What WannaCry Can Teach Businesses about Legacy Technology
Authored by: Silvano Stagni and Krishan Chauhan
The recent WannaCry ransomware attacks have highlighted the vulnerability of legacy technology, data and operations to malicious attacks on businesses, raising this as a key risk for financial services firms. Similarly, the Financial Conduct Authority (FCA) 2017 mission published in April also highlights the systemic and technical risks that derive from the continuous use of old technology as a priority area of intervention.
Why did “legacy” become such a big deal? What can be done about it at a time when a large share of the Information Technology (IT) budget, resources, and effort is aimed at managing regulatory change? To answer these questions, we need to look at what makes these systems vulnerable and why.
Some areas of the financial industry are constantly embracing new technology, using people with extensive systems and workflow experience. The tail end of technology lifecycle management is often neglected. Managing the upgrade (or the update or, indeed, the demise) of an old system must include maintaining a robust control model (e.g. performing an update check each quarter) to identify and remediate points of vulnerability and to understand how they apply across the technology ecosystem.
Few systems exist in complete isolation. Any change, however small, to the corporate IT landscape may affect an old system. If the system is poorly documented, it will take longer than expected to implement any change. The worst-case scenario may result in unplanned investment in time, effort, and money. Any system downtime has the potential to result in reputational risk, a sudden and urgent need to source costly resources to re-establish the service, or a high-priority requirement that can block resources from being used elsewhere.