Directors need to be aware of the security and operational risks posed by old and out-of-date IT systems, say cybersecurity experts.
Defined by the Australian Signals Directorate (ASD) as “end-of-life products or those no longer receiving support from their manufacturer or vendor”, legacy IT systems don’t receive the security updates and bug fixes that current systems do. Additionally, engineers fluent in the programming language a legacy system was written in may no longer be available to maintain it, and many such systems were not built with security in mind, because today’s cyber threats didn’t exist when they were designed. All this leaves legacy IT highly vulnerable to outages and cyberattacks, and a compromised legacy system can open the door to the rest of the organisation for attackers.
“Keeping legacy IT in your IT environment therefore increases the risk that your organisation will experience a cybersecurity incident,” says the ASD. “It can also make any cybersecurity incident that does occur much more impactful. There are also significant business risks associated with legacy IT in your IT environment. For example, legacy IT can increase the likelihood that your organisation will have systems taken offline, service delivery disrupted, data destroyed or leaked, and public confidence lost.”
Luke Clifton, group executive marketing at Macquarie Telecom and chair of the not-for-profit Australian Men’s Shed Association, says directors need to understand the risk posed by legacy IT and then work through a recognised cybersecurity framework, such as the NIST Cybersecurity Framework or the Australian Cyber Security Centre’s Essential Eight, to ensure they have the appropriate governance and controls in place.
“Educate yourself on it — it’s not hard,” says Clifton. “Then start asking some questions of your executives at the next board meeting. In some cases, we’ve seen boards set up their own cybersecurity subcommittees to become more expert at the questions they should be asking and [to get] on top of reports they should be looking at. This is not difficult, but it does take a bit of effort, a bit of reading, a bit of time and a bit of an immersion around it. Everyone can do it.”
Director responsibility
The warnings about legacy IT come as the government is pursuing significant changes to cybersecurity and privacy regulatory settings, including changes to the Privacy Act 1988 and the Security of Critical Infrastructure Act 2018.
Banks and other financial institutions, and the telecommunications sector — last year’s Optus outage notwithstanding — have done a good job of managing their legacy IT systems, says Clifton. But mid-market businesses with 200–2000 employees often struggle to hire and retain qualified cybersecurity professionals and so can lack some of the fundamental cybersecurity controls. NFPs, which can hold a lot of sensitive information about individuals, are particularly at risk, he notes.
Professor Matt Warren, director of the RMIT University Centre for Cyber Security Research and Innovation, advises boards to consider cybersecurity as a business risk rather than just an IT risk — to constantly review the organisational posture and investment in cybersecurity.
“By considering the legacy systems as a high risk to the organisation, it would have to be reported to the board or the risk committee on a regular basis,” he says. “This ensures that the board has an oversight of the risk and will be informed of any issues.”
What’s the risk?
Peter Woollacott MAICD, CEO and founder of IT security company Huntsman Security, outlines several questions the board or risk committee should be asking IT and security teams. What is the state of our vulnerabilities within our system? What is the state of our patching? Are there vulnerabilities that we can no longer close off with an update or a patch? Can we identify those vulnerabilities — or the assets concerned?
“The board should be getting a picture from the security team as to what risks are starting to become issues at an IT level, which may translate into an operational risk at some time in the future,” says Woollacott.
Whether to replace an IT system is a difficult and likely expensive decision, so shouldn’t be left solely in the hands of the security team. Additionally, there can be tension between the security team — which sees the risk — and the business team — which is using the asset and might prefer to leave things as they are. And while replacing a legacy IT system might deal with security risk, the operational risk arising from a major IT project also has to be considered.
“The chief information security officer can’t be expected to make a decision that we need to invest $100m in a new banking system,” says Woollacott. “It needs to be a corporate decision, but they need to provide that information up to the board that says, ‘this is now costing us a lot of money and I’m worried that we’ve got exposure here’.”
Cost-benefit analysis
Weighing up whether or not to replace a legacy IT system requires a cost-benefit analysis, says Peter Jones, a telecommunications partner at law firm Herbert Smith Freehills. “Your risk team might provide some views around trying to calculate or quantify what the extent of that risk looks like — to aid in that decision around how we make the decision, whether or not this risk is now unsustainable for the organisation,” he says. “You’re trying to find the most effective and efficient way of running your business within an appropriate risk parameter. So any decision that will incur significant expenditure will automatically be considered through a prism of the cost-benefit analysis attached to that decision.”
A digital upgrade or change in business strategy is often an opportunity to replace a legacy IT system. Or replacement might even be a necessity because the old system is not capable of fulfilling new business requirements. While a lot of organisations are moving systems to the cloud, this does not absolve directors of their responsibilities for non-financial risk management with regard to IT.
“The question doesn’t necessarily dissipate,” says Jones. “It just changes from being something we can potentially control to being something that sits outside our control. If you’re entering a cloud arrangement or something similar, where a third party will be managing the platform, it’s being clear around the extent to which that third party has the appropriate levels of security.”
He adds that dealing with legacy IT issues should never be a set-and-forget exercise because new problems continually arise and more systems are continuously becoming out of date.
Legacy cyber threats: Key questions for boards to ask
Phil Goldie GAICD is managing director and vice president of Okta ANZ and a board member of the Children’s Medical Research Institute.
There is no doubt that outdated legacy systems compromise security. If you aren’t in a position to replace legacy systems, you must focus on improving your ability to detect, prevent and respond to cyber threats by adopting a zero trust approach and using modern identity practices.
Key question: Are our legacy systems well represented on the cyber risk register and what steps are we taking to ensure controls are being applied?
A zero trust approach empowers boards to stay ahead of the evolving threat landscape, safeguard data and improve resilience against cyber risks. It is not a question of “if” an attack will happen, but “when”. Zero trust challenges the traditional assumption of trust within an organisation’s network and treats every user, device and application as potentially malicious until proven otherwise.
Key question: How are we assessing our progress in zero trust strategies? Boards can ask the executive teams to use free or paid assessment tools such as Okta’s free zero trust assessment tool, which allows boards to see where they are on their security journey (okta.com/au/zero-trust).
Traditionally, cybersecurity strategies have centred on fortifying the perimeter and locking down applications, networks and services. However, this approach doesn’t address the many attack vectors that can breach these defences. A paradigm shift is happening. By placing identity at the core of cybersecurity, businesses are significantly reducing the risk of a breach. Among the updates to the Australian Signals Directorate’s Essential Eight Maturity Model last year was the introduction of requirements for phishing-resistant multifactor authentication (MFA). Phishing-resistant MFA is required at maturity level 2 and above for workforce access and must be offered as an option to customers of online services. This matters because only a subset of factors resists the reverse-proxy phishing kits attackers use: factors such as FIDO2/WebAuthn security keys and passkeys are bound to the website’s origin, so a login relayed through an attacker’s lookalike page fails, whereas SMS codes, app-generated one-time codes and push approvals can be relayed and do not qualify.
Key question: Are we mandating the use of MFA for access to key legacy systems where there is higher risk? How are we tracking and reporting this usage to ensure it’s being adhered to?
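To show concretely why only some factors survive an adversary-in-the-middle phishing kit, here is a constructed simulation, added to this article and not code from Okta, the ASD or the magazine. It runs the same relay attack against a TOTP code (RFC 6238, using the RFC’s test-vector seed) and against a WebAuthn-style assertion. The origins `bank.example` and `bank-login.example` are hypothetical, and the assertion “signature” is simplified to an HMAC with a per-credential key the server also holds; real WebAuthn uses an asymmetric key pair, but the origin binding being demonstrated works the same way.

```python
"""Constructed simulation: a TOTP code and a WebAuthn-style assertion, each
relayed through the same adversary-in-the-middle (AitM) phishing proxy.
Not code from Okta or the ASD. Signatures are simplified to HMAC; real
WebAuthn uses asymmetric keys, but the origin binding is identical."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://bank.example"         # hypothetical relying party
PHISH_ORIGIN = "https://bank-login.example"  # hypothetical attacker lookalike
TOTP_SECRET = b"12345678901234567890"         # RFC 6238 test-vector seed


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, unix_time // step, digits)


def server_accepts_relayed_totp(now):
    """The victim types the code into the phishing page and the proxy forwards
    it byte-for-byte. Nothing in the code records where it was typed."""
    code_typed_into_phish = totp(TOTP_SECRET, now)
    code_seen_by_server = code_typed_into_phish  # relayed unchanged
    return hmac.compare_digest(code_seen_by_server, totp(TOTP_SECRET, now))


def rp_id_from_origin(origin):
    return urlparse(origin).hostname


def sign_assertion(key, rp_id, origin, challenge, counter):
    """Build clientDataJSON (which names the origin) and authenticatorData
    (which starts with SHA-256 of the RP ID), then sign over both."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01" + counter.to_bytes(4, "big"))
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class Authenticator:
    """One credential per RP ID, like a security key or passkey store."""

    def __init__(self):
        self.credentials = {}
        self.counter = 0

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # the server keeps this as the credential's verifier

    def get_assertion(self, browser_origin, challenge):
        # The browser, not the page, derives the RP ID from its own origin.
        rp_id = rp_id_from_origin(browser_origin)
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential is scoped to the phishing origin
        self.counter += 1
        return sign_assertion(key, rp_id, browser_origin, challenge, self.counter)


def verify_assertion(key, challenge, assertion):
    """Server-side checks: type, challenge, origin, RP ID hash, signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False  # signed over the attacker's origin: reject
    expected_hash = hashlib.sha256(rp_id_from_origin(REAL_ORIGIN).encode()).digest()
    if not hmac.compare_digest(assertion["auth_data"][:32], expected_hash):
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def _enrolled():
    auth = Authenticator()
    return auth, auth.register(rp_id_from_origin(REAL_ORIGIN))


def legitimate_webauthn_login():
    auth, key = _enrolled()
    challenge = secrets.token_urlsafe(32)
    return verify_assertion(key, challenge, auth.get_assertion(REAL_ORIGIN, challenge))


def server_accepts_relayed_webauthn():
    """Proxy forwards the genuine challenge to a browser sitting on
    PHISH_ORIGIN; the authenticator has no credential for that RP ID."""
    auth, key = _enrolled()
    challenge = secrets.token_urlsafe(32)
    return verify_assertion(key, challenge, auth.get_assertion(PHISH_ORIGIN, challenge))


def server_accepts_cross_origin_assertion():
    """Even an assertion made with the genuine key fails if the signed
    clientData names the phishing origin."""
    _, key = _enrolled()
    challenge = secrets.token_urlsafe(32)
    forged = sign_assertion(key, rp_id_from_origin(REAL_ORIGIN), PHISH_ORIGIN, challenge, 1)
    return verify_assertion(key, challenge, forged)


if __name__ == "__main__":
    print("relayed TOTP accepted:", server_accepts_relayed_totp(59))
    print("genuine WebAuthn login accepted:", legitimate_webauthn_login())
    print("relayed WebAuthn accepted:", server_accepts_relayed_webauthn())
    print("cross-origin assertion accepted:", server_accepts_cross_origin_assertion())
```

The TOTP relay succeeds because the six-digit code carries no information about the page it was entered on. The WebAuthn relay fails twice over: the browser scopes the credential to the origin it is actually loaded from, so the phishing page cannot obtain an assertion at all, and even an assertion signed over the attacker’s origin is rejected when the server compares the origin and RP ID hash against its own. A board asking “is our MFA phishing-resistant?” is asking which side of this divide each factor in use falls on.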
Businesses should ask themselves if they have the right delineation between the applications they’re using and their ability to secure and govern those applications. There may be commercial advantages to bundling products from one provider, but the ability to isolate identity as a key technology pillar — as a standalone, neutral platform that works across any kind of technology, any kind of application, any kind of device — will be incredibly important in the future. Organisations with this mindset are better placed to withstand an attack.
Key question: How are we balancing the pressures of reducing spending in the current economic environment vs ensuring we have the right platforms and tools to ensure we’re secure?
This article first appeared under the headline 'Dubious Legacy’ in the August 2024 issue of Company Director magazine.