In the classic Only Fools and Horses scene, Trigger proudly reveals he has used the same broom for 20 years, boasting: “This old thing has had 17 new heads and 14 new handles!”. Much like Trigger’s broom, legacy IT systems, some dating back to the 1970s, are often held together with sticky plaster fixes, posing a significant business risk. Cyber threats are evolving faster than security teams’ ability to update systems, and the same problem exists in the private and public sectors, across all industries.

The threat of legacy IT systems

As explained by Bobby Ford, global chief information security officer (CISO) at Unilever: “Legacy IT systems are often at the heart of cyber breach incidents, and because decommissioning is not usually an option, information security professionals need to manage the risk by working closely with key business stakeholders to identify all critical systems and the systems that support them.” Without heeding Ford’s advice, IT bosses lumbered with legacy systems can’t always know what data sits where, who owns it, and who even knows it exists, let alone who is able to access critical data, leaving the organisation exposed to a potential data breach. Under GDPR regulations, UK companies stand to be fined up to £17.5 million or 4% of annual global turnover – whichever is greater – for infringements, in addition to loss of business, inability to operate, and irreparable damage to brand reputation and trust. That’s why it’s critical that legacy systems aren’t forgotten about. When legacy systems don’t get as much attention as recently refreshed IT, they are easily forgotten, and cyber security updates stop. When these updates stop, legacy systems no longer receive critical patches for the latest threats making them extremely vulnerable to hackers and malware. As cyber-attacks evolve and get ever more sophisticated, malware can live undetected for as long as six months, extracting hundreds of thousands of lines of data.

Increasing risk

The two biggest challenges – particularly within Central Government – are an inability to replace certain systems due to their operational importance and the cost involved, and the resource required to manage legacy systems. A segmented network and outsourced cyber security as a service can help protect against incidents such as the 2017 WannaCry attack, which targeted vulnerable systems and crippled organisations around the globe. And the threat is growing. During the first six months of the Covid-19 pandemic alone, there was a +600% increase in the volume of phishing email, with attackers capitalising on the opportunity to target distracted homeworkers who are less vigilant and suddenly accessing critical business data from non-corporate devices. Looking ahead, the increase in cyber-attacks will keep accelerating, whilst a new generation of workers to whom legacy IT equipment is increasingly unfamiliar enters the workplace, increasing the cybersecurity risk even further. The only option is for organisations to embrace digital transformation and ensure devices and security protocols are modernised and fit for purpose against a backdrop of damaging cyber threats.

Embracing digital transformation

Device as a Service (DVaaS) is a key component of modern digital transformation strategies, as explored in this blog by SCC. By spreading the investment in IT equipment over a fixed term, organisations are saving money whilst making sure they have the latest, greatest hardware that is secure and managed. Typically taken over three years, DVaaS enables a rolling refresh of IT equipment alongside a portfolio of managed IT services and secure, compliant technology recycling at the end of each device’s useful life. By replacing legacy IT systems in a way that is affordable and sustainable, organisations significantly reduce the threat of cyber-attacks. SCC’s DVaaS team has more than 30 years’ experience and works with a diverse portfolio of clients to help save money and better manage IT. Where organisations have already made costly, long-term investments in their IT estate, SCC offers a buyback service, acquiring existing IT and leasing it back under a fixed term agreement, with additional IT managed services. Find out more about DVaaS by SCC and how we can help you here, or if you have any questions please complete the form below and we will be in touch.

How we might use your information

We may contact you by phone or email, if you have not opted out, or where we are otherwise permitted by law, to provide you with marketing communications about similar goods and services, the legal basis that allows us to use your information is ‘legitimate interests’. If you’d prefer not to hear from us you can unsubscribe here. More information about how we use your personal data can be found in our Privacy Policy.

Scroll to Top