Outdated technology often acts as a company’s soft underbelly, leaving it open to cyber breaches. But the cost and inconvenience of moving from so-called legacy systems means such vulnerabilities are hard to address.
Companies and security providers are gradually realising that it is impossible to build impenetrable defences and keep out every attacker. Instead, the focus has shifted to ensuring that once a system has been compromised it is difficult for an intruder to leave with anything useful.
According to Net Applications, a web analytics company based in California, the third most widely used desktop computer operating system in the world is Windows XP. It is run on nearly one in 10 desktop computers even though Microsoft stopped writing and distributing security updates for it in 2014.
For many companies, the cost of replacing software for their entire stock of computers is prohibitive, even without factoring in the disruption it would cause. There are other issues to consider, too. Sometimes the legacy system may be running on computers housed inside expensive specialist tools. This is particularly true in industries with budget pressures such as healthcare.
Dan Taylor, head of cyber security at NHS Digital, the body that advises the UK’s National Health Service on cyber security, says the use of Windows XP persists in some unexpected parts of the NHS because of this problem. “You wouldn’t throw out your MRI scanner because it’s got XP,” he says.
Businesses — both those running legacy systems and the security consultants helping them with their data security — are learning that the most practical solution often involves accepting some level of security risk.
“In the past, the approach was to do nothing: the security challenge didn’t outweigh the risk of bringing the enterprise to a halt,” says Salvatore Sinno, chief security architect for Europe at IT company Unisys. “Now the approach is around three fundamental strategies: hardening the legacy systems; doing a formal risk assessment of a particular system to identify what elements are most at risk, and replacing that part of the system; and, in some industries, replacing the legacy system completely.”
Mr Sinno says there are several options open to organisations unable or unwilling to replace legacy systems.
“Businesses are putting more effort into having a better understanding of what damage security incidents can do,” he says. “At the same time they are starting to realise that it’s [about] how you respond to the security breach.”
An anonymous reporting culture can help organisations learn from cyber security mistakes, but just as vital is an awareness of the extent to which legacy systems are still in use. “If you count pharmacists, there are 40,000 NHS organisations,” says Mr Taylor, who is trying to find out how many of them still use Windows XP. “What we don’t know is the scale of the problem. Once we know . . . we can work out the different strategies to move them off [legacy systems] as soon as possible.”