As the number of cyberattacks on organizations continues to rise, it’s likely not if, but when your enterprise will be targeted. 68% of respondents polled in a recent Voice of the CISO report felt at risk of a material cyberattack, compared to 48% the previous year. 61% feel unprepared to cope with a targeted cyberattack, and 62% are concerned about personal liability.
Relatedly, tech debt is also increasing: a 2022 survey found that 78% of companies had taken on more of it over the previous year. And while 82% said they could assess all (or most) of their tech debt – a figure that could be contested – more than half didn’t have a formal strategy to address it. With high levels of tech debt, however, comes high risk. Tech debt – created when decision-makers opt for development shortcuts to get a product or solution out faster – impacts productivity, costs, and the customer experience if left unchecked, and can also create vulnerabilities that cyber attackers are more than ready to exploit.
Governments are Prioritizing Tech Modernization
Earlier this year, the World Economic Forum released the Global Cybersecurity Outlook 2023 report finding more than 93% of cybersecurity experts and 86% of business leaders believe a far-reaching, catastrophic cyber event is likely in the next two years. Gartner predicts worldwide government IT spending will grow by 8% in 2023 to $589.8 billion in response to global turmoil.
In March the US Government announced its National Cyber Security Strategy – a multi-year approach to technology modernization. It was previously noted that the federal government spends more than $100 billion on IT and cyber-related investments, with around 80% devoted to operations and maintenance of existing systems. A 2019 Government Accounting Office (GAO) report found that of 65 critical federal legacy systems, 10 were most in need of modernization. The systems ranged between 8 and 51 years old, and several were using older languages.
Last year, the UK Government also released a roadmap for a digital future, committing to ending its reliance on legacy infrastructure by 2025. This follows a report that it’s spending almost half of its IT budget – £2.5 million per year – on patching legacy IT systems.
The Cost of Legacy Equipment
A 2022 report estimated the cost of poor software quality in the US had grown to at least $2.41 trillion – with accumulated software technical debt having grown to $1.52 trillion. Every dollar spent on patching, reworking, and training staff on outdated systems is a dollar lost to new digital investment.
Despite this level of spending, cybercriminals continue to maximize opportunities created by software vulnerabilities and legacy infrastructure. Here are just some of the prominent attacks from the past few years:
- In May 2021, cyber attackers severely disrupted Colonial Pipeline’s operations after gaining access via a legacy VPN system without multifactor authentication. This resulted in fuel shortages impacting tens of millions of Americans, with the company paying $4.4 million to the hackers.
- Outdated infrastructure is a risk for food and agricultural companies, and it was likely the cause of the JBS cyberattack, also in May 2021, which disrupted the US beef and other meat markets and resulted in a ransom payment of $11 million.
- An attack on Advanced, a UK software and managed service provider, took down patient management software as well as the NHS 111 call services in 2022.
- A zero-day vulnerability exploited in MOVEit file transfer software this year impacted more than a thousand organizations and nearly 18 million individuals around the world, including the BBC, British Airways, Sony, EY, PwC, Shell, the US Energy Department, and the UK telecom regulator.
- UK Royal Mail international shipping was suspended, and other consumer and business services were impacted when a criminal gang launched a ransomware attack on it this year.
How Is Tech Debt Risking Your Enterprise?
To get an idea of how tech debt could be an issue for your organization, ask yourself:
How fast can we detect vulnerabilities? If you don’t address legacy systems and applications within the IT estate, each new digital capability you introduce increases complexity. Tools, databases, and systems don’t interact, so it becomes harder to see across the estate and identify vulnerabilities.
If teams can’t see what is in the IT estate, how do they know what’s unpatched or no longer supported from a performance or security perspective? At the least, you could risk non-compliance. And if they can’t visualize complex interdependencies, do you know how quickly malicious code could spread and where it could spread to?
Staff burnout and rapid turnover are common among those managing tech debt, and new staff may not have the historical knowledge to understand and manage it, opening the door to more risks.
This year, the largest non-Windows ransomware attack targeted a known vulnerability in VMware ESXi servers for which a patch had been available since February 2021. Vulnerabilities in software are constantly being uncovered: between January and April of this year, 7,489 new IT security vulnerabilities and exposures (CVEs) were discovered.
How fast can we respond? If teams can’t see vulnerabilities, they may not know that a cyberattack has occurred. Many don’t. That is what happened to T-Mobile: having already agreed to settle a class action lawsuit over a previous breach, paying $350 million to customers and committing to a two-year, $150 million security improvement initiative, the company suffered a data breach that began in November 2022 and went undetected until January 2023, impacting 37 million customers.
Plan to Secure Enterprise Data
Could cybersecurity risks spell the end of tech debt? It’s certainly a compelling reason to address it. Ask your teams if they know the full extent of the legacy tech they are supporting and, if not, to conduct a comprehensive inventory and risk assessment. Working with the business, they should then construct a plan that focuses first on the tech debt that could have the biggest impact on security (and productivity), and after gaining leadership sign-off, communicate and manage tech modernization.
This is no one-off project, however. Do you have the headcount to manage this on an ongoing basis?
Address Tech Debt and Shore Up Cyber Security Using Automation
As more users rely on digital systems, cyberattacks will have a greater impact on any enterprise. That means you can’t afford to ignore tech debt any longer, but you can break through IT estate complexity and leverage automation to make tackling it simpler, using a digital platform conductor (DPC).
A DPC connects to relevant tools, databases, and repositories and aggregates, normalizes, and analyzes the data they contain in real time. Your teams can use this to identify unpatched, outdated, or unsupported systems, as well as potential candidates for application rationalization or migration/modernization. And if there is any outdated tech the business just can’t do without, teams can see interdependencies and ringfence it from financial and other critical systems to limit the impact of any potential attack.
Teams can also use a DPC to augment cybersecurity monitoring or observability tools and enrich alerts with more data, for better decision-making. And using a DPC's orchestration capabilities, workflows are automated and digitally recorded, providing access to reports that can be shared with stakeholders, to show the myriad ways that IT is protecting enterprise data.
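To make the inventory-and-risk-assessment step concrete, here is an added example (not ReadyWorks code, and not how a DPC is implemented) that runs over a constructed inventory: it flags the legacy conditions the article describes (unpatched, out of vendor support, remote access without MFA), then walks a constructed dependency graph to see which financial or critical systems each exposed asset could reach, so remediation can be prioritized by blast radius. Host names, dates and edges are all made up.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (not real hosts): the kind of normalized view a
# DPC would aggregate from a CMDB, patch tooling and vendor support feeds.
AS_OF = date(2023, 7, 1)  # assessment date for the constructed data
ASSETS = {
    "vpn-gw":    {"role": "remote-access", "mfa": False, "eol": None,              "patched": date(2023, 1, 5)},
    "erp-db":    {"role": "database",      "mfa": True,  "eol": date(2022, 6, 30), "patched": date(2022, 6, 1)},
    "hr-app":    {"role": "application",   "mfa": True,  "eol": None,              "patched": date(2023, 6, 1)},
    "esx-host1": {"role": "hypervisor",    "mfa": True,  "eol": None,              "patched": date(2021, 1, 15)},
    "billing":   {"role": "application",   "mfa": True,  "eol": None,              "patched": date(2023, 6, 10)},
}
CRITICAL = {"erp-db", "billing"}  # financial/critical systems to ringfence
# Directed dependency edges: compromise of the source can spread to the target.
EDGES = [("vpn-gw", "hr-app"), ("hr-app", "erp-db"), ("esx-host1", "billing"),
         ("esx-host1", "erp-db"), ("billing", "erp-db")]

def exposure_reasons(asset, today, max_patch_age_days=90):
    """Flag the legacy conditions the article names: unpatched, unsupported, no MFA."""
    reasons = []
    if (today - asset["patched"]).days > max_patch_age_days:
        reasons.append("unpatched")
    if asset["eol"] is not None and asset["eol"] < today:
        reasons.append("unsupported")
    if asset["role"] == "remote-access" and not asset["mfa"]:
        reasons.append("no-mfa")
    return reasons

def reachable_critical(start, edges, critical):
    """Breadth-first walk of dependencies: which critical systems could a compromise reach?"""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted((seen - {start}) & critical)

def prioritize(assets, edges, critical, today):
    """Rank exposed assets by how many critical systems they could expose, then by name."""
    rows = []
    for name, asset in assets.items():
        reasons = exposure_reasons(asset, today)
        if reasons:
            rows.append((name, reasons, reachable_critical(name, edges, critical)))
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))
```

Calling `prioritize(ASSETS, EDGES, CRITICAL, AS_OF)` on the constructed data ranks the unpatched hypervisor first (it can reach both critical systems), then the MFA-less VPN gateway, then the unsupported database itself.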
Book a demo with ReadyWorks to understand how a digital platform conductor can help you address tech debt and shore up cybersecurity for your enterprise.