Two years ago, a data analytics and technology company in the US experienced a major cyber-attack that impacted more than 150 million Americans. The company discovered that one of the systems at the heart of that attack dated to 1970.
"Legacy systems exist not just in the fast-moving consumer goods sector but across all industries," said Bobby Ford, global CISO at FMCG major Unilever, speaking at Infosecurity Europe in London. "It also exists in the government as well."
Any outdated computer system, programming language, software application, process or other technology that has passed beyond the present ambit of support and maintenance, yet still remains essential to the organisation that runs it, can be termed a legacy system. Simply put, such systems cannot be replaced or updated easily.
"The simple solution would be to decommission them. However, these legacy systems support some critical business processes, and because of that, we can’t just get rid of them," said Ford.
A recent survey of 600 leaders in government and industry found that 34 percent were concerned about the vulnerability of legacy systems. "Our systems are ageing and our ability to replace them is slowing down," he said. "As these systems age, the threat increases for them. And we can’t update the systems fast enough to stay in front of the threat."
A 2018 study by Dell Technologies found that 57 percent of global executives said they struggle to keep up with the pace of digital change. The pace at which the WannaCry attack hit and spread in May 2017 was possible because of legacy systems. The trouble has grown beyond a case of mere patching into a full-blown, quantifiable business risk, said Ford.
Business risk is not just a system going down, but the inability to ship products, manufacture goods or invoice your customers, he said. "Business risk is losing the faith of your consumers or customers."
According to Ford, the solution begins with having "engaging conversations" with business partners to understand the organisation's most critical business systems. "We can’t define what’s most critical, only the business can define that," he said, using the analogy of a man explaining to a hardware professional which electronics in his home are essential. Once the priorities are ascertained, the threats associated with them can be assessed.
"I’ve said this my entire career; if we are going to be successful as professional security risk managers, we have to be able to prioritise. We cannot do everything and we cannot secure all systems. We have to work with the business to identify the most critical systems, and then try to secure those," he said.
"We identify them and we patch when possible. When patching is not possible, we segment them. When segmenting is not possible, we monitor them."
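The prioritisation ladder Ford describes (let the business rank criticality, then patch where possible, segment where patching is not, and monitor where segmentation is not) can be turned into a small triage script. The following is an added example, not code from the article or from Unilever; the inventory, the criticality scores, the support-end dates and the "today" date are all constructed for illustration, and the field names are assumptions about what an asset register would carry.

```python
"""Triage a legacy-system inventory along the patch > segment > monitor ladder.

Added example: the inventory and dates below are constructed, not real assets.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LegacySystem:
    name: str                       # hypothetical asset name (constructed)
    business_process: str           # the process the business says it supports
    criticality: int                # 1 (low) .. 5 (critical), set by the business owner, not by security
    support_ended: Optional[date]   # vendor support end date; None means still supported
    patch_available: bool           # a fix exists and the system can safely take it
    can_segment: bool               # the network around it can be isolated


def years_unsupported(system: LegacySystem, today: date) -> float:
    """How long the system has been outside vendor support (0.0 if still supported)."""
    if system.support_ended is None or system.support_ended > today:
        return 0.0
    return (today - system.support_ended).days / 365.25


def control_for(system: LegacySystem) -> str:
    """Pick the strongest control that is actually feasible for this system."""
    if system.patch_available:
        return "patch"       # patch when possible
    if system.can_segment:
        return "segment"     # when patching is not possible, segment
    return "monitor"         # when segmenting is not possible, monitor


def triage(inventory: List[LegacySystem], today: date,
           min_criticality: int = 4) -> List[Tuple[str, str, int, float]]:
    """Shortlist the business-critical systems and order them for attention.

    Ordering: highest criticality first, then longest out of support, then name.
    Returns (name, control, criticality, years_unsupported) tuples.
    """
    shortlist = [s for s in inventory if s.criticality >= min_criticality]
    shortlist.sort(key=lambda s: (-s.criticality, -years_unsupported(s, today), s.name))
    return [(s.name, control_for(s), s.criticality, round(years_unsupported(s, today), 1))
            for s in shortlist]


# Constructed sample inventory; every value here is invented for the example.
SAMPLE_INVENTORY = [
    LegacySystem("invoicing-mainframe", "customer invoicing", 5, date(2010, 4, 13), False, True),
    LegacySystem("plant-hmi-01", "manufacturing line control", 5, date(2014, 4, 8), False, False),
    LegacySystem("erp-core", "order to cash", 5, None, True, True),
    LegacySystem("hr-portal", "payroll self-service", 3, date(2012, 1, 1), False, True),
    LegacySystem("warehouse-scanner-gw", "shipping", 4, date(2016, 1, 12), True, True),
]
SAMPLE_TODAY = date(2019, 6, 1)  # constructed reference date


if __name__ == "__main__":
    for name, control, crit, years in triage(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{name:24s} criticality={crit} unsupported={years:4.1f}y -> {control}")
```

The point of the script is the order of decisions, not the numbers: criticality is an input from the business owner that the script never computes, and the control chosen for each system degrades only as far as the constraints force it. Systems below the criticality threshold are left out of the shortlist on purpose, because, as Ford puts it, not everything can be secured.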