resilience into their critical business systems by demanding higher levels of visibility, control, monitoring, and reporting.
Both regulations have been implemented because of growing threats. However, even with the most advanced threat detection and prevention technologies in place, no environment can be 100 percent protected. After all, a security environment must succeed every single time, but an attacker needs to succeed only once. Unfortunately, the aftermath of an attack can be devastating – with data breaches, financial loss, and reputational damage all contributing to the fallout.
DDoS attack frequency surged in the first half of 2024, with a significant increase in sophisticated application-layer attacks driven by hacktivist activities targeting global networks. Critical infrastructure sectors, including financial services and public utilities, faced a 55 percent increase in multi-vector DDoS attacks over four years, threatening essential services. Financial institutions are under constant threat due to the types of data they hold. Personal data and payment and bank account details are the most highly sought-after by cybercrime gangs. Therefore, financial institutions must look at how they build protection into their systems and how they can create more resilience in their critical application systems.
A10 Networks is a trusted provider to the financial industry, with a strong portfolio of solutions designed to smooth the path to regulatory compliance. Building resilience, managing risk, and simplifying accurate, real-time reporting are in our DNA. Our portfolio of security solutions, such as SSL/TLS inspection, load balancing, next-generation web application firewalls, and DDoS protection, aligns with key regulatory requirements and combines to protect customer data and corporate reputations against malicious disruption and regulatory risk. Below are a few examples of how we do this.
The Importance of Encrypting Sensitive Data
Encrypting sensitive data is essential for keeping it safe in transit and at rest. Indeed, 95 percent of all internet traffic is now encrypted, and having a robust encryption strategy is a cornerstone of compliance with regulations. Using appropriate data encryption is a specific requirement under Article 21 of NIS2, which also focuses on the security and resilience of infrastructure and protecting personally identifiable information (PII).
However, malicious actors also leverage encryption. Almost half of all malware attacks now use encryption to evade detection by security tools and extract data. Their efforts are growing more sophisticated as computers become more powerful, resulting in an encryption blind spot, which gives organizations a dual challenge. They need an encryption strategy that securely encrypts their data to the required standard and an inspection capability powerful enough to provide complete visibility into encrypted threats seeking to bypass security tools.
Financial institutions must implement solutions that decrypt TLS/SSL traffic and allow their full stack of security products to inspect the data. The TLS/SSL solution must be capable of handling large and exponentially growing volumes of encrypted traffic to ensure that decryption and inspection don’t impact network performance and customer experience. It must also comply with privacy and other regulatory requirements such as PCI-DSS and be able to be tuned to bypass sensitive traffic selectively. The A10 Thunder SSL Insight solution can help decrypt traffic into plain text, enabling it to understand who has initiated the request, where they are located, and what they wish to access. Based on this, the solution directs the data to the appropriate security appliance. Once cleared, A10’s solution re-encrypts the data to the required level, and the request continues to its destination.
Additionally, network and system monitoring and incident reporting are key focus areas for NIS2 and DORA. A10 Thunder ADC delivers centralized network visibility, event monitoring, and alerting, enabling security teams to meet the regulations’ strict time-dependent reporting requirements.
Ensuring Web Applications are Secure and Always Available
A10’s web application firewalls (WAFs) are central to NIS2 and DORA compliance. They provide the defense financial services companies need to guarantee that their applications are secure and always available and that operational integrity is maintained. However, traditional WAFs are challenging to manage and maintain. They generate large volumes of false positives, burdening security teams that are forced to spend time chasing non-existent threats and potentially missing genuine issues. Thunder ADC with A10 Next Gen WAF, powered by Fastly, resolves these challenges and supports compliance. A10 Next Gen WAF can be deployed to full functionality in hours, and its intuitive user interface and simple rule builders mean little expertise is needed for ongoing management. Its token-based approach to attack detection is more accurate than rules or static signatures and requires minimal tuning or maintenance.
Enterprise-ready DDoS Protection
A10 also continues to broaden its cybersecurity solution portfolio; it has focused on expanding capabilities to meet large enterprise requirements for mitigating multi-vector and volumetric DDoS threats. This capability complements existing A10 Defend on-premises DDoS protection with the ability to mitigate large volumetric attacks in the cloud, adding enhanced protection against attacks that exceed the size of internet links or on-premises capacity.
Today, the world is becoming increasingly uncertain. As risks proliferate, IT leaders in financial institutions must look beyond protecting their critical application systems to make them highly available, more robust, and resilient. If you want to understand more about how the A10 Networks portfolio of security solutions can help meet compliance requirements like NIS2 and DORA, download our eBook.
This article appears on the A10 blog.
Principal Systems Engineer, ULL, A10 Networks
2 months ago: when downtime is NOT an option