“It’s The Legacy That Gets You”: What is the Threat Of Outdated Systems

During her keynote at this year’s Infosecurity Europe, Baroness Dido Harding - former chief exec of TalkTalk - warned other business leaders about the threat of legacy tech, and she was well placed to do so: TalkTalk customers had their details compromised in a large breach in 2015, resulting in huge damage to brand reputation for the company as well as a £400,000 fine from the ICO.

However, the threat of outdated systems is hardly a new one, and private businesses as well as public sector bodies are facing the same dilemma. In brief, the shackles of legacy tech are inhibiting companies from fulfilling their digital transformation journeys and leaving them exposed to new and emerging threats. So what are the barriers that are leaving organizations exposed?

Lack of awareness
Firstly, organizations can be unaware that they are running technology that is no longer supported by its creators and therefore poses a security risk. This can be the case for organizations that are growing rapidly; part of that growth might be planned consolidations such as mergers and acquisitions, which in turn could mean inadvertently inheriting outdated technology.

This is essentially the situation that TalkTalk found itself in, as Harding explained: “We were a fast-growing company, acquiring others, and were hit by a simple SQL vulnerability in a legacy website that no one noticed.” 

Awareness of legacy technology and infrastructure, particularly during times of amalgamation, is crucial, and it depends on communication between IT teams and wider business leaders. Otherwise, organizations can find themselves exposed to security risks – as Harding explained: "...there was the IT equivalent of an old shed in a field that was covered in brambles. All we saw were the brambles and not the open window."

Beyond this, a lack of awareness and understanding can also be found when vital software reaches its end of life. Many organizations still run legacy operating systems such as Windows XP, which haven’t received security updates from the vendor in several years; an astonishing fact given the rate at which security threats are evolving and becoming more sophisticated.

It may be that organizations still running legacy systems are simply unaware of the risks but, often enough, the problem goes far deeper.

Time, cost and risk perception
Many organizations that run outdated software are not unaware of the risks, but are still forced to host applications in an environment that has reached its end of life due to perceived limitations.

When their bespoke applications appear to be incompatible with the newer alternatives that become available, organizations are seemingly left with the dilemma of either rewriting the applications or keeping them where they are.

The former scenario has the potential to present a huge time and budget expense that could extend into the millions for a large enterprise. Worse still, some organizations may not possess the ability or talent in-house to undertake this process even if money and bandwidth permit.

Additionally, it is often the perception of vendor lock-in that deters organizations from making the sensible and imperative decision to move away from legacy technology. Many organizations may feel that, after sinking immeasurable amounts of time, effort and money into one particular vendor, it is difficult and painstaking to move to a more modern alternative.

The reality is far less bleak 
It is important for organizations to understand that the barriers that seemingly hinder their journey away from legacy technology and towards a more modern future often do not exist.

Technology is available that provides portability for these applications: compatibility that does not discriminate against technology suppliers and can provide unification where it otherwise cannot be achieved.

The use of compatibility containers, for example, offers a ‘lift and shift’ option that does not require a single code change - saving time, money and resources in the process. With this in mind, the biggest obstacle to addressing the modern threat of legacy technology is simply awareness of the issue: an obstacle that will hopefully diminish as more and more influential business leaders speak out about it.
