A vast majority of IT decision makers at UK firms are still permitting the use of legacy apps within their organisations' networks in order to access historical data even though they are well aware that such apps could leave their networks wide open to security threats.
With GDPR being in force and organisations across all sectors ramping up their cyber-security spending to tackle emerging threats and to defend their networks against new forms of malware, ransomware, and DDoS attacks, it would be normal to assume that a majority of them have replaced their legacy applications with modern, more efficient and more secure ones.
However, despite the widespread adoption of new technologies and a fast-evolving threat landscape, a vast majority of organisations in the UK are still clutching on to their legacy applications just because such apps allow them to access historical data or to perform other operational tasks.
A survey of 100 IT decision makers commissioned by software solutions developer Macro 4 has revealed that 89 percent of them are still running their legacy apps "on life support" to access historical data, even though 87 percent of such decision makers know that legacy apps leave businesses open to security threats and 93 percent of them know that such apps eat up resources that could be more productively used to support digital transformation.
According to Jim Allum, director of Commercial and Technical at Macro 4, legacy apps not only allow access to historical data but also allow businesses to respond to customer queries and contain information necessary for compliance or business intelligence.
"Businesses can't afford to lose access to all that data so they just keep the old applications on ‘life support', which causes a lot of problems. Old systems are typically harder to fix when they go wrong, harder to keep secure and cost more to support – that's if you can find people with the right legacy skills.
"It creates a huge burden, especially where companies are running dozens or even hundreds of legacy applications – which is surprisingly common. As legacy applications pre-date the latest security innovations there is a clear security risk to having a lot of legacy within your application portfolio," he said.
A major reason why a majority of UK businesses are not replacing legacy apps with modern ones is that the integration of legacy systems with newer applications is often difficult and instead of achieving a seamless digital experience, many businesses end up with silos of data.
While 54 percent of IT decision makers surveyed by Macro 4 said that they feel it is too difficult to move the data somewhere else while keeping it easily accessible, 39 percent said business users are resistant to getting rid of their old applications, and 32 percent said they don't have the required in-house skills to retire/decommission applications.
At the same time, 30 percent of IT decision makers feel it is too risky to decommission legacy apps as it may lead to data loss, 30 percent feel they do not have the required budget to decommission all their legacy apps, and 32 percent fear they will no longer meet their compliance obligations if they move their data from old apps to new ones.
According to Allum, instead of migrating enterprise or customer data directly from one app to another, which many IT professionals are reluctant to do, enterprises must move the data away from obsolete applications and into a content repository where business users can continue to access it, so that the original application can be retired. They must also ensure that the repositories can keep the decommissioned data safe, secure and compliant before such data is moved to newer applications.
Commenting on the fact that a majority of UK businesses are still clutching on to legacy apps, Ed Williams, director EMEA, SpiderLabs at Trustwave, told SC Magazine UK that he is saddened and angered by the results of this report in equal measure.
"In 2018 I would expect us to be better at security; we know that legacy apps cause security issues. In part, this proves that security isn't where it should be in the list of an organisations priorities and this is of concern.
"“Too hard” simply isn't good enough, organisations and IT decision makers have a responsibility to all involved (staff, customers, shareholders etc) to ensure that they are secure. They have to want to make the change, get the job done, if you're not moving forward in security you're going backwards, and this is the case here!" he said.
"It appears that there is a lack of understanding as to the potential impact when running legacy apps. This issue lies at the feet of the infosec community, we need to do better in terms of raising the profile around this issue and explaining clearly why this is a serious issue that should be addressed.
"Replacing legacy apps should also be something that becomes BaU (Business as Usual) or part of the culture for organisations, not something that's too hard, or too expensive – and this has to be driven by the IT decision makers," he added.