Legacy systems, or outdated software and hardware that are still in use, are still found at the heart of not just large organisations, but also smaller firms that have been operating for a long time. Despite the need of the hour to digitally transform, these systems may even remain in place for decades due to the cost and complexity of replacing them. Most of these are not compatible with modern technologies, including cloud-native workflows and cybersecurity solutions, and may require expensive transitioning for businesses to gain the best value.
Many organisations are unwilling to upgrade legacy systems for new, more secure models due to the fear of the unknown. They know changing core systems can be costly as it may involve hiring external consultants and requires extra resources with specialised skill sets to manage. Legacy systems are also difficult to replace, especially if a system plays a role in powering critical business processes. With these risks in mind, many IT leaders are willing to keep legacy systems despite the liability as there is potential for upgrading systems to be highly disruptive of their everyday business operations.
Legacy systems are security risks
Today, more than ever, legacy systems pose a major threat to organisations, making them highly susceptible to cyber attacks. Data stored within legacy systems is usually not connected to a cloud service and is therefore harder to access and secure. This data could be easily lost as it is not backed up and supported by up-to-date security protocols integrated with modern systems that many enterprises use to protect their data against threats. In a way, its isolation makes it increasingly tempting for hackers.
When legacy systems were first built years ago, cyberattacks were not as advanced as they are now. Several years and countless technological advancements later, the threat landscape is vastly different and is constantly changing. Threats are more sophisticated and cyberattackers are more tactical, making organisations with implemented outdated systems easy targets, especially to new and emerging threats.
In 2020, cybercrimes in Singapore reached a total of 16,117 cases, according to the Singapore Cyber Landscape 2020. The manufacturing, retail and healthcare sectors were among the top victims of ransomware attacks, which showed a significant 154% increase from the previous year with a total of 89 reported cases.
Legacy systems are often targeted by cyber criminals. Last year, a Singaporean e-commerce giant received an attack on its online supermarket platform, where 1.1 million users’ personal information, including names, numbers and partial credit card numbers, were stolen. Its cybersecurity team detected the customer database was taken from a legacy system, which was more than 18 months out of date at the time of the attack. The company has since stopped using the system and taken the necessary actions to strengthen its cybersecurity.
A global market for renting Ransomware-as-a-Service (Raas) is also increasingly becoming prevalent, where attackers strike users through exploit kits. This service is usually offered by cyber criminal groups that rent out ransomware to malicious attackers through portals or threads on hacking forums. By renting out ready-made ransomware codes, cyber criminals can easily penetrate the networks of vulnerable users, such as those with legacy systems, through email phishing attacks, email spam campaigns and compromised credentials with the goal to gain access to corporate data.
Battling the growing cyber landscape
Cyber criminals adapt and evolve, quickly becoming more sophisticated in using advanced exploits, which allow them to easily infiltrate legacy systems. The ease with which they can gain access was demonstrated when a food and beverage e-commerce organisation in Singapore found that their servers and devices were infected with NetWalker, a common ransomware strain. A note was found, instructing the victim to view the ransom demands through a webpage on the Dark Web. The company could not retrieve its data as its backups were also on the affected servers, forcing it to rebuild its IT system from the beginning.
Although it is currently unknown if legacy systems were to blame in the attack on the food and beverage company, it is highly possible. Due to the risk and cost of replacing legacy systems, its stability as tried and tested platforms appears too appealing to organisations.
It’s easy to say that organisations should update their systems to prevent cyberattacks. Migrating from old technology to new ones can trigger disruptive outages, which can cause whole systems to go offline, lose data, or stop working altogether. It is not surprising how many organisations will choose to keep the systems in place to avoid this, taking the chance of a possible cyberattack over outages. However, as the F&B company lost all its data, the incident underlines one of the biggest issues of using legacy systems — the inability to patch and update software.
Investing in a secure future
With all its pros and cons, it is imperative for organisations to balance the needs of their business with the risks associated with the outdated systems they use and manage how to prioritise the most crucial aspects of their operations. First, they should not neglect their network security and the valuable information their tools can provide, especially when legacy applications are involved. Network detection and response can help organisations eliminate blind spots, while enabling the ability to respond fast to any potential threats without having to go through mountains of logged data.
Second, it is important that organisations invest in tools with automation to assist strapped cybersecurity teams. Leveraging cloud-scale machine learning to analyse network traffic can help build a picture around what constitutes a normal network, so that anomalies are easily recognised and classified as potential threats.
Finally, with the onset of hybrid work, telemedicine, and newer ways of doing business, having a plan for digital transformation is an absolute necessity not only for protecting business data and maintaining operations, but also for future-proofing the business and ensuring that it will stand the test of time. Organisations need to plot out a realistic timeframe and understand their tolerance of risk.
All in all, there are many risks involved in not upgrading legacy systems, such as limited security protection, inefficiency in processes and the lack of data insights. In our competitive world, it is crucial for businesses to stay ahead of the game by digitalising their infrastructure and making use of the current technology to protect their business from sophisticated cyberattacks. Organisations can no longer ignore their exposure to today’s advanced threats due to legacy systems. By prioritising the right technology, partners, and plan, they can benefit from higher security standards as well as deliver improved performance and reliability with a reduced maintenance cost.
