Legacy Systems & Risk: A Cybersecurity Balancing Act

“Vintage” might be trendy when it comes to fashion, but it’s one of the last things you want when it comes to the technology you use to run your business.

Despite their limitations and the vulnerabilities they introduce, many organizations continue to rely on legacy systems because they play key roles in certain business functions. In this way, maintaining legacy systems becomes a balancing act for cybersecurity teams as they must juggle user needs, technology, and business objectives with security and liability. These systems often have very few users and can be forgotten about by system administrators. In such an environment, legacy systems likely aren’t receiving the latest updates and critical patches (if available), which creates weaknesses within an organization’s infrastructure that cyberattackers can exploit.

Is your organization reliant on legacy systems? Below are our tips for assessing and improving the management of these systems.

Identify and isolate.

The first step when it comes to legacy systems is to identify the type of system. Knowing what you are working with gives you the key information you need to determine whether the system is worth maintaining, where it sits within your infrastructure, and what risks it could introduce. Were the systems custom built, or were they “off the shelf” solutions? Who built the system, are they still in business, and do they still support it? Has the system been modified? These are just some of the questions you should ask yourself when evaluating legacy systems.

Once you have identified all of the legacy systems on your network, you should isolate them and remove them from public access. Any system with known vulnerabilities should either be patched or disabled. After these systems are identified and isolated, you should also create new controls and protocols surrounding their use. Revoke access for any unnecessary users or accounts and monitor the system for suspicious activity or data transmission.

Define roles and responsibilities.

Do you know who is currently in charge of maintenance for legacy systems? Who is responsible for patching and updating these systems on a regular basis? Define key personnel to complete these tasks and ensure they are trained on any complexities or nuances related to these older systems.

Think about sunsetting.

In some cases, a legacy system or the code it’s built with may be so old that it is prohibitively challenging or costly to maintain. Or perhaps the system was a custom build, and the designer left years ago without leaving proper documentation. And what happens when a manufacturer announces it will no longer support a product? Scenarios like these can make it difficult to protect older systems or scale them to meet the needs of a growing business. In such cases, you may want to consider creating a transition plan and sunsetting your legacy systems entirely. If you find yourself maintaining an older system simply because “it’s the way we’ve always done it,” then it is probably time to introduce a new solution that can evolve along with your organization and support innovation.

Many organizations continue to maintain legacy systems because they have determined it is “cheaper” than moving to a more modern solution. When you consider the long-term cost of managing and supporting legacy systems, however, you may find that it is actually more expensive than investing in new technology. Some costs related to legacy systems are obvious, such as upgrades and support, but there are hidden costs you may not be considering. For example, the more time your staff spends maintaining legacy systems used by only a few employees, the less time they have to implement new systems that will help your organization generate revenue.

Another thing to consider: will you still think the cost savings of that legacy system are worth it when the vulnerabilities within it are the source of your next cybersecurity incident?

In conclusion…

There is no silver bullet when it comes to legacy systems. In reality, maintenance of these systems will only become harder as they age and the workforce that created, installed and understood them retires. (The banking industry is already experiencing this with COBOL-based systems. Due to a shrinking number of workers with COBOL experience, financial institutions often need to call in retirees when they need to implement patches or upgrades.) With this future in mind, it’s recommended that companies put together a security and IT team that can validate the viability of current legacy systems, identify risks within that environment, and create a corrective action plan to address these issues.

Ultimately, you must assess your legacy system environment and decide whether the level of risk these systems introduce to your business is acceptable. It’s not possible to eliminate all threats to your legacy systems, but strong cybersecurity policies and procedures can help you manage and mitigate associated risks.

Need help creating a cybersecurity program that allows you to better protect and manage your legacy systems? Click below to email GreyCastle Security or call us today at (518) 274-7233.