Vulnerability Management

Looming retirement of legacy system custodians puts global IT systems at risk

Government IT systems and critical infrastructure systems around the world are at risk due to legacy technology and the pending retirement of those who have historically maintained these older systems.

According to the BDO Cyber Threat Insights report, 20 to 50 percent of the U.S. General Services Administration’s mission-critical IT staff will be eligible to retire by 2024, and 66 percent of U.K. companies have too few cybersecurity personnel, with only 12 percent of the U.K. cybersecurity workforce under 35 years old.

Worldwide, Gen X and Baby Boomers make up 49 percent of the cybersecurity workforce. 

Researchers point out that legacy systems built 20 years ago used proprietary technology with a lifecycle of at least 15 years, and that 46 percent of British local authorities’ systems still run outdated software dating back to 2000.

Organizations must also weigh the risks of blanket re-platforming public services’ legacy systems in the name of better cybersecurity: because these systems have become inextricably intertwined over the decades, the consequences of wholesale replacement are hard to predict.

“In April 2018, TSB transferred its customers’ accounts from Lloyds Bank systems to its new Proteo4UK core banking system,” the report said. “Customers began to experience serious problems with their mobile and Internet banking services. During the outage, customers were locked out of their accounts and saw money disappear from online accounts.”

Companies that maintain the status quo will likely face rising costs for keeping older systems running. In the U.S. government alone, maintenance and operations of legacy systems accounted for 70 percent of the total IT budget, or $85.2 billion, in fiscal year 2018, up from 68 percent in fiscal year 2015.

In addition to costs, many of these systems are vulnerable to attack.

“It’s understandable that BDO reached these conclusions - many government agencies don’t even know exactly what is on their networks,” Kevin Bocek, chief cyber security strategist at Venafi, told SC Media. “So, it’s pretty reasonable to assume those networks are not as secure as we need them to be.”

Bocek added that government agencies struggle with basic security hygiene, and that their under-resourced security teams lack the automated tools that would allow them to protect very complex networks.

“For example, during the recent government shutdown, over one hundred government websites failed when TLS digital certificates expired,” Bocek said. “If these agencies had automated solutions that could reissue, install and validate new certificates, the government probably would have been able to get through the shutdown much more easily.”
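The certificate failure Bocek describes is the kind of lapse a scheduled check catches weeks in advance. The following Python script is an added example, not code from the article, BDO or Venafi: it connects to each host with the platform trust store, treats a failed handshake as an alert in its own right (an already-expired certificate never reaches the expiry arithmetic, because verification rejects it first), and otherwise grades the remaining validity against warning and critical thresholds. The thresholds and the hostnames in the `__main__` block are assumptions; substitute the real inventory of public endpoints.

```python
"""Expiry sweep for TLS certificates: which hosts go dark next, and when.

Added example for illustration. Hostnames and thresholds below are assumptions.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import List, Optional

WARN_DAYS = 30       # assumed policy: start reissuing at least a month out
CRITICAL_DAYS = 7    # assumed policy: escalate inside the last week


def parse_not_after(not_after: str) -> datetime:
    """Turn the 'notAfter' string from SSLSocket.getpeercert() into an aware UTC datetime.

    The ssl module reports OpenSSL's text form, e.g. 'Jun  1 12:00:00 2019 GMT',
    which ssl.cert_time_to_seconds() parses.
    """
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(cert: dict, now: datetime,
             warn_days: int = WARN_DAYS, critical_days: int = CRITICAL_DAYS) -> dict:
    """Rate one certificate dict (getpeercert() shape) against a clock.

    Returns the status, whole days left (negative once expired) and the DNS
    names that stop working when the certificate lapses. Works on cached
    inventory entries too, which is where EXPIRED can still show up.
    """
    expires = parse_not_after(cert["notAfter"])
    remaining = expires - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=critical_days):
        status = "CRITICAL"
    elif remaining <= timedelta(days=warn_days):
        status = "WARNING"
    else:
        status = "OK"
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "status": status,
        "days_left": remaining.days,
        "expires": expires.isoformat(),
        "names": names,
    }


def check_host(host: str, port: int = 443, timeout: float = 5.0,
               now: Optional[datetime] = None) -> dict:
    """Fetch the leaf certificate from a live host and classify it.

    The default context verifies chain and hostname, so a certificate that is
    already expired (or otherwise untrusted) fails the handshake; that is
    exactly what browsers hit, so it is reported as INVALID rather than raised.
    """
    now = now or datetime.now(timezone.utc)
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                result = classify(tls.getpeercert(), now)
    except ssl.SSLCertVerificationError as exc:
        result = {"status": "INVALID", "days_left": None, "expires": None,
                  "names": [host], "error": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        result = {"status": "UNREACHABLE", "days_left": None, "expires": None,
                  "names": [host], "error": str(exc)}
    result["host"] = host
    return result


def sweep(hosts: List[str], now: Optional[datetime] = None) -> List[dict]:
    """Check every host and return the worst cases first."""
    order = {"INVALID": 0, "EXPIRED": 0, "CRITICAL": 1,
             "WARNING": 2, "UNREACHABLE": 3, "OK": 4}
    results = [check_host(h, now=now) for h in hosts]
    return sorted(results, key=lambda r: (order[r["status"]], r["days_left"] or 0))


if __name__ == "__main__":
    # Hypothetical inventory; replace with the real list of public endpoints.
    for r in sweep(["www.example.gov", "portal.example.gov"]):
        print(f'{r["status"]:<11} {r["host"]:<25} days_left={r["days_left"]} {r.get("error", "")}')
```

Run it from cron or a pipeline and page on anything other than OK. Note the asymmetry: the live check can only ever return INVALID for a lapsed certificate, because the verified handshake fails before `getpeercert()` is consulted; the EXPIRED and CRITICAL grades are what you see when the same `classify()` runs over a stored certificate inventory ahead of time, which is the point of the exercise.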

Colin Bastable, CEO of Lucy Security, added that the problem will be more prevalent in government, where people stay in their jobs for long stretches because of pensions and job security.

“The speed of change in the cybersecurity landscape means that, to maintain their careers, people need to be committed to lifelong learning, and that requires a different approach to the management of IT systems and people,” Bastable said. “You have to add staff, or automate, to cover for those who are being trained.”
