High-profile cyber-attacks, such as the Optus hack[1] and the Medibank health fund breach that exposed millions of customer records and led to demands for million-dollar ransom payments[2], demonstrate the real security risks Australian organisations are facing. It shows why the constant, rapid evolution of cybercrime techniques and growing volume of attacks have put organisations on high alert that strengthening security through modernising applications is an urgent task confronting IT leaders.
Legacy apps were typically not designed to use data effectively and report security issues, meaning the consolidation of data around security and the ability to interpret it doesn't always exist in a useful way in legacy apps. It's why accumulating technical debt imposes real security risks and burdens on organisations, according to Gartner's 2021 report, Building a Successful Business Case for an Application Modernization Program.[3]
Legacy applications that have outlived their reliable lifespan pose serious security risks in the hyper-connected landscape where the sophistication of cyber-attacks is growing in line with advances in technology. Most older apps were originally built to be in secure, closed networks, where security considerations only needed to extend to that environment. If a security incident occurs, system logs may be in place but not set up to trigger security alerts or flags because this capability wasn't needed and not built into the app.
Malicious actors can target networks running legacy software and routinely scan for vulnerabilities, according to the Australian Cyber Security Centre's 2022 report.[4] However, older applications that have little or no proper documentation or a patchwork of spaghetti code from years of add-on updates pose challenges when looking to modernise.
In some cases, organisations can face a lack of developer support, leaving their older applications on technical life support and their organisation vulnerable to code exploitation and other attacks. Who's to know the security implications of binding old and new code together until it's too late?
The recent examples in Australia with Medibank and Optus demonstrate the profoundly damaging impacts of cyber attacks. Every day, organisations large and small are needing to defend themselves from a myriad of threats and attempted attacks.
The problem with legacy applications relying on code stitched together through different iterations is that organisations can't easily respond to the evolving threat landscape. To protect themselves, organisations need to be on a defensive footing, with resilience as the foundation of their systems, and identify, defend and remediate security breaches on all fronts. As their security perimeters are changing, with increasing digitalisation, cloud-based functionality and the explosion in remote working and end-point devices, the blanket of security needs to be more robust.
In this climate, the process of responding to attacks is paramount, and it's no surprise application modernisation is expected to be one of the top ten IT projects across the Asia-Pacific region, which includes organisations in Australia, according to IDC's 2022 FutureScape report. In their modernisation efforts, organisations must adopt a security-first approach across their operations, with the aim of delivering numerous benefits, such as strengthening data security, tightening regulatory compliance and ensuring there's a uniform platform to deliver updates to keep up with evolving threats. The goal is to adopt a security architecture that enables them to address security events in a timely, responsive way.
However, the squeeze on IT talent across the country, the changing threat landscape and the accelerated push for digital transformation pose significant challenges for organisations. Even so, they can't overlook the importance of strengthening security within application modernisation initiatives. It underscores why security, together with agility, productivity gains and IT cost savings, will be the key drivers for some 80% of organisations choosing to modernise their applications by 2025, IDC predicts.
Today there are security considerations that didn't exist when applications in limited frameworks were developed. Security flaws and weaknesses can emerge over the working life of applications and become particularly vulnerable when apps reach the limits of viable upgrades. Patches and updates can only move applications so far down the path of staying functional and secure.
Older, retired applications may also pose unforeseen security risks from not being properly decommissioned. For instance, if whole strings of components aren't fully decommissioned, such as a database that's associated with an application, it can create vulnerabilities that attackers can exploit. With distributed systems and technology, organisations are relying on external elements they don't necessarily have control over and it's creating new vulnerabilities and the urgent need to lift security protections.
Australia must keep pace with technological innovation to underpin future economic prosperity, yet security concerns, legacy systems and lack of skills are some of the major barriers, according to the Government's Productivity Inquiry interim report in August 2022. Recent events in Australian show that organisations can't afford to allow legacy systems to leave them vulnerable to security weaknesses while holding back digital innovation and productivity gains.
To support them in addressing these challenges, organisations should look to engage an experienced, reliable service provider like NashTech and benefit from the end-to-end expertise and capability in modernising applications and lift their security posture. Furthermore, as security is strengthened, it also becomes a shared responsibility between the business and the application service provider.
[1] https://www.theguardian.com/business/2022/oct/01/optus-data-hack-australians-scramble-to-change-passports-and-driver-licences-after-telco-data-debacle
[2] Hackers claim they demanded $15 million ransom as more Medibank customer data posted to dark web - ABC News.pdf
https://www.abc.net.au/news/2022-11-10/medibank-data-breach-latest/101637160
Australia's Medibank says data of 4 mln customers accessed by hacker Reuters.pdf
https://www.reuters.com/business/healthcare-pharmaceuticals/australian-health-insurer-medibank-says-all-customers-personal-data-compromised-2022-10-25/
[3] https://www.gartner.com/en/documents/4001945
[4] https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022