It’s true to say that that with the exception of new start-up’s, most businesses have legacy systems to manage. This can be for a multitude of reasons:
Firstly, these may be systems inherited and are thus considered, rightly or wrongly, too low risk and therefore not imperative to upgrade; couple that with the cost to upgrade and potential upheaval associated with that, makes the removal of legacy systems an unappealing option.
In a recent InfoWorld article it stated that there was a “lack of attention to legacy systems where as much as 80% of business data is stored…”
Considering recent challenges that businesses have faced, knowing that 80% of valuable business assets are at potential risk is startling, and acknowledging that these vulnerabilities could potentially leave that open door to cyber criminals is the start to addressing how to protect your assets.
If these business systems, that we so heavily rely on, are in fact neglected in terms of cyber security – particularly if you have a lack of clarity on your controls, as well as budgetary and human resources constraints – this is creating a perfect storm that could threaten the very heart of your organisation.
Consider this – how would your business cope under cyber-attack?
We know this is a question that keeps CISO’s and CIO’s up at night, but the challenges they have faced over recent years have presented and accentuated the issue even more – are your systems resilient?
With so much changing, is your business at greater risk of a Cyber Attack?
Many organisations cyber efforts have focused primarily on customer facing activities, meaning ‘back doors’ into your business are being left open. However, legacy systems are easy to neglect when they are seemingly working so efficiently.
The Verizon 2021 Data Breach Investigation Report found that 80% of cyber attacks gained access via issues with ID’s and passwords, a seemingly simple way to access business data. So now it is even more important than ever to focus your efforts to help protect and control employee engagement and supply-chain partner access to all your key systems via log in and interfaces.
The QO View: Protecting your legacy systems to protect your security posture.
1. Ensure you have total Board focus and budget support
This is the top priority – demonstrating that legacy systems are a potential threat by demonstrating the gaps in your controls and processes are the first imperative step. You must have senior buy-in in to accomplish any of the steps we recommend.
2. Obtain visibility of your assets and the data it holds
Does it hold data and how valuable is it to your business? Understanding how it interacts with other systems is vital in knowing the scale of the potential risks. Also, do have a complete understanding of where all of your legacy systems are? Is there an inventory of them?
3. Explore what can be redesigned
What systems can be redesigned and improved in order to protect your security posture? This could be as simple as testing and upgrading components to supported versions. You may be challenged on this if it is an exercise previously tried before, however, sometimes with the right focus from the right person, this can be executed with high success.
Another avenue to explore is the move to the cloud; potentially this can be more timesaving in the long run, but challenging in an environment with budgetary constraints.
4. Isolate legacy kit and restrict access control
This is often not ideal for legacy solutions. However, by providing a controlled “front door” access, often through VDI or some kind of proxied solution and ensuring “back door” access via controlled PAM solutions (CyberArk etc.), will strengthen protection.
5. Where you can – patch and secure
Again, not always possible with old solutions, but where you know you can, consider implementing a test or pre-production system to test and assess risk for the environment.
6. Retain the staff and supply chain that maintain your legacy kit
Have you looked around your team lately and noticed anything?
As business leaders it is very easy to oversee the people that just “get on” with their jobs. People that have perhaps been there for some time, but we just don’t have time to check in with.
We are not suggesting that this is a deliberate act – we all do it – but what we may be missing is the fact that those people may be bored, suffering from alert fatigue, and possibly thinking about leaving and the only thing that might be keeping them there is the apathy to leave and a solid pay cheque – not positives if you want to get the most out of your team.
However, this does not mean that you should not act to retain these team members – don’t forget they have the knowledge, they know the legacy systems, and this is invaluable.
So consider how they can help you in protecting these systems WITH them, not only because they have the knowledge, but by engaging with them and challenging them to support you with solutions. This will not only make their day-to-day job far more interesting, but will also help you secure your environment.
Also consider engaging with some graduates who could support you in figuring all the legacy operations out, this will not only remove some of the risks of only a few understanding the legacy equipment in place, but mixing experience with youth can often create incredible results.
There’s one more thing you may want to consider….
Monitoring your cyber environment with Continuous Controls Monitoring
Multiple platforms, multiple compliance frameworks – legacy systems are a potential amalgamation of the perfect storm that truly only helps the cyber criminals that want to infiltrate your business.
You may think your legacy kit is low risk, so you don’t feel any action is needed. But truly – how confident are you of that?
Are you monitoring all of your platforms and systems? We don’t mean taking a snapshot in time, but truly monitoring them, continuously so that you have the ultimate truth in your security posture, because if you are not, then you need to consider how you create the security around the perimeters of your business.
Consider these questions:
- How do you know all of these things you depend on are working properly?
- Has anyone changed anything that may have opened the door to criminals and placed you at higher risk?
How does Continuous Controls Monitoring answer these questions?
- CCM can monitor any of your data, which includes any legacy systems you may have.
- Real-time, 24/7, accurate monitoring of your controls and compliance to provide you with a single source of truth
- Operational efficiency – alleviating the pressures from your teams
- Providing risk quantification – gather the data you need to understand your risk.
Essentially combining of all of these things, attempting to lock down systems and implement continuous controls monitoring will bring cohesion and security to your cyber environment and ensure continued compliance.
Want to find out more about the benefits of CCM? Take a look a look at a recent infographic