Your systems are making you vulnerable to cyberattacks

When you've got legacy systems, how do you ensure you're up to speed on cybersecurity?
20 July 2018

Travis Greene, Director of Cross-Portfolio Strategy at Micro Focus. Source: Micro Focus.

Companies have built up their digital infrastructure, piece by piece, over the past several decades.

As a result, the kind of cybsersecurity they can adopt differs from one piece to the next. It’s one of the main reasons many of the big companies with legacy systems remain vulnerable to cyberattacks.

Can this be fixed? Sure. Does it need to be fixed all at once? Not at all. In an exclusive interview with Micro Focus Director of Cross-Portfolio Strategy Travis Greene, TechHQ learned about what ails existing business infrastructures and how companies can go about fixing it themselves.

The use of legacy systems does not necessarily render businesses more vulnerable to cyberattacks. Having a solid cybersecurity strategy, alongside a key understanding of the type of system being used and its underlying risks, can reduce the risk of a successful attack.

It is essential that businesses run maintenance checks and implement updates and patches in a timely manner.

The Equifax breach, for example, exemplifies the importance of system patches — where the breach resulted from the company’s failure to implement a patch available two months ahead of the breach.

Given that legacy systems often require a specific technical environment and hardware, it is important that companies that utilize such systems set aside a budget for maintenance spending as well.

However, today’s IT environments is comprised of different elements, from conventional, on-premise data centers, to private clouds. This is known as ‘hybrid IT’.

Very often, cyber security in such environments is treated as a separate element. New environments, which create a completely different attack surface, require integrated security approaches and appropriate solutions.

“It’s important that the fast-pace of innovation doesn’t push cybersecurity down the priority list,” emphasized Greene.

Organisations may face the challenge of justifying the spending of additional finances and resources on security solutions after having invested in innovative solutions and revamping their IT infrastructure.

Even though it’s not always easy to justify extra spending to those outside of day-to-day IT and security operations, companies have to correlate resources with the evolving threat landscape.

Companies must remember that the cost of malicious cyber activity is always enormous. According to a 2018 report by the White House, for example, such activity cost the U.S. economy between US$57 billion and US$109 billion in 2016.

If the budget remains tight, they should focus on identifying opportunities to improve current programs and infrastructure in ways that can make a significant impact.

For example, compliance can drive the budget for security, but implementation should be focused on reducing risk, with compliance as a by-product.

For a lot of organizations, getting rid of legacy IT infrastructure doesn’t make business sense and increasingly they ‘add’ new solutions to their existing environments.

Given the speed of innovation, the key challenge with new, disruptive solutions is that security protection is not the priority while they’re being developed. If you consider the fact that these solutions are increasingly being connected to infrastructure that might not be up to today’s security demands, we are faced with a significant security gap that could affect many enterprises.

In order to protect their infrastructure from evolving changes and targeted attacks, businesses need to apply policies and controls consistently across all of their environments – on-premises or in the cloud.

Many organizations have trouble knowing who has access to all of the cloud apps that their employees use, for example, even if they have stronger access management and governance for apps hosted in their own data center.

In addition to developing policies and controls, organizations should develop a more data-centric security strategy, moving their protection closer to the point of risk.

“Instead of focusing on securing everything, they should start protecting what matters most – the data,” explained Greene.

With recent attacks and strict legislation implemented across different geographies, it’s crucial to have a full awareness where the sensitive data is stored, have policies for handling it, implement technical controls and educate the users who handle the data on the current threats.

McAfee CEO Christopher Young hit the nail on the head when he said, “security cannot be an aftermarket or afterthought in the world of connected devices. Companies need to make cybersecurity the new quality.”