Legacy IT systems a significant security challenge

Information security professionals need to work closely with the business to identify critical legacy IT systems to ensure security risks are managed effectively, CISO tells Infosecurity Europe

Legacy IT systems, some dating back to the 1970s, pose a significant business risk to all industries and government, with cyber threats evolving faster than security teams’ ability to update those systems, Bobby Ford, global chief information security officer (CISO) at Unilever, has warned.

“When we talk about business risk, we are not talking about negative impacts to staff productivity, but about the failure of systems resulting in a company’s inability to manufacture goods, to ship products and raise invoices,” he told attendees of Infosecurity Europe 2019 in London.

As legacy IT systems age, said Ford, the security risks increase, compounded by the fact that many of these systems are critical to the business and often cannot be decommissioned or replaced because of high costs, complexity or lack of suitable alternatives.

“Legacy IT systems are often at the heart of cyber breach incidents, and because decommissioning is not usually an option, information security professionals need to manage the risk by working closely with key business stakeholders to identify all critical systems and the systems that support them,” he said.  

The next step, said Ford, is to understand which are the most critical systems. “The role of security professionals is to assess the likelihood and potential impact of a cyber attack, while the role of business [professionals] is to identify what systems and processes are the most critical,” he said.

Once security professionals understand what systems are critical, Ford said they would be able to prioritise and plan which ones to update and patch to make them secure. “This should be the objective of all information security professionals as business risk managers.”

However, he said, not all legacy systems can be patched and updated. “These systems then need to be placed on a network segment of their own, so that all data flows involving these systems can be strictly controlled.”

If a security issue is detected, Ford said careful network segmentation meant organisations would be able to lock down any affected legacy IT systems and contain any compromises or infections.

Finally, he said, organisations should monitor all legacy systems closely for any anomalous activity and other potential indicators of compromise to enable rapid detection and response. 
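As an added illustration of Ford's last two points (this is example code, not material from the talk or from Unilever), the script below checks constructed flow records involving an isolated legacy segment against an explicit allow-list and reports every flow that falls outside it; the segment, the permitted peers and the sample flow lines are all assumptions.

```python
import ipaddress

# Assumed: the legacy systems live in their own segment (constructed example values).
LEGACY_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Allow-list of (direction, peer network, protocol, port) for the legacy segment.
# Any flow touching the segment that is not listed here is treated as an anomaly.
ALLOWED_FLOWS = [
    ("in",  ipaddress.ip_network("10.10.0.0/24"), "tcp", 1433),  # ERP front end -> legacy DB
    ("out", ipaddress.ip_network("10.20.0.5/32"), "tcp", 514),   # syslog to the SIEM collector
    ("out", ipaddress.ip_network("10.20.0.9/32"), "udp", 123),   # NTP
]

# Constructed flow records, one per line: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2019-06-05T09:00:01 10.10.0.14 10.50.0.7 tcp 1433
2019-06-05T09:00:02 10.50.0.7 10.20.0.5 tcp 514
2019-06-05T09:00:05 10.50.0.7 10.20.0.9 udp 123
2019-06-05T09:01:10 10.50.0.7 203.0.113.40 tcp 443
2019-06-05T09:01:12 10.50.0.7 10.10.0.22 tcp 445
2019-06-05T09:02:00 10.30.0.3 10.50.0.7 tcp 22
"""

def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def is_allowed(src, dst, proto, dport):
    """True if the flow does not touch the legacy segment, or matches the allow-list."""
    if src in LEGACY_SEGMENT:
        direction, peer = "out", dst
    elif dst in LEGACY_SEGMENT:
        direction, peer = "in", src
    else:
        return True  # does not involve the legacy segment; out of scope here
    return any(direction == d and peer in net and proto == p and dport == port
               for d, net, p, port in ALLOWED_FLOWS)

def find_anomalies(flow_text):
    """Return (ts, src, dst, proto, dport) for every flow outside the allow-list."""
    anomalies = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        if not is_allowed(src, dst, proto, dport):
            anomalies.append((ts, str(src), str(dst), proto, dport))
    return anomalies

if __name__ == "__main__":
    for anomaly in find_anomalies(SAMPLE_FLOWS):
        print("ANOMALY", *anomaly)
```

On the sample data the three flagged flows are the legacy host reaching an external address, the legacy host opening SMB to a corporate workstation, and an unapproved inbound SSH attempt; the same allow-list is what the segment's firewall should enforce, so each hit is either a rule gap or an incident.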
