One of my first introductions to the world of cyber security was the movie War Games. It is the tale of a high school student who manages to hack into a computer at the North American Aerospace Defense Command. He plays a game of global thermonuclear war against the computer, which happens to be connected to the real defence systems. The “game” almost causes a nuclear war.

Move forward forty years to the present day and the threats posed to our computer systems have become very real. Fortunately, tools and services to protect us are available. Letting a professional IT security company look after this is something I would strongly recommend. It’s something we do at Reach Aware because we acutely understand how essential it is that your systems are adequately protected.

An area that organisations often overlook is the security of their business applications. For applications that have been developed in house and are often in use for a long period, it is vital that they are kept up-to-date and running on supported versions of their base platforms. Our cyber security partners, Melius Cyber, have highlighted that running applications on older, unsupported platforms would be a reason to fail security audits such as ISO 27001 and Cyber Essentials Plus. There is also a real risk that cyber insurance cover would reject a claim if a breach came through a vulnerability in such an application.

This represents a challenge to many organisations. The established wisdom and working practice have been: “if it isn’t broke, don’t fix it”. This approach may have served us well in the past, but unfortunately it is no longer sustainable. The security threats are too great to leave old applications in place, running out-of-date software full of known vulnerabilities.

The way modern software is built contributes to the problem. I estimate there are as many components supplied by third parties in modern software applications as there are in a new car. Software tools make it easy to discover and use existing components and there are tens of thousands of them out there. This is great for productivity and reliability as the developers are not reinventing the wheel every day. On the flip side, though, it opens up software to new risks such as hidden chains of dependencies where it is very hard to determine exactly how many different components are in use, or from which sources.
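To make the “hidden chains” point concrete, here is a small added example of my own (not code from the original post or from any real package manager) that walks a constructed, lock-file-style dependency map starting from the two components a developer actually chose, and reports how many components are really in use, how deep the chains go, and which sources they come from. The package names and sources are invented for illustration.

```python
from collections import deque

# Constructed sample (an assumption, not a real lock file): each package lists
# its source and its own dependencies. Only the first two are chosen directly.
PACKAGES = {
    "web-framework":   {"source": "public-registry", "deps": ["template-engine", "http-parser"]},
    "report-export":   {"source": "vendor-mirror",   "deps": ["pdf-writer", "image-codec"]},
    "template-engine": {"source": "public-registry", "deps": ["markup-escape"]},
    "http-parser":     {"source": "public-registry", "deps": []},
    "pdf-writer":      {"source": "vendor-mirror",   "deps": ["image-codec", "font-loader"]},
    "image-codec":     {"source": "github-fork",     "deps": ["compression-lib"]},
    "font-loader":     {"source": "vendor-mirror",   "deps": []},
    "markup-escape":   {"source": "public-registry", "deps": []},
    "compression-lib": {"source": "github-fork",     "deps": []},
}
DIRECT = ["web-framework", "report-export"]

def resolve(packages, direct):
    """Breadth-first walk from the declared dependencies; returns {name: depth},
    where depth 1 is a direct dependency and higher values are transitive."""
    depth = {}
    queue = deque((name, 1) for name in direct)
    while queue:
        name, d = queue.popleft()
        if name in depth:  # already visited; this also stops on cycles
            continue
        depth[name] = d
        for child in packages[name]["deps"]:
            queue.append((child, d + 1))
    return depth

def inventory(packages, direct):
    """Summarise the hidden part: total components, which ones are transitive,
    the longest chain, and how many components come from each source."""
    depth = resolve(packages, direct)
    by_source = {}
    for name in depth:
        src = packages[name]["source"]
        by_source[src] = by_source.get(src, 0) + 1
    return {
        "total": len(depth),
        "transitive": sorted(n for n, d in depth.items() if d > 1),
        "max_depth": max(depth.values()),
        "by_source": by_source,
    }

if __name__ == "__main__":
    print(inventory(PACKAGES, DIRECT))
```

Two chosen components pull in seven more, three levels deep, from three different sources; the same walk over a real lock file is the starting point for the component inventory an audit will ask for.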

There needs to be a change in mindset in organisations to move away from the “buy once and forget” mentality for software applications, to one where maintenance and support are planned in from the beginning. The onus has to be on the providers when it comes to leading this. If the underlying technologies are only supported for three years, then the cost of the project needs to factor in the cost of migrating in three years’ time. As a responsible software developer, I need to ensure that these future costs are clear and quantifiable to the customer in every sales contract, to enable properly informed decision-making.

What can be done about existing applications? Significant investments have been made to build bespoke systems and these need to be protected. Simply replacing out-of-date systems is not an option. Fortunately, there are companies out there, like Reach Aware, that can help bring existing systems up to date. A project to upgrade systems can also be used to look at areas for improvement, introducing productivity gains and efficiencies. If there are new requirements, building these alongside migration to current platforms can help reduce the cost. Combining platform upgrades with new development helps make a compelling business case, providing essential security upgrades alongside increasing revenues.

In summary, don’t overlook business applications when planning your cyber security strategy. Their security should be a key element alongside everything else.