The Cybersecurity Report by Cisco found that legacy technologies remain a significant cybersecurity challenge for organisations.
According to the report, 63% of respondents said their organisation still relies on legacy systems, and 53% said those systems were more vulnerable to cyberattacks.
According to StatCounter, the percentage of Windows users worldwide using the XP version of the OS currently stands at 0.4%. For an OS whose official support ended in 2014 but which is still deployed worldwide, it’s a significant number.
However, findings like these don’t hold true for all regions. In some cases, emerging and developing countries have been found to have more advanced, and therefore more secure, tech stacks. The reason is that companies in emerging markets started their digitisation journeys more recently than their peers in developed markets. Many of these companies therefore do not have legacy systems holding them back, which makes it relatively easier to deploy and integrate security solutions across their entire IT infrastructure and gives them an edge over peers in developed countries.
Organisations are exploring different pathways to data modernisation
With the rising sophistication of cyberattacks and a shortage of cybersecurity skills, IT executives are turning to third-party cloud and managed security services to secure their data. One of the major drivers for this trend is also increasingly stringent cybersecurity compliance requirements. In fact, cybersecurity and data protection is one of the top drivers for cloud migration, followed by data modernisation.
A Deloitte study suggests that cloud and data modernisation are interrelated and reinforce each other. Cloud also offers operational agility, greater efficiency, and a range of solutions and options from established tech vendors compared to legacy tools. While the benefits of transitioning to cloud are seldom in dispute, the practical implementation is often its Achilles' heel. Cloud migration tends to be more complex than expected, and as long as workers need to access data held on legacy platforms, cloud migration will always be a work-in-progress.
Legacy technologies also present a thorny security challenge for organisations. Meeting industry or regulatory requirements while managing security across different generations of technology can quickly spiral into an unmanageable task. In practice, many organisations simply ignore their legacy tech issues and work around them as best they can. This is common in many types of hybrid IT infrastructure builds. But the longer the legacy tech issue stays unaddressed, the more tech gets layered on top of it, and the more difficult, complex and expensive it becomes to fix.
Continuing to use legacy tools in a hybrid infrastructure without adequate security can lead to several complications, including:
Increased vulnerabilities: Legacy tools are often outdated and may not receive regular security updates or patches. This makes them more vulnerable to cyberattacks, especially in a hybrid infrastructure that uses multiple technologies and has complex security requirements.
Lack of integration: Legacy tools may not be designed to integrate with modern security solutions, making it challenging to implement a comprehensive cybersecurity strategy across the entire hybrid infrastructure. This can lead to gaps in security and leave the infrastructure open to attack.
Compliance issues: Depending on the industry and location, there may be regulatory requirements for data privacy and cybersecurity that must be followed. Using legacy tools that are not compliant with these regulations can result in fines and legal issues.
Increased costs: Maintaining legacy tools in a hybrid infrastructure can be costly, requiring specialised expertise and resources. This can lead to a drain on resources that could be used to invest in more modern and secure technologies.
Barrier to implementing Zero Trust security: Legacy technologies are a significant barrier to implementing Zero Trust security, a security model focusing on continuous authentication and access control.
Companies that rely on legacy technology may be more vulnerable to cyberattacks because their outdated security features, including weak encryption, lack of multi-factor authentication, and outdated firewalls, are no longer effective against modern cyber threats.
Legacy technology can also be difficult to integrate with newer security tools and technologies, making it more challenging for companies to implement a comprehensive cybersecurity strategy.
How to approach security when decommissioning legacy applications
When moving your old applications to a hybrid cloud, you have two options to keep them secure.
First, you can leave the application as it is and add security services specifically for the cloud around it. But this might only allow all-or-nothing access to the application and data.
Your second option is to modify the application to use security services based on user access controls. This way, you can control exactly who has access to what in a very detailed way. But it usually requires some changes to the application itself, which might be more work.
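The difference between the two options, sketched as an added example that is not from the original article. The record store, group names and policy table are constructed for illustration; the first reader wraps an unmodified legacy function, the second represents the application after it has been changed to check access per record.

```python
from dataclasses import dataclass

# Constructed sample data: records held by a hypothetical legacy application.
RECORDS = {
    "inv-1001": {"dept": "finance", "body": "Q1 invoice"},
    "hr-2001": {"dept": "hr", "body": "salary review"},
}

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

def legacy_read(record_id):
    """Unmodified legacy code path: it has no notion of who is asking."""
    return RECORDS[record_id]["body"]

# Option 1: security service wrapped around the application.
# It can only admit or reject the caller as a whole.
ALLOWED_GROUP = "legacy-app-users"  # hypothetical group name

def wrapped_read(user, record_id):
    if ALLOWED_GROUP not in user.groups:
        raise PermissionError(f"{user.name}: not admitted to the application")
    return legacy_read(record_id)  # once inside, every record is readable

# Option 2: application modified to authorise each record against the user.
POLICY = {"finance": {"finance-staff"}, "hr": {"hr-staff"}}  # dept -> groups

def modified_read(user, record_id):
    record = RECORDS[record_id]
    # Default deny: a department with no policy entry grants nothing.
    if not (POLICY.get(record["dept"], set()) & user.groups):
        raise PermissionError(f"{user.name}: no access to {record_id}")
    return record["body"]

def readable(read_fn, user):
    """Return the sorted record ids that `user` can read through `read_fn`."""
    allowed = []
    for record_id in sorted(RECORDS):
        try:
            read_fn(user, record_id)
            allowed.append(record_id)
        except PermissionError:
            pass
    return allowed
```

A finance user admitted through the wrapper can read the HR record as well, while the modified application returns only the finance record to the same user.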
Like security, governance can be managed at the level of resources, applications or data. But if you want to govern at the service level, you might again need to make some changes to the application. And that could significantly affect the cost and risk of your project.
Not ready to move to the cloud yet? Fortify your hybrid IT infrastructure.
Not every organisation will be willing or able to make a full transition to cloud; some will instead rely on hybrid IT infrastructure with some legacy components in play. Here are some steps they can take to ensure security:
Keep your legacy systems up-to-date. Even though your legacy systems may be old, it's essential to keep them updated with the latest security patches and updates. This will help prevent known vulnerabilities from being exploited.
Implement access controls. Limit access to your legacy systems to only those who need it. Implement strong passwords, two-factor authentication, and other access controls to ensure that only authorised personnel can access these systems.
Monitor network traffic. Use monitoring tools to detect and block unauthorised access attempts, unusual network traffic patterns, and other suspicious activity. This will help you quickly identify and respond to any security incidents.
Encrypt data in transit and at rest. This will protect your data from interception and theft.
Conduct regular security audits. Regularly audit your security infrastructure to ensure it meets industry best practices and compliance requirements. This will help you identify any security weaknesses and take steps to address them.
Invest in modern security solutions. Consider investing in modern security solutions such as firewalls, intrusion detection and prevention systems, and endpoint security software.
While these solutions can help protect your legacy systems and data from cyberattacks to some degree, they are no substitute for modernising legacy systems and migrating to newer technologies.
Vulnerability to cyberattacks is not solely dependent on the use of legacy technology. Companies of all sizes and industries can be targeted by cybercriminals, regardless of their technology infrastructure. It's essential for companies to regularly assess their cybersecurity risks and implement appropriate measures to protect their systems and data.