Out of Date Systems Can Lead to Security Issues and Business Interruptions
February 25, 2019
By Afzal Bashir, CISO, Versatile Inc.
There are many outdated systems, such as Windows 7 for clients and Windows 2008 for servers, that are running key areas of companies’ businesses. Some are still even using Windows XP, Windows Server 2003, Office 2007, Outlook 2007 and other proprietary software that is no longer supported. It’s challenging to keep track of all IT assets (software/hardware) when the business doesn’t have an enterprise-level asset management program or a proper change management process.
Most IT teams know the importance of unsupported systems and lifecycle management, but with competing priorities, the approach of “if it’s not broken” is often taken with legacy systems. However, once these systems lack support, operations become vulnerable and are no longer safeguarded from risks.
Security, compliance, and compatibility are fundamental to business operations. IT assets should be part of a change management process to reduce business interruptions and financial risks. Unsupported assets can be a major risk causing incompatibility issues and/or hindering a competitive edge, leading to security issues or even a data breach.
Planning for end of life is not easy, especially for proprietary systems. When the software or hardware lacks support, bug fixes, and security patches, security can be easily compromised by bad actors who attempt to find exploits, knowing vulnerabilities cannot be patched. It’s not just the systems running the unsupported software that are vulnerable; the entire infrastructure becomes vulnerable. When an unpatched system is infected with a virus or malicious code, it becomes the ‘evil intruder’ on your infrastructure, and the problem can quickly compound across the network. Viruses or malicious code often move laterally and can impact even the latest operating systems if those systems have not been patched or do not have virus/malware protection. For example, if you leave one outside door open in a building, all other unlocked offices in that building are now at risk. Doing nothing can lead to an extended operational outage and financial loss.
Compliance and audit are other concerns for manufacturers. Written requirements in many governmental regulations relate directly to the concept of keeping software solutions current. Equipment must adhere to required levels of certification and is subject to either industry or government regulations around privacy and security. Businesses using unsupported software may find themselves out of compliance with regulated industry or regulated data mandates, and perhaps fail their audits. Removing non-supported software and hardware greatly helps in meeting compliance and audit objectives. Often businesses focus on compliance after the audit, which can possibly lead to severe legal consequences or penalties.
New versions of applications are innovative and are being continually released and optimized to work with the latest operating systems (OS). Using the latest applications on an old OS such as Windows XP or Windows Server 2003 will not always perform as intended or may not function at all. Continuing to use a legacy application on an unsupported OS may lead to vulnerable systems, ultimately producing both poor performance and poor reliability.
Asset and change management, along with planning, are key success factors to decommissioning a legacy asset. Part of the planning requires keeping focus with your vendors as to when assets will lose support. It’s important to have the business stakeholders involved early to ensure they are aware of the risks and are committed to the migration process.
Many factors must be considered when planning: pricing models, types of licenses, training required, frequency of upgrades, annual maintenance, implementation timeframes, consulting services, hosting infrastructure, upgrade cycles, and total cost of ownership, to name a few.
Process resiliency and operational efficiency will safeguard a manufacturer’s productivity and ensure production runs at full capacity. Production downtime translates to financial loss and greater loss when critical process failure occurs, given the time to rebuild and restart. Malfunctions or production issues at plant sites can cause harm by delayed deliveries or problems with product quality.
Planning Keeps the Business Running Smoothly
Manufacturing engineers are trained to meet quality production schedules but are not expected to have the same level of expertise in IT. Consequently, an end-to-end turnkey IT outfit can ensure everything is executed correctly.
Manufacturers should address their unsupported systems early on and work with vendors and partners who can provide guidance and handle operability, reliability, and integrity for multiple technologies, equipment, software and hardware. This is further impacted by interoperable systems that support the use of multiple vendors and application versions.
A software/hardware migration can represent a massive business investment, making a migration project an inevitable consequence of aging software systems. With the right planning, this can become a worthy improvement to the business, achieving the key objectives in terms of better performance, security, reliability, seamlessly integrated operations and competitive edge.
About the Author
Afzal Bashir is Chief Information Security Officer for end-to-end IT solutions provider Versatile Inc. (www.weareversatile.com). He is an experienced IT leader in the field of information security with a broad skill set across risk, privacy and technology services.
Afzal previously worked for Steward Health Care as Director of Information Security and Risk Management. Previously, he held various IT management positions for Dunkin’ Brands.