Attacks on legacy systems
2020-03-21

The notorious WannaCry ransomware, which crippled a number of companies in mid-2017, was enabled in large part by the victims’ use of legacy systems.

As Infosecurity magazine put it at the time, “The culprit is called the ‘EternalBlue’ exploit and it’s a tool that takes advantage of previously unknown vulnerabilities in certain older versions of Microsoft Windows operating systems, such as Windows XP.”

You might think that something as devastating as WannaCry would prompt not only consternation but action. But no. A survey conducted two years ago by the RSA Conference found that only 47% of companies patched known vulnerabilities right away—a hacker’s dream. The reasons? Respondents to the survey said they didn’t have time or money, or they didn’t have people with the expertise to do it.

The irony, of course, is that if one or more of those vulnerabilities gets exploited, they will have even less time and money.

IBM’s 2019 Cost of a Data Breach Report found the average cost worldwide was $3.92 million, but more than double that in the U.S., at $8.19 million.

Beyond that, legacy code could add even more financial risks for businesses operating under strict compliance requirements. Standards such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), and SOX (Sarbanes-Oxley Act) require that technology security be kept current.

Not only does legacy technology make audits difficult and costly, but a breach will likely lead to fees and fines.