Legacy Systems Security: Why Keeping Current is Critical
Legacy systems house essential information for insurers, but they can also pose a security risk. The older a legacy system becomes, the less likely it is to receive vendor security patches or to support current protocols and security tooling, leaving it exposed to newer attacks. Older legacy systems are also less likely to have the original developers or documentation available for reference.
Legacy systems are those that are no longer supported by their developers or that can’t meet current compliance standards, says Miriam Cihodariu, communications and PR officer at Heimdal Security. They can be operating systems or platforms designed for internal use, as well as customer-facing software.
Insurance companies don’t have to throw out their legacy systems entirely. Insurers do, however, need to ensure that legacy systems have the data security they need to comply with applicable regulations and to protect customers and the company from exposure.
Why Insurers Need to Address Legacy System Security
Cybercrime is big business. Hacking and similar acts cost the global economy $3 trillion in 2015 and are projected to cost up to $6 trillion per year by 2021, says Cybersecurity Ventures founder Steve Morgan. A study by University of Maryland associate professor Michel Cukier estimates that hackers attack a computer system somewhere in the world every 39 seconds on average.
Legacy systems, with their outdated or noncompliant setups, offer easier access for those looking to steal insurance company data or cause digital mischief.
Why do organizations love their legacy systems?
Legacy systems are in common use in businesses and other organizations worldwide. Often, organizations continue to use outdated software because that software serves as life support for critical systems or information.
For example, when Microsoft ended support for Windows XP in April 2014, the U.S. Department of Defense reached out to seek continued support while the Pentagon transitioned to Windows 10. Approximately 30 percent of computers worldwide were still running Windows XP in 2014, including a number of critical U.S. military systems, according to tech journalist Jeremy Hsu.
Organizations may also choose to continue using legacy systems in order to maximize the value of their investment in the software and its maintenance. “When investing in infrastructure, organizations do so with the expectation of getting a certain duration out of the product. This life cycle becomes part of multi-year amortized budgets and business plans that financial officers are loath to depart from unless absolutely necessary,” says Jaime Manteiga, information security researcher and founder of Venkon.us.
Finally, legacy systems may be maintained because they are custom-built pieces of software that do exactly what the business needs, adds Manteiga. Replacing these custom systems can be expensive and difficult.
The fact that a legacy system is common, valuable or indispensable, however, doesn’t mean it’s risk-free. Often, insurance companies find themselves using legacy systems that pose significant security risks, because there is no better option. For instance, a major platform may not have a functional replacement, or a piece of software works but doesn’t comply with the latest security laws or regulations. In these cases, attention to legacy system security is a must.
An easy in.
It’s easy to see how outdated security on a legacy system can imperil the information stored within that system. These systems, however, also pose risks to every other system on an insurance company’s network.
For example, imagine an insurer whose information systems include a server with a fifteen-year-old operating system that contains a publicly known, unpatched vulnerability. That vulnerability, if left unaddressed, becomes an open door for unauthorized access.
“If attackers gain access to this one unpatched machine (which is much easier than hacking a modern, well-patched server), they can laterally move deeper into the network,” explains Lior Neudorfer, vice president of products at data center and cloud security company Guardicore.
This example isn’t entirely imaginary. In May 2019, Microsoft released a security patch for Windows XP and Windows Server 2003, an unusual step for operating systems whose support had ended years earlier. While both operating systems are approaching their 20th birthdays, they’re still being run as part of many organizations’ IT systems, write Daniel Goldberg and Ophir Harpaz at Guardicore.
Attackers routinely seek the least secure nodes on a network in order to gain access. In one famous example, hackers used a smart fish tank sensor to access the network in a Las Vegas casino, eventually breaching a database of information on the casino’s patrons — data the casino had thought was secured.
“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” says Justin Fier, director for cyber intelligence and analysis at cyber AI company Darktrace.
Like fish tanks, legacy systems can represent the weakest part of an insurance company’s network, rendering the entire IT infrastructure vulnerable.
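The two scenarios above (an unpatched legacy server used as a foothold, and a low-trust device scanning the network before moving laterally) share a detectable signature: a host that should only talk to a handful of known peers suddenly fans out to many internal hosts. The script below is an added example written for this page, not code from the original article or from any vendor quoted in it. It parses a constructed connection-log format (the field layout, the hypothetical legacy-host allowlist and the IP addresses are all assumptions made for illustration) and flags both allowlist violations by designated legacy hosts and scan-like fan-out from any host.

```python
"""
Added example: spotting scan-like fan-out and allowlist violations from a
legacy host in connection logs.

The log format, the IP addresses and the allowlist policy below are
constructed for this example; they are not taken from any real product.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample log: a legacy file server (10.0.5.23) that is only
# supposed to talk to the backup host (10.0.1.10) begins sweeping the
# 10.0.2.0/24 segment on SMB, RDP and SSH ports. 10.0.7.4 is a normal host.
SAMPLE_LOG = """\
2019-05-20T10:00:01Z src=10.0.5.23 dst=10.0.1.10 dport=445 proto=tcp
2019-05-20T10:00:05Z src=10.0.7.4 dst=10.0.1.10 dport=443 proto=tcp
2019-05-20T10:02:10Z src=10.0.5.23 dst=10.0.2.11 dport=445 proto=tcp
2019-05-20T10:02:11Z src=10.0.5.23 dst=10.0.2.12 dport=445 proto=tcp
2019-05-20T10:02:11Z src=10.0.5.23 dst=10.0.2.13 dport=3389 proto=tcp
2019-05-20T10:02:12Z src=10.0.5.23 dst=10.0.2.14 dport=445 proto=tcp
2019-05-20T10:02:13Z src=10.0.5.23 dst=10.0.2.15 dport=22 proto=tcp
2019-05-20T10:02:14Z src=10.0.5.23 dst=10.0.2.16 dport=445 proto=tcp
2019-05-20T10:30:00Z src=10.0.7.4 dst=10.0.3.9 dport=443 proto=tcp
"""

# Hypothetical policy: hosts designated as legacy, and the only peers each
# is permitted to contact. A legacy box that cannot be patched should at
# least be fenced in this way and watched for deviations.
LEGACY_ALLOWLIST = {
    "10.0.5.23": {"10.0.1.10"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return events


def allowlist_violations(events, allowlist=LEGACY_ALLOWLIST):
    """Return every connection from a legacy host to a peer it may not contact."""
    findings = []
    for e in events:
        allowed = allowlist.get(e["src"])
        if allowed is not None and e["dst"] not in allowed:
            findings.append({"ts": e["ts"], "src": e["src"],
                             "dst": e["dst"], "dport": e["dport"]})
    return findings


def fanout_alerts(events, max_hosts=5, window_seconds=60):
    """Map each source that reaches more than max_hosts distinct destinations
    within any window_seconds-long sliding window to the largest such count.
    This is the scan-like pattern that precedes lateral movement."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(e["dst"])
            if len(hosts) > max_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in allowlist_violations(evs):
        print(f"ALLOWLIST  {f['src']} -> {f['dst']}:{f['dport']} at {f['ts']:%H:%M:%S}")
    for src, n in fanout_alerts(evs).items():
        print(f"FANOUT     {src} reached {n} distinct hosts within 60s")
```

The allowlist check fires on the first out-of-policy connection, so it catches a compromised legacy host before a full sweep is visible; the fan-out check needs no per-host policy and would also have flagged a device like the casino's fish tank sensor. Thresholds of five hosts in sixty seconds are illustrative and should be tuned against a baseline of what each segment normally does.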
Data Security Challenges on Legacy Systems
Legacy systems frequently lie at the center of data security challenges. “Legacy IT systems are often at the heart of cyber breach incidents, and because decommissioning is usually not an option, information security professionals need to manage the risk,” says Bobby Ford, vice president and global chief information security officer at Unilever.
Legacy systems pose a number of challenges for IT teams. For instance, new software updates, including security patches, are harder to apply to older systems. A legacy system may also lack adequate documentation of its existing security controls. Without this documentation, IT teams find it harder to add firewalls, encryption units, malware detectors and other security tools, writes senior engineer Susan Crozier Cox at the Carnegie Mellon University Software Engineering Institute.
In addition, IT teams face increased pressure when attempting to keep a legacy system secure. Not only does the team need to stay current on ever-changing security risks and tools, they must also ensure that those risks and tools are understood and adapted correctly in the context of a legacy system — the same system for which adequate documentation may not exist.
All these challenges can make legacy systems daunting to maintain and secure. At the same time, the financial and operational costs of switching to an entirely new system can seem just as daunting.
Best Practices for Legacy Systems Security Updates
Legacy systems often play a key role in a P&C insurer’s day-to-day business. Following best practices for updating and preserving legacy system security can help insurance companies ensure they can use their legacy system data safely.
Work as a team.
Legacy system security requires the help of experienced IT security professionals, but the project cannot be left solely in their hands. Instead, security professionals and business professionals must work together.
“The role of security professionals is to assess the likelihood and potential impact of a cyber attack, while the role of business [professionals] is to identify what systems and processes are the most critical,” explains Ford.
Expand your security horizons.
Many insurance companies are seeking to build business ecosystems, partnering with other companies to place the insurer exactly where they need to be to help customers at every stage of their life journey.
A number of technologies support the creation of ecosystems, such as the use of application programming interfaces (APIs) to connect software and systems for improved data transfer and sharing. When legacy systems are included in an API-driven ecosystem, however, the process becomes more complex — especially when guidelines for securing legacy technology are lacking, writes Shuvo G. Roy, head of banking and capital markets solutions at Mphasis.
Legacy systems needn’t stop an insurance company from building a viable ecosystem. Insurers and their ecosystem partners will benefit, however, from considering the additional security challenges that arise when legacy systems enter the equation.
The costs of upgrading to a new platform can seem overwhelming. However, they can be considerably lower than the costs of continuing to nurse along an outdated legacy system.
For example, a GAO report estimates that about 80 percent of the federal government’s $90 billion IT budget is spent on operating and maintaining older systems, including legacy systems that may be more than fifty years old in some cases. Over time, legacy systems consume parts of any organization’s budget that might be better spent on upgrading new technologies. Faced with the cost of upgrading, some companies turn to firmware patches to modernize legacy systems. While patches can be effective in some cases, the practice often ends up costing more over time than an upgrade would, say Vertiv’s David Dedinsky and Ricardo Duque.
“Systems aren’t optimized, which leads to alarmingly low utilization rates and inefficient zombie servers,” they write. Firmware patches can help a legacy system limp along, but do not address the underlying issues that make the legacy system a poor choice for continued investment.
Options like wraparound systems can help insurance companies improve efficiency and continue to serve customers while they work on security measures and upgrades, says Kumar Utpal, regional sales manager for banking and insurance at In2IT. When security takes priority, insurance companies can find ways to use their existing investment while also phasing in up-to-date technologies.