In the nooks and crannies of many company server rooms there are still devices running, the rebooting of which raises legitimate concerns. Office workstations run applications with interfaces that remember decades gone by.
They are the quiet heroes of everyday work – systems that simply get the job done. The question remains, however, when is such a technological veteran a valuable, stable monument, and when does it become a ticking time bomb that can put the entire organisation at serious risk?
Legacy systems, referred to in the industry as legacy, are in place in companies for a number of reasons. Sometimes this is determined by budget constraints, and sometimes by their critical importance to critical processes, making replacement seem an extremely complex operation.
The problem is that age in technology is not just a metric. It’s often a lack of vendor support, a failure to patch known security vulnerabilities and an architecture designed at a time when the cyber threat landscape looked very different.
This article provides a practical guide to diagnose risks and implement mitigating actions in a few steps, without the need for an immediate and costly revolution.
A key action, with which the whole process begins, is a reliable inventory. It is impossible to effectively protect assets whose existence is not fully known. Therefore, the first step in regaining control is to create an inventory of technological veterans.
It is worthwhile for such a register to include their name, age, date of last update and their role in the company. Just being aware of your assets is half the battle and a solid foundation for further thoughtful action.
Next, it is worth asking fundamental questions about risk analysis. Not every old system poses the same risk. The key is its connection to the rest of the network and the internet. An old computer with a database running fully offline is a very different case from an unpatched production control system connected to the company network.
It is important to assess whether the device is connected to the internet, whether it communicates with other systems and what data it processes. The answers to these questions allow proper prioritisation.
Diagnosis should go even deeper, all the way to the software supply chain. Sometimes a threat is hidden in a seemingly modern solution that under the hood uses old, unsupported components.
The so-called SBOM (Software Bill of Materials), a transparent ‘list of components’ of software, is becoming increasingly important in the industry. It is good practice to verify with suppliers which technologies their products are based on, as a new interface does not always guarantee modern and secure code.
Once the picture is clear, countermeasures can be implemented. Often the quickest results come from taking care of basic digital hygiene. These are absolute foundations that are easily forgotten in the daily rush.
Actions in this area include changing all default or weak passwords, systematically reviewing lists of users with access and disabling unused ports and services that may provide an unnecessary gateway for attackers.
For systems that cannot be updated for fear of failure, isolation is an effective solution. One can use the analogy of a valuable but fragile exhibit in a museum that is placed behind armoured glass.
In the IT world, a firewall or network segmentation mechanism is such a protective barrier. Isolating a critical but vulnerable system from the rest of the company’s infrastructure, especially the internet, drastically reduces potential attack vectors.
The final piece of the puzzle is to implement continuous monitoring. Even the best-secured assets are worth keeping a close eye on. In practice, this comes down to the use of intrusion detection systems (IDS).
To use another analogy, they act as a ‘smoke detector’ for infrastructure. They may not put out a fire, but they will immediately raise the alarm as soon as there is a threat, giving valuable time to react before an incident escalates into a major crisis.
An old system does not have to be either a worthless antique or a ticking bomb. It should be a consciously managed part of the corporate ecosystem. The key is not to panically replace everything that is more than a few years old, but to proactively and wisely manage your technological heritage.
The starting point for these activities can be the aforementioned stocktaking – a process that, with little effort, provides a great deal of knowledge and lays the foundation for a more secure future for the organisation.
