Are your legacy systems an open door for cyber attacks?
- Published: Friday, 17 June 2022 08:05
Often the business systems you rely on most can be the most neglected. They have been running well for years without much attention. However, this situation must now be challenged – the changing cyber threat landscape means the risk of downtime to your legacy systems is increasing. Here Nick Denning proposes six steps to protect your organization and its legacy systems.
It can be daunting to look back on the events of the last few years and the list of issues we have all faced with the often-unexpected impacts on our employees and ways of working.
The threats posed to business are changing. Are our long-held assumptions still valid? Are our organizations as secure and resilient as they need to be? Is it time to take stock and develop new strategies?
The pandemic drove employees to work from home and it seems as if a more hybrid working model is here to stay. This has pushed out the security boundaries of organizations and introduced new points of vulnerability. No longer are the vast majority of staff accessing business systems from the relatively secure environment of the office. Employees now need access to core systems via their home Internet or mobile devices.
The COVID-19 pandemic also prompted the phenomenon known as the ‘Great Resignation’. It has seen record numbers of people change jobs or simply leave the job market completely. However, The UK Institute of Employment Studies sees this more as the ‘Great Retirement’ with many over 50s falling out of the workforce. Is your organization in danger of losing long term staff who’ve kept your key legacy systems running smoothly?
We believe that the pendulum will swing back towards the office. People whose first job was working from home will realise the importance of forming relationships, teamwork, collaboration, and taking on leadership roles. Nevertheless, we need to continue to be aware of the impacts of hybrid working and adjust accordingly.
Protect your systems of record
With so much changing over the last few years, is your business now at greater risk from cyber attack? A large proportion of cyber security efforts have been focused on newly installed systems and apps which are often customer facing. This is important but have you left an open door to vital legacy systems?
It is easy to neglect them if they have been running well for years, but how would your business cope if systems of record, production and supply chains were disrupted by cyber attack?
The Verizon 2021 Data Breach Investigations Report found that over 80 percent of cyber attacks gained access via issues with users’ IDs and passwords. Therefore, it is especially important to focus efforts on protecting and controlling employee and supply chain partner access to key systems via logins and interfaces.
Six ways to reduce your organization’s risk of legacy system cyber attack
There are numerous areas to look at when increasing protection of legacy systems against cyber attack, but here are six key things an organization can do:
Maintain engineering practices and standards – invest in ensuring your design approaches encompass best practice. Turn this into a key business benefit for your customers by ensuring compliance with standards such as OWASP and WCAG 2.1 AA. Also comply with GDS standards to win business across the public sector from which non-compliant organizations are excluded.
Identify and prioritise new risks – the world has changed and it’s time to think the unthinkable. Consider putting in place a formal review of the impact of what has happened over the last few years looking at the threats from hybrid working, supply chain upheavals, and the introduction of new supply chain partners. Remember to include in the review the turnover of staff and the impact of losing experienced employees with knowledge of running key legacy systems. Mitigation steps can then be developed once the new risks are known.
Proactively work to retain experienced staff – create a culture that is anti-ageist. Invest in line-management training including policies related to older workers such as managing employees with long-term health conditions. Implement mid-life career reviews and plans, recognising that deep expertise gained over years is just as valuable as management ambitions and a desire to climb the hierarchy. The use of the Chartered Institute of IT SFIA+ – IT skills provides an excellent way for your staff to realise how good they are and how effective they can be.
Focus on knowledge management and effective processes – with an increase in hybrid working, greater turnover of employees, the potential loss of experience and more volatility in suppliers, it is important to have a robust approach to all your processes. Focus on security including on-boarding, leaver processes and user access to systems. Take a look at the creation and removal of user ids, password management and the potential adoption of new authentication tools.
Look to the cloud – many corporate functions now use cloud-based applications, but has your organization considered transitioning legacy systems to the cloud too? This may not be appropriate for every system or organization, but systems in the cloud typically benefit from enhanced security built by industry experts and increased availability.
Learn from the experts – UK businesses benefit from the leadership and guidance from the National Cyber Security Centre. Ongoing initiatives such as Cyber Essentials point the way to making your organization more secure against cyber attacks and there are regular information updates and advice on evolving threats, such as those resulting from the invasion of Ukraine and elevated risks from Russia.
The world looks very different from the start of this decade. If we accept that there has been an accumulation of interdependent changes and address them head on then it is perfectly possible to create the mitigation strategies needed to protect organizations against heightened cyber threat levels.
Nick Denning is CEO of Diegesis Limited, a business technology and IT systems integration company. Nick is an acknowledged expert on risk management and relational database technologies.