When the technology is purchased, it comes with the latest OS, the latest hardware, and the latest version of the software itself. As time passes (a year or two, or maybe more), new hardware with increased capacity and new versions of software with more features are introduced. HP, IBM, Intel, and other big players introduce new hardware with new chipsets, increased RAM, and new software to enable a faster and more secure product.
Sometimes there are technical limitations that prevent new software features from working on old hardware, and a hardware upgrade is required for them to work. Other times, the technology vendor will provide bug fixes and security patches to bring the old version up to par with the latest one. Most of the time, however, the vendor will stop providing technical support for an outdated version of hardware or software, even if you are using it in production. Technology vendors have to keep up with the pace of technological advancement to maintain a competitive edge in their own industry, so they have to upgrade their products, and hence they focus their time and investment on research and development of new products. This is reasonable and logical.
However, client organizations with limited budgets are left with a choice of where to spend their money, and most often upgrading the software/hardware takes a backseat when other priorities take over, such as meeting regulatory or audit requirements, or other projects that enable digitization and transformation of the organization.
The larger the organization, the larger the complexity. Given the challenge that complicated legacy systems and networks pose for a CTO, it is often also a change management problem. Most legacy systems have been running for many years, if not decades, and some are customer facing. Getting a change window for a customer-facing application running in production is a big challenge in itself. It then becomes a question of the delicate balance between cost of investment versus revenue loss. I think there is a bigger picture that we might be missing completely.
Why should you upgrade?
Hackers are getting smarter and are finding new ways to take control of your digital assets. They will exploit a vulnerability for which a patch has not been released yet. Ransomware will infect your computer through a phishing scam and, using social engineering techniques, it will spread within your network. A few aggressive ransomware families, such as NotPetya, exploit security loopholes in your systems without the need for phishing. A few others encrypt your data with a stronger encryption key.
Security Ventures forecasted that global ransomware damage costs would reach $20B by 2021. The majority of it will be politically motivated by the big four (US, Russia, China, Iran) in the form of APTs (Advanced Persistent Threats), but non-state-sponsored ransomware will still continue to be a big threat, followed by phishing scams. However, the payout is not the only thing that you have to worry about.
As stated by Security Ventures:
"It's a common myth that ransomware damages are only limited to payout. Ransomware costs include damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks. The estimations take attacks on businesses and individuals into consideration, and also include global ransom payouts."
Hackers are now exploiting what you would usually trust. As a simple example, you would not think twice before installing a patch from Microsoft for the Windows OS installed on your personal computer, because you trust that Microsoft will be doing its due diligence. However, what if even Microsoft couldn't detect a backdoor trojan planted in a patch that they are releasing to their customers? Yeah, you know what I am talking about: the SolarWinds hack!! And the FireEye hack (which seems like a revenge hack for SolarWinds). The SolarWinds and FireEye hacks sent shockwaves across the world, and every CIO and CTO was calling emergency meetings to find out whether they were affected. They were worried, and they should be.
As technology advances, the hackers are getting more sophisticated as well. Future attacks will be backed by AI, and there is news that state-sponsored actors would use Ransomware as a Service (RaaS) to launch cyber warfare.
As TD Bank's Head of Cyber Security, Claudette McGowan, says:
"Hoping nothing bad happens is a fairy tale, not a cyber security strategy"
The importance of securing yourself can't be stressed enough. If you don't want to be that soft target, start upgrading now.
1. Legacy systems and software are the soft targets for cyber criminals.
2. Start by convincing management to create an annual budget dedicated to technology currency upgrades.
3. Start an ongoing project to identify, patch, and upgrade vulnerable systems. There are vendors like Qualys who can produce reports on the hardware and software that are most vulnerable. Start with the high-risk items.
4. Have a Zero Trust policy when it comes to cyber security. Test every bug fix and every patch before you put it in production.
5. Encourage your vendors to upgrade their systems as well.
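To make step 3 repeatable, here is an added example (not from the original post or any vendor's tooling) of ranking an asset inventory by upgrade urgency: assets whose vendor end-of-support date has passed rank highest, assets approaching end of support come next, unpatched findings add weight, and customer-facing exposure doubles the score. The inventory, the dates, and the weights are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    product: str
    version: str
    support_ends: Optional[date]  # vendor end-of-support date; None if not announced
    customer_facing: bool         # reachable by customers / the internet
    open_vulns: int               # unpatched findings from a scanner report


def risk_score(asset: Asset, today: date) -> int:
    """Higher score = upgrade sooner. Weights are assumptions, tune per organisation."""
    score = 0
    if asset.support_ends is not None:
        days_left = (asset.support_ends - today).days
        if days_left < 0:
            score += 50   # out of support: no more security patches from the vendor
        elif days_left <= 180:
            score += 20   # support ends within six months: budget the upgrade now
    score += 5 * asset.open_vulns
    if asset.customer_facing:
        score *= 2        # exposure multiplies the impact of every other factor
    return score


def upgrade_order(assets: List[Asset], today: date) -> List[str]:
    """Return asset names sorted from most to least urgent."""
    ranked = sorted(assets, key=lambda a: risk_score(a, today), reverse=True)
    return [a.name for a in ranked]


# Constructed sample inventory and a fixed "today" so results are reproducible.
TODAY = date(2021, 3, 1)
INVENTORY = [
    Asset("web-portal", "AppServer", "7.2", date(2020, 6, 30), True, 3),
    Asset("hr-db", "DBServer", "11", date(2021, 6, 30), False, 1),
    Asset("intranet-wiki", "Wiki", "4.0", None, False, 0),
    Asset("payments-api", "AppServer", "9.1", date(2023, 1, 1), True, 2),
]

if __name__ == "__main__":
    for a in sorted(INVENTORY, key=lambda a: risk_score(a, TODAY), reverse=True):
        print(f"{risk_score(a, TODAY):4d}  {a.name:14s} {a.product} {a.version}")
```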