Ah, legacy systems. Like wrinkles or a receding hairline, as your company and its IT environment age, they seem to be a fact of life. Sure, you can get rid of them, but much like getting rid of wrinkles, this presents the question of whether it is worth the effort or expense.
So, just what is a legacy system? Generally, legacy systems are old hardware, software, or applications. For various reasons, these aging systems and software can’t be updated or patched. This leaves them vulnerable to a whole host of security threats too numerous to list. Suffice it to say, these vulnerabilities could have devastating consequences for your business, such as theft of sensitive customer data, intellectual property theft, or even the two most costly types of attacks, business email compromise and ransomware.
So, it’s old technology. So what? Just replace it, right?
Not so fast there, my friend!
Legacy systems are commonly used because processes or other systems are dependent upon them. They can’t be taken offline without interrupting business processes for unacceptable periods. Trying to update them or replace them will break the processes that the business relies on, like widget production or online transactions. Sometimes, legacy systems exist in a business environment because no one knows they are there. Maybe Kevin in IT quit, and no one told Karla that the system was there when she replaced him.
Having these systems in an IT or, maybe more commonly, in an OT environment (think industrial control systems) presents various problems, not the least of which may be an increased risk of cyber-attack. Most of us in IT are familiar with patching. Cyber researchers discover new vulnerabilities all the time, and patches are developed to address many of them. Those patches are then applied to prevent threat actors from using that vulnerability to facilitate an attack. When a system can’t be patched for the reasons already discussed, these patches provide little to no value, and the vulnerable system remains that way.
In addition to the difficulties that lead to the proliferation of legacy systems in business environments and all the complexities therein, the problem of legacy systems seems to be getting worse due to the COVID-19 pandemic and resulting supply chain issues. When the workforce transitioned from the company office to the home office almost overnight, it became much more challenging to get your hands on home office equipment. Laptops, monitors, and fax machines (I’m kidding… or am I?) became much harder to find as workers clamored to obtain the equipment they needed and wanted to set up their new home offices. As Tim Sewell, CTO and co-founder of Reveal Risk, points out, “Legacy systems became more connected to support remote work, and getting replacement parts became almost impossible, forcing companies to keep things running even longer than they otherwise might not have.” The same supply chain and staffing problems that have plagued almost every industry have been disrupting the production of semiconductors, which are required to produce the computing hardware necessary to replace legacy systems. So, even if you wanted to take the potentially expensive and labor-intensive steps to replace your legacy systems, now you may not be able to get your hands on replacements for many months, despite your proactive intentions.
All of this may make one wonder just how big this problem is. For individual companies, that may be difficult to determine, as it may not be in a company’s best interest to publicly disclose that they have these systems in their environment. However, some entities, like certain Federal governments, must be more transparent. A multi-national study conducted by Dell revealed that upwards of 70% of Federal IT leaders reported using legacy systems in their environments. Of course, this is likely not the situation in every business environment, but it clearly illustrates that the problem may be significant.
Of course, it would be best to be able to replace legacy systems with modern technology that can be adequately secured. It is also quite clear now that many obstacles may lie in the way of accomplishing that. Because new systems are hard to obtain, it may be necessary to continue to use legacy systems even if your production dependencies are not reliant upon them. In the absence of new equipment, what steps can businesses take to mitigate the risks posed by continuing to operate legacy systems in their environments?
- Identify: You can’t protect systems you don’t know you have.
- Protect: Ensure systems are patched as much as possible and isolate as many as you can (firewalls, network segmentation, sandboxing); limit the amount of user access as much as possible and eliminate any unused/unnecessary applications/services (system hardening).
- Detect: Closely monitor systems for any anomalous activity. Keep in mind that, to do this effectively, baselines of regular activity will probably need to be determined.
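
An added example (not from the original article) of how the Protect and Detect steps fit together: it learns a baseline of who talks to a legacy host from flow records, then flags traffic that breaks the isolation policy or deviates from that baseline. The addresses, ports, flow-record layout, and function names are all constructed for illustration.

```python
from collections import Counter

LEGACY_HOST = "10.20.0.5"                      # constructed: the unpatchable system
ALLOWED_PEERS = {"10.20.0.10", "10.20.0.11"}   # assumption: peers the segmentation policy permits

# Constructed flow records: (day, src_ip, dst_ip, dst_port)
BASELINE_FLOWS = [
    (1, "10.20.0.10", "10.20.0.5", 502), (2, "10.20.0.10", "10.20.0.5", 502),
    (3, "10.20.0.10", "10.20.0.5", 502),
    (1, "10.20.0.5", "10.20.0.11", 514), (2, "10.20.0.5", "10.20.0.11", 514),
    (2, "10.20.0.10", "10.20.0.5", 3389),      # one-off, too rare to count as normal
]
NEW_FLOWS = [
    (8, "10.20.0.10", "10.20.0.5", 502),       # matches baseline
    (8, "10.20.0.10", "10.20.0.5", 445),       # permitted peer, unfamiliar port
    (9, "10.20.0.5", "203.0.113.7", 443),      # peer outside the isolated segment
    (9, "10.20.0.12", "10.20.0.10", 80),       # does not involve the legacy host
]

def flow_key(flow, host):
    """Return (peer, port, direction) relative to host, or None if host is not involved."""
    _, src, dst, port = flow
    if src == host:
        return (dst, port, "out")
    if dst == host:
        return (src, port, "in")
    return None

def build_baseline(flows, host, min_seen=2):
    """Regular activity = (peer, port, direction) tuples seen at least min_seen times."""
    counts = Counter(k for k in (flow_key(f, host) for f in flows) if k)
    return {k for k, n in counts.items() if n >= min_seen}

def review(flows, host, baseline, allowed_peers):
    """Flag isolation violations first, then deviations from the learned baseline."""
    findings = []
    for flow in flows:
        key = flow_key(flow, host)
        if key is None:
            continue
        if key[0] not in allowed_peers:
            findings.append((flow[0], "segmentation-violation", key))
        elif key not in baseline:
            findings.append((flow[0], "baseline-deviation", key))
    return findings

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS, LEGACY_HOST)
    for finding in review(NEW_FLOWS, LEGACY_HOST, baseline, ALLOWED_PEERS):
        print(finding)
```

The `min_seen` threshold keeps a single unusual connection during the learning window from being accepted as normal, which is why the baseline has to be determined before monitoring is useful.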
This is not an exhaustive list, as there is almost always more that can be done to improve overall security. These steps are also not suggested as an alternative to replacing legacy systems. However, they may be an effective temporary solution to help your business remain productive and somewhat more secure despite the supply challenges we are all currently facing. Unfortunately, the more time passes before legacy systems are replaced, the more difficult and expensive it may become to modernize your environment.
The team at Reveal Risk can review and help elevate your processes and procedures to mitigate vulnerabilities in your environment, including legacy systems.