A spotlight on legacy systems
A key part of any company’s cybersecurity posture is ensuring that its applications and systems are up-to-date. All software providers release security patches and updates for their programmes, to protect users as new threats emerge - but not forever. Eventually, software falls out of support and is no longer updated - meaning that the longer an unsupported application is used, the greater risk it presents to your cybersecurity.
Part of the security profile suppliers set up on Risk Ledger asks: “Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?” We’ve compared all industries to show where suppliers are the most likely to be using software that no longer receives security updates - revealing that unsupported systems are most likely to be used by manufacturing, telecoms, and financial services industries.
Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?
The table above shows the percentage of organisations from each industry who answered 'Yes' or 'No' to this question. The manufacturing industry has the highest proportion of organisations (42%) still running out-of-support systems.
In all of these industries, it’s possible that the reason they are using out-of-date software is that the software in question is too integral to their business to update - the risk to their business of the update is greater than the risk of a breach. Or, if not a business-critical system, there might be a process-critical system where updating the software would risk breaking the process, and the process in question isn’t deemed enough of a risk to spend the time ensuring the update is done - perhaps it’s an isolated system, not connected to any others.
In a world where a cyber security attack on your organisation is almost inevitable, it’s a risk to assume that any system, no matter how sandboxed it is, isn’t a target for an attacker. If your supplier is using unsupported software, we’d advise asking them exactly which systems are not supported, whether your data would ever pass through those systems, and what steps they take to protect those systems from compromise. Then you can make your own judgement call as to whether the risk is acceptable to your business.