Are your legacy systems an open door to cyber attacks?

Often the business systems you rely on most can be the most neglected. They have been running well for years without much attention. The assumption is that this situation will continue and the business can focus and invest in more ‘sexy’ solutions. However, long held assumptions must be challenged.

Facing new workplace realities

It can be daunting to look back on the events of the last few years and the list of issues we have all faced with the often-unexpected impacts on our employees and ways of working.

The threats posed to business are changing. Are our long-held assumptions still valid? Are our organisations as secure and resilient as they need to be? Is it time to take stock and develop new strategies?

The pandemic drove employees to work from home and it seems as if a more hybrid working model is here to stay. This has pushed out the security boundaries of organisations and introduced new points of vulnerability.

No longer are the vast majority of staff accessing business systems from the relatively secure environment of the office. Employees now need access to core systems via their home internet or mobile devices.

The Great Resignation

The COVID-19 pandemic also prompted the phenomenon known as the ‘Great Resignation’. It has seen record numbers of people change jobs or simply leave the job market completely. However, The Institute of Employment Studies sees this more as the ‘Great Retirement’ with many over 50s falling out of the UK workforce.

UK labour market statistics have shown that there are now 180,000 fewer over 50s in work than before the pandemic. Is your organisation in danger of losing long term staff who’ve kept your key legacy systems running smoothly?

We believe that the pendulum will swing back towards the office. People whose first job was working from home will realise the importance of forming relationships, teamwork, collaboration and taking on leadership roles. Nevertheless, we need to continue to be aware of the impacts of hybrid working and adjust accordingly.

Supply chain upheavals

The pandemic, the war in Ukraine and Brexit have shone the spotlight on supply chains and led to governments and businesses questioning the benefits of globalisation. Even after two years of COVID-19, supply chain surprises continue to emerge.

CNN recently reported, “China's unwavering commitment to stamping out COVID by locking down big cities such as Shanghai threatens to deal a hefty shock to its vast economy, place more strain on global supply chains and further fuel inflation.”

Shanghai is China’s most populous city at 26 million, home to its leading financial centre, and some of its largest sea and airports. Lock down here will have a much greater impact on global supply chains than the closure of the likes of Wuhan, China’s 9th largest city with a population of eight million. This is just one of many examples of why organisations are looking again at their key suppliers. It, in turn, will impact supply chain and production systems to which trusted partners are given access.

There is a significant increase of supply chain risk across all our industries. It suggests that as a nation we must maintain some capability in the UK so that we do not lose the competencies essential to our supply chain.

In IT this can mean we ensure all work is properly documented, and all teams contain a UK-based employee so that we can always re-train our technical staff. We also need to be able to rapidly skill-up new employees if our remote workers suddenly become unavailable.

Increased cyber threats

Hybrid working and the changes in supply chains will increase vulnerabilities. This is compounded by ever evolving threats from cyber attackers and an increased level of danger from state-sponsored bad actors.

Many expected Russian cyber attacks against Ukraine. The Ukrainian government called on the ‘hacker underground’ to come to its defence which has offered some levels of protection.

A more complete understanding of the impact of the cyber element of the Russian attack of Ukraine will not be possible until after the conflict ends. However, The Council on Foreign Relations has already identified numerous malware and denial of service attacks on Ukraine which have been kept off the front pages by more traditional warfare.

If the war continues and deepens it is likely that other nations, businesses and supply chains could see increased cyber attacks from Russia and other sources of state-sponsored cyber aggression.

Protect your systems of record

With so much changing over the last few years, is your business now at greater risk from cyber attack? A large proportion of cyber security effort has been focused on newly installed systems and apps which are often customer facing. This is important but have you left an open door to vital legacy systems?

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

It is easy to neglect them if they have been running well for years, but how would your business cope if systems of record, production and supply chains were disrupted by cyber attack?

The Verizon 2022 Data Breach Investigations Report found that over 80% of cyber attacks gained access via issues with users’ IDs and passwords. Therefore, it is especially important to focus efforts on protecting and controlling employee and supply chain partner access to key systems via logins and interfaces.

Six ways to reduce your organisation’s risk of cyber attack

There are numerous areas to look at when increasing protection against cyber attack, but here are six things an organisation can do:

1. Maintain engineering practices and standards – invest in ensuring your design approaches encompass best practice. Turn this into a key business benefit for your customers by ensuring compliance with standards such as OWASP and WCAG 2.1 AA. Also comply with GDS standards to win business across the public sector from which non-compliant organisations are excluded.
2. Identify and prioritise new risks – the world has changed and it’s time to think the unthinkable. Consider putting in place a formal review of the impact of what has happened over the last few years looking at the threats from hybrid working, supply chain upheavals and the introduction of new supply chain partners. Remember to include in the review the turnover of staff and the impact of losing experienced employees with knowledge of running key legacy systems. Mitigation steps can then be developed once the new risks are known.
3. Proactively work to retain experienced staff – create a culture that is anti-ageist. Invest in line-management training including policies related to older workers such as managing employees with long-term health conditions. Implement mid-life career reviews and plans, recognising that deep expertise gained over years is just as valuable as management ambitions and a desire to climb the hierarchy. The use of BCS, the Chartered Institute for IT SFIA+ – IT skills provides an excellent way for your staff to realise how good they are and how effective they can be.
4. Focus on knowledge management and effective processes – with an increase in hybrid working, greater turnover of employees, the potential loss of experience and more volatility in suppliers, it is important to have a robust approach to all your processes. Focus on security including on-boarding, leaver processes and user access to systems. Take a look at the creation and removal of user IDs, password management and the potential adoption of new authentication tools.
5. Look to the cloud – many corporate functions now use cloud-based applications, but has your organisation considered transitioning legacy systems to the cloud too? This may not be appropriate for every system or organisation, but systems in the cloud typically benefit from enhanced security built by industry experts and increased availability.
6. Learn from the experts – UK businesses benefit from the leadership and guidance from the National Cyber Security Centre. Ongoing initiatives such as Cyber Essentials point the way to making your organisation more secure against cyber attacks and there are regular information updates and advice on evolving threats, such as those resulting from the invasion of Ukraine and elevated risks from Russia.

The world looks very different from the start of this decade. If we accept that there has been an accumulation of interdependent changes and address them head on then it is perfectly possible to create the mitigation strategies needed to protect organisations against heightened cyber threat levels.