Why legacy tech is a legal risk management nightmare

Kara Wen | June 28, 2022 | Articles

Poor cybersecurity presents a legal risk to your organization, and, unfortunately, data breaches and cyberattacks are becoming more common. By 2025, a predicted 45% of organizations across the globe will face an attack aimed somewhere at their digital supply chain.

Though cybersecurity is not part of traditional business law, legal professionals now have an obligation to understand their options for mitigating risk by securing their tech stack and replacing old systems with options that include better safeguards for customer data.

A system that’s built on outdated tech will make it difficult — even impossible — to manage your legal risk effectively. Replacing legacy tech can protect your company against cybersecurity threats and shore up weaknesses in your operations and third-party vendor relationships.

The risks of legacy tech

Legacy tech is older software, systems, or hardware that have become obsolete and outdated. Because progress moves fast in the tech world, software and systems can be classified as legacy very quickly. Old software isn’t just a nuisance; it also presents a number of avenues that bad actors can use to access sensitive data.

Lack of patches and updates

Legacy tech isn’t supported by its developer. Developers periodically phase out (or “sunset”) old tech to focus on new products. That means they’ll no longer devote time and resources to keeping their old products secure and up to date — you continue using them at your own risk. For example, Microsoft will end support for Windows 8.1 in January 2023. No new security updates or patches will be released for that OS, leaving users potentially vulnerable to cyberattacks.

Bad actors are constantly looking for ways to exploit legacy software. In late 2021, attackers found a flaw in Log4j, a widely used tool for the popular online game Minecraft. Within just 12 hours, attackers accessed sensitive data and installed malware. Thankfully, developers patched the software and eliminated the vulnerability. With supported software like Log4j, developers move quickly to patch any vulnerabilities, but when it comes to legacy software, the fallout can be catastrophic.

In 2017, a widespread ransomware attack known as “WannaCry” shut down the systems of a variety of large companies across the world as well as hospitals in the UK. WannaCry exploited a flaw present in current and past versions of Windows, and while Microsoft quickly addressed the problems in its newest software, the company initially failed to address the problem in a legacy OS, Windows XP. Microsoft did eventually take the unusual step of patching its legacy software, but that was due to the serious impact that the ransomware attack had worldwide.

Lost internal knowledge

Another risk in keeping old tech involves the specialized internal knowledge required to use and update it. If only one employee knows how to operate an outdated system and you don’t have a knowledge management strategy in place, you’re at substantial risk if they ever choose to leave your company. In those situations, that tech becomes legacy — if there’s no one around who understands how to use it, it can’t be kept secure. That’s especially true if that employee established a patchwork process involving add-ons and workarounds to make use of that outdated tech. Without them on your team, you’ll be stuck trying to understand how they made their approach functional.

Unsecured third-party access

Legacy tech may also allow vendors and third parties to gain unsecured access to your internal systems. In fact, 74% of companies that experienced a breach said it happened due to unsecured third-party access to their systems. Old vendors and former employees sometimes retain their access credentials even after the business relationship has ended, and it can be harder to manage access if you’re using old software. Newer software includes more secure authentication for users through identity and access management (IAM). In 2021, Volkswagen and Audi experienced a data breach after a third-party vendor left the personal information of over 3 million customers unsecured. The companies are now facing a class-action lawsuit.

Acquired tech

Security risks can also follow mergers and acquisitions. While your internal systems may be up to date and secure, the tools used by your newest acquisition may not be. Once your companies are merged, you effectively take on those added security risks. This is a major blind spot for many organizations — and it’s a reason why it’s a good idea to conduct a thorough security audit as part of the M&A process. If you find legacy software, it’s time to upgrade your tech stack to cover your expanded business needs.

Data privacy laws are changing

As data protection regulations change, your tech also needs to change to meet those regulations. Outdated tech likely won’t comply with the strict standards in the General Data Protection Regulation (GDPR), for instance. In the United Kingdom, almost half of government IT spend is dedicated to keeping legacy tech running — even those systems that don’t meet cybersecurity standards. Though the GDPR only protects the data of EU citizens, it represents a comprehensive data protection law that other nations might copy — and it applies if your website is accessed in EU member nations.

