The insider threat – are legacy systems the weakest link?

Over the past 10 years there have been plenty of examples of the type of impact that a security breach or flaw can have on organisations, both big and small. As companies beefed up the security around their networks and data to keep out the increasingly sophisticated external threat, so the warnings of the insider threat have also increased.

The usual suspects

Often employees inside the firewall are the cause of data breaches and security lapses. Whether this is accidental or intentional, companies are now having to come up to speed quickly and deal with it.

Ensuring employees have a good understanding of the systems and processes for managing their devices, USBs, passwords and applications helps cut down the threat of accidental lapses at least.

There is, however, aside from the user, another key vulnerability that is often ignored by organisations when they look at the ‘insider threat’: legacy technology.

High cost of legacy

The investment made in technology often runs into millions of pounds, making the task of updating or replacing it a difficult or even prohibitive one for most companies. However, the older the technology, the less chance there is that it is up to dealing with sophisticated threats, both external and internal.

Much of it will have been more than up to the task at the point of implementation, but as the years have rolled on, the threats now facing organisations and their networks have become unrecognisable. The systems that companies rely on would not have been built for the integrations that are now necessary.

Equally, mobile strategies can be a gateway for hackers looking to access data, especially those strategies that cannot integrate with legacy systems.

Some industries still rely on spreadsheets as a crucial aspect of their day-to-day business. These often crash and can certainly more easily fall into the wrong hands when compared with the more up-to-date systems.

Another issue associated with legacy systems is the frustration that some departments feel when dealing with them. This often leads individual departments to download cloud apps outside of the control of the IT department. This creates huge risks, as the app is not integrated, not inside the firewall and not even on the radar of the IT team.

So the cost of replacing systems is prohibitive, and yet legacy systems are causing a real headache to IT departments up and down the country.

The key is understanding the complexities behind the legacy system. This can help ensure that systems continue to be a useful and secure element of your business. How do you know if your legacy systems are an insider threat?

Skills gap

As those who implemented what is now considered to be legacy technology, or at least were around when the technology was installed, come to the end of their careers, the skills gap they leave behind is vast.

Those left in IT departments across the public and private sectors have no knowledge of, nor any interest in learning about, out-of-date code or technology. This causes real issues from an internal perspective.

You can build the protective walls surrounding your networks as high as you like, but if the supporting technology is seriously out-of-date and not effectively managed, there are going to be easy access points throughout.

Organisations across sectors are facing this issue. With rip and replace an expensive and often cost-prohibitive method, there is plenty of head scratching going on within IT departments.

Safeguarding your legacy

There are, however, a number of simple steps that organisations can undertake to help mitigate the risk, stabilise systems, improve performance of existing systems and protect their business from an increasing form of insider threat.

• Consider a data security audit to identify where data is located and how it is managed and processed. Understanding legacy systems is crucial, especially with GDPR less than a year away; getting older systems in line with regulation is more important than ever.

• A system health check is another cost-effective way of measuring the level of vulnerability within legacy systems. This type of software consultancy also helps organisations take the appropriate remedial actions to get legacy systems ready for future growth.

• Manual processes continue to put businesses at risk. By taking the step to automate them, companies can help to mitigate this. Data visualisation tools like Power BI can consolidate data from all sources to produce dashboards quickly and easily. It is crucial, though, that systems output that data securely and are ready to connect.

• Business process mapping (BPM) can also help work out where there are potential problems and inefficiencies within legacy technology. This allows organisations to put fixes in place before there is an impact on the wider business.

The insider threat has been talked about a great deal over the past couple of years, but so often it is focused on the faults or criminal intent of employees.

However, whilst legacy technology remains in place, unmanaged, it remains as much of a threat as those who are using it, and a combination of both user error and legacy often leads to insurmountable problems for organisations from both a technological and reputational standpoint.


Sourced by Anthony Peake, MD at Software Solved


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...