Thu, Nov 12, 2015

Removing Risk From Legacy Technology: When Systems Are So Old They Are “Indefensible”

Your company wants to innovate, but it is being held back by the enormous expense that would come from updating legacy technology. This problem is often viewed through the lens of stifling company growth; however, neglect of legacy hardware or software may also increase cyber security risk. Consider this along with budgetary concerns, because a breach of data originating with old, unsupported or unpatched systems might just be your CIO’s worst nightmare.

When the federal Office of Personnel Management (OPM) announced its breach of sensitive government employee records in early 2015, it was later revealed that the data was not encrypted because the computer systems that stored the files were too old to be updated. Since that time, the conversation has escalated, with many federal officials now in agreement that the aging technology still in use by many agencies is an inherent security risk. Some federal CIOs are speaking up, telling their legacy technology “horror stories” in an effort to illustrate just how great a risk may be present.

Outdated technology is only one piece of the cyber security puzzle, but it has an insidious way of affecting many organizations before they realize it. Software and devices that were, at one time, the secure workhorses of the organization can become risky and unreliable if given enough time and sufficient levels of indifference. This isn’t a “wait and see” issue; waiting could lead to an “indefensible” position, as explained by Michael Daniel, White House cyber security coordinator: “We’ve got architectures in various places and hardware and software that is indefensible no matter how much money and talent we put on it.”

We wrote about this issue earlier this year, offering a list of issues to explore. Take a look; it might help you begin the conversation at your own company on how to handle the inherent security risks of legacy technology.

By Kroll Editorial Team
