Legacy systems still in use: making a cybersecurity case for modernisation
What does the term “Legacy Systems” mean to you? What image does it conjure up?
Well, the word “legacy” can mean “something transmitted by or received from an ancestor or predecessor or from the past.” For example, the “legacy of the ancient philosophers”, or perhaps “legacy of ancient IT professionals.” A legacy is something that is passed from one generation to the next. That next generation may not have asked for this gift, but they must accept it nonetheless.
Legacy Systems
According to Techopedia, and in the context of computing, the definition of a legacy system is “outdated computer systems, programming languages or application software that are used instead of available upgraded versions. The system still meets the needs it was initially designed for, but doesn’t allow for growth.” Not surprisingly, this definition doesn’t quite hit the target, because a legacy system doesn’t just fail to allow for growth – it can leave organisations exposed to a number of risks.
The UK Government states that “legacy technology can refer to an organisation’s IT infrastructure and systems, hardware, and related business processes.” Technology becomes legacy because any or all of the following points become true:
- The technology is out of support from the supplier, i.e., has reached its end-of-life.
- The technology is impossible to update.
- It is no longer cost-effective to maintain the technology.
- The technology exceeds the acceptable risk threshold.
There are many examples of legacy systems in operation today, and they operate at the highest levels of society and at the heart of some of the most influential and important institutions that we can imagine. But removing legacy systems could be extremely problematic. They may be integral to the safe running of a critical service, or perhaps even critical national infrastructure (CNI).
Legacy of the Beast
In 2019, the US Government Accountability Office (GAO) released a report highlighting the ten most critical legacy systems that needed modernisation.
In that report, they identified a number of systems that were over 30 years old and classified as “High” in terms of their criticality. The government bodies covered by the report included the Department of Defence, the Department of Education, and the Department of Transportation.
Although this report focused on the US, there is no reason to think that branches of the UK government aren’t just as exposed as our American cousins. In 2021, the UK launched a review of legacy IT systems, and aims to have a framework to identify “at risk” infrastructure by the end of 2022. This will enable them to prioritise spending and ensure there is a programme of modernisation in place.
In July 2021, the Digital Economic Council report indicated that almost 50% of the UK government’s IT spend is dedicated to ‘keeping the lights on’ activity on outdated legacy systems. This equates to an annual spend of £2.3bn (US$3.1bn). The analysis goes on to state that this brings a number of challenges, including very high ‘keeping the lights on’ maintenance costs, data and cybersecurity risks, and an inability to develop new functionality on technologies and systems that are no longer widely supported. In regard to cybersecurity, the study adds that some departmental services fail to meet even the minimum cybersecurity standards.
The conclusion is that the UK Government must do better. But here we are today, having inherited systems as a legacy from the previous generation of IT professionals, a generation who most likely didn’t anticipate the world we now inhabit: a digital universe without borders, which has been likened to the wild west so many times it has almost become a cliché. But it’s only a cliché because it’s true.
One of the fundamental issues with legacy systems is that they are outdated. In this modern world, with the threats around us ever-increasing, outdated means vulnerable to attack, disruption, and outages. Another key risk surrounding legacy systems is that they have grown into beasts that are difficult to manage or contain, and even where they can be managed effectively, those with the knowledge to support them are themselves growing old and leaving the workforce.
Making a case for modernisation
Using legacy systems can also lead to inefficiencies within the organisation. For example, they may operate more slowly than more advanced systems, and their ability to integrate with other systems (for example via APIs) is diminished.
Legacy systems don’t lend themselves to the more “agile” way of working, which many organisations now operate to. This means slower production and productivity, which increases costs.
It’s also important to remember that organisations implementing security standards like Cyber Essentials and ISO 27001 will need to demonstrate they have implemented patch management processes. If there are legacy systems in place, then how is an organisation demonstrating compliance if these systems remain unpatched?
Of course, before you make a case for modernisation, you need to learn how to tame the beast!
Taming the beast
It’s essential to understand what is in your network and where the most significant risks are. This is why it’s crucial to conduct system performance and security audits, so that you can see what devices, systems, and software reside in your infrastructure. Having an accurate asset register of your systems and services is therefore a critical step in taming this beast. But, while this is something that can be carried out using a variety of tools and systems, you should go further than this.
Conducting a Business Impact Assessment or Analysis (BIA) will establish how critical each system is to the organisation. From there, you can develop a programme of modernisation, or at the very least, develop a plan to reduce the impact on your organisation in the event of an outage. For example, you might decide to increase the security and controls around the legacy system, thereby protecting a fragile system and reducing the likelihood of a direct hit on it.
Although this may seem to be an effective approach, it will not completely eradicate the legacy system’s risks, as the people who understand it age and leave the organisation. The key question to ask is, “Who understands this system if all else fails?” Therefore, further investment in training and succession planning is required. The “old guard” must learn to trust their younger counterparts and pass on the knowledge they have obtained over the years.
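One way to turn the asset register and BIA described above into a prioritised modernisation backlog is to score every asset against the four “becomes legacy” tests listed earlier (out of support, cannot be updated, not cost-effective, exceeds the risk threshold) and rank the failures by likelihood times BIA criticality. This is an added example, not code from the article or from Cyberfort; the risk threshold of 12, the five-year payback horizon, the likelihood weights and the sample register are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    name: str
    end_of_support: "date | None"   # None: the vendor still supports it
    can_be_updated: bool
    annual_maintenance: int         # yearly "keeping the lights on" cost
    replacement_cost: int           # one-off cost to modernise or replace
    bia_criticality: int            # 1 (low) to 5 (critical), from the BIA

RISK_THRESHOLD = 12   # assumed organisational risk appetite (max score is 25)
HORIZON_YEARS = 5     # assumed payback horizon for the cost-effectiveness test
def likelihood(a: Asset, today: date) -> int:
    # Likelihood of compromise or outage, 1..5, driven by support status
    score = 1
    if a.end_of_support is not None and a.end_of_support <= today:
        score += 2   # no vendor patches: known flaws stay open
    if not a.can_be_updated:
        score += 2   # even available fixes cannot be applied
    return score

def risk_score(a: Asset, today: date) -> int:
    return likelihood(a, today) * a.bia_criticality   # likelihood x impact

def legacy_reasons(a: Asset, today: date) -> list:
    """Which of the four 'becomes legacy' tests does this asset fail?"""
    reasons = []
    if a.end_of_support is not None and a.end_of_support <= today:
        reasons.append("out of support")
    if not a.can_be_updated:
        reasons.append("cannot be updated")
    if a.annual_maintenance * HORIZON_YEARS > a.replacement_cost:
        reasons.append("not cost-effective")
    if risk_score(a, today) > RISK_THRESHOLD:
        reasons.append("exceeds risk threshold")
    return reasons

def prioritise(assets, today: date) -> list:
    """Legacy assets only, highest risk first: the modernisation backlog."""
    rows = [(a.name, risk_score(a, today), legacy_reasons(a, today)) for a in assets]
    return sorted((r for r in rows if r[2]), key=lambda r: r[1], reverse=True)

# Constructed sample register (not real systems) and a fixed review date
INVENTORY = [
    Asset("payroll-mainframe", date(2015, 1, 1), False, 500_000, 2_000_000, 5),
    Asset("hr-portal", None, True, 20_000, 300_000, 2),
    Asset("badge-access-ctrl", date(2030, 1, 1), False, 10_000, 100_000, 4),
]
REVIEW_DATE = date(2022, 6, 1)
```

Calling `prioritise(INVENTORY, REVIEW_DATE)` returns the payroll mainframe first (all four tests failed, risk 25) and the badge controller second (updates impossible, risk 12); the supported, patchable HR portal does not appear in the backlog at all.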
Conclusion
There is no denying that legacy systems are still operating in abundance across multiple public and private sector organisations. But this isn’t sustainable, and there are things we can do to improve the situation. To continue to ignore this is putting us all at risk, so we need to consider a programme of modernisation based on criticality and impact on our organisations. The time is now to tame the beast. Let’s work to upgrade the systems so that the only legacy you leave in any organisation that you touch along your career is that of “The one who tamed the beasts”.
About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.