In the healthcare industry, patient data is sometimes managed on legacy systems that are vulnerable to attack, possibly exposing people’s private health information. In some cases, data protection standards were so lax that they violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Medical records are full of sensitive information that can be used against patients maliciously. The U.S. Department of Health & Human Services takes violations of the HIPAA Privacy Rule seriously: noncompliance can result in corrective actions and fines.

In short, violating data protection laws may lead to regulatory fines as well as extensive damage to a company’s reputation.

Costs of breaches are rising

In a 2021 report, IBM reported that the average cost of a breach is $4.24 million. Costs are highest in the healthcare, financial, pharmaceutical, and tech industries. In healthcare alone, the average cost of data breaches jumped from $7.13 million in 2020 to $9.23 million in 2021 — the likely driver of that increase was a rapid, unsecured switch to remote work for some employees during the pandemic.

Most of these high costs come from lost business due to tarnished reputation and system downtime. There are also significant expenses associated with detecting the breach, responding to the problem, and notifying customers and regulators. The longer a company takes to spot a breach, the higher costs rise as well — and, on average, it takes 212 days to identify that a breach has occurred.

How a system upgrade will mitigate security issues and reduce risk

Once you’ve discovered that you’re relying on unsecured legacy tech, replacing it is a top priority for risk reduction. Upgrades will plug the holes in your cybersecurity and make sure you don’t lose business due to a cyberattack or data breach.

Complies with industry standards

Industry standards for data security vary depending on the risk levels involved in your work. If you’re in the healthcare or financial industry, you’ll have to meet higher standards for regulatory compliance since the information you’re dealing with is high risk and so valuable to attackers. In healthcare, that higher standard is laid out in the HIPAA Privacy Rule, and for finance, it’s spelled out in the Gramm-Leach-Bliley (GLB) Act.

Simplifies your ops

Aside from the risk management benefits, upgrading your tech also presents an opportunity for you to simplify your system. You get the chance to reset your processes to make them safer and, depending on how outdated your previous system was, likely faster. It’s also easy to keep a new system organized, so you don’t need to rely on an individual employee’s knowledge to keep it running smoothly.

Of course, upgrading can get complicated and costly, especially if your system is built on a foundation of legacy tech. But keep in mind that the overall cost of a data breach is 47% higher for companies working with outdated technology compared to those that have an updated, secure tech stack. Investing in new tech may ultimately save you money.

Keeps up with the competition

There’s also a business case to be made for updating your legacy tech: it puts you on equal footing with digital-native start-up companies that have been focusing on cybersecurity since they launched.

And cybersecurity is top of mind for consumers. A 2020 survey found that 89% of Americans have concerns about how well companies are able to protect their personal and financial information. An updated, secure system can act as a compelling selling point for customers who are worried about their data security, especially in vulnerable industries like banking and healthcare.

Gets leadership behind your risk management approach

Another benefit to upgrading your legacy tech is that it shows all of your company stakeholders how important your legal risk management initiatives are.

When you allocate time and resources toward software upgrades, it offers you an opportunity to ensure that your C-suite executives see cybersecurity as a top priority in your organization. It’s also a good idea to remind them to look out for blind spots in this area during their decision-making. It also provides your human resources department with a chance to cultivate a security-focused culture among employees and help them learn to reduce human error. Upgrading to new software allows you to introduce better training around cybersecurity for your staff.

Finally, undertaking a large project like this gives you the chance to create a schedule for software updates, so you don’t find yourself behind the curve in the future (and supported software includes free updates and patches to keep it secure). Regular risk identification processes and updates are key components to establishing a more secure risk management strategy for your company.

Organize your legal ops with intuitive software

Organized ops and vendor management can be the difference between strong cybersecurity and a data breach. An up-to-date tech stack can help you lock down your system and keep unauthorized third parties from gaining access. It also prevents old vendors and former employees from retaining their credentials.

SimpleLegal helps in-house legal teams establish the right risk management framework for their company. From vendor management to e-Billing, we make each part of managing legal ops easier for general counsel, so you can focus on more urgent matters. Request a demo to learn more.