If you are leading a business or work within a business, this guide is definitely for you.
You have probably come across the term legacy software or legacy systems but don’t know exactly what they are. Or, even more likely, you are using legacy software or systems without even knowing it.
But there are risks and challenges associated with this (somewhat unavoidable) business practice.
Below I will explain what you need to know about getting the most out of legacy software and systems. As I said, a business older than a year is very likely to be using at least some tools that can be labeled legacy.
First things first, though: let’s start by exploring what legacy software and legacy systems are. Typically, any medium to large company nowadays has at least a few legacy elements in its IT environment.
Next, we’ll move along to tips that can help you identify whether your legacy software or legacy system is one of the risky ones or not.
What Is Legacy Software? Definition(s)
To put it in as few words as possible, legacy software is any piece of software that no longer receives security patches or support from its developer, or that no longer meets the compliance standards the business is subject to.
Enterprise-level legacy software takes many different forms.
Here are just a few cases which can be labeled as legacy software, to get a better idea of what it can encompass:
- A major platform with no functional replacement (yet), still supported and compatible with other IT assets, but which does not receive security updates anymore;
- An older piece of software that is still in use and receives support, but whose creators have announced that support is moving to the newer version of the product (such as the case of Python 2 vs Python 3; Python 2 reached end of life on 1 January 2020 and no longer receives security fixes);
- A piece of software or platform which still gets updates but only for features (not security patches);
- A piece of software or platform which still gets security updates and support but is no longer compliant with recent standards;
- A piece of software or platform which gets updates and support but is not compatible with the newer systems and drivers in use (thus stalling the company’s adoption of those);
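The categories above are easier to act on when they are applied to an actual software inventory. As an added example (not code from the original post or from Heimdal), the Python script below reads a constructed inventory, sorts each entry into one of those categories, and orders the result by urgency, with internet-facing systems first. The inventory rows and product names are invented; the only public fact in them is the Python 2 end-of-life date.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory, not data from any real company. The only public
# fact in it is Python 2's end of life on 1 January 2020; every other row is
# invented to exercise one of the categories listed above.
SAMPLE_INVENTORY = """\
name,version,support_ends,security_updates,compliant,compatible,internet_facing
Python,2.7.18,2020-01-01,no,yes,yes,yes
FeatureOnlyCRM,11,2026-06-30,no,yes,yes,no
LegacyERP,9.2,2025-03-31,yes,yes,yes,no
ReportBuilder,4.0,,yes,no,yes,no
OldDriverSuite,1.8,2027-01-01,yes,yes,no,no
NewPortal,3.1,2029-01-01,yes,yes,yes,yes
"""


@dataclass
class Finding:
    name: str
    version: str
    category: str
    priority: int          # 1 = deal with first, 5 = nothing to do yet
    internet_facing: bool


def _flag(value):
    """Parse a yes/no cell strictly; a typo in an inventory should fail loudly."""
    v = value.strip().lower()
    if v not in ("yes", "no"):
        raise ValueError(f"expected yes/no, got {value!r}")
    return v == "yes"


def classify(row, today, warn_days=180):
    """Map one inventory row onto the legacy categories used in the article."""
    ends = date.fromisoformat(row["support_ends"]) if row["support_ends"] else None
    base = dict(name=row["name"], version=row["version"],
                internet_facing=_flag(row["internet_facing"]))
    if not _flag(row["security_updates"]) or (ends is not None and ends < today):
        # No security patches, whether or not a support contract still exists.
        return Finding(category="no security updates", priority=1, **base)
    if ends is not None and ends <= today + timedelta(days=warn_days):
        return Finding(category=f"support ends within {warn_days} days", priority=2, **base)
    if not _flag(row["compliant"]):
        return Finding(category="not compliant with current standards", priority=3, **base)
    if not _flag(row["compatible"]):
        return Finding(category="blocks adoption of newer systems", priority=4, **base)
    return Finding(category="current", priority=5, **base)


def triage(csv_text, today, warn_days=180):
    """Classify every row and order the result by urgency, exposed systems first.

    `today` is an ISO date string so that the result is reproducible.
    """
    today = date.fromisoformat(today)
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [classify(r, today, warn_days) for r in rows]
    return sorted(findings, key=lambda f: (f.priority, not f.internet_facing, f.name))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, "2024-12-01"):
        tag = " [internet-facing]" if f.internet_facing else ""
        print(f"P{f.priority} {f.name} {f.version}: {f.category}{tag}")
```

Two design points: anything that no longer gets security patches lands in priority 1 even if a paid support contract is still active, because a helpdesk cannot fix a vulnerability the vendor will not patch; and the `warn_days` window (180 days here, an assumption) is what turns "support is moving to the new version" into a dated item on the replacement plan instead of a surprise.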
In some cases, the category of legacy software can include consumer-oriented software products issued by companies that no longer exist.
But, in spite of the discontinued support – and the discontinued official listing of that software (there’s nowhere to officially buy or download it from) – some users continue to procure it out of nostalgia.
Such is the case of Winamp media player, for example. There are entire Reddit forums dedicated to Winamp nostalgia, along with users still sharing custom made Winamp ‘skins’. There is also newly issued software that can emulate Winamp in-browser. So, the power of nostalgia for legacy software can still make the world go ‘round.
What Is a Legacy System in a Computer Industry Context?
A legacy system is a platform, hub or operating system (the layer that facilitates digital operations, one level above individual applications) that is outdated.
"Outdated" here covers the same conditions as for software: the system can no longer be supported, it is no longer compatible with other elements of the IT environment, it no longer meets the compliance standards in use, or it no longer receives security updates.
Myth Busting Legacy Software and Legacy Systems
Here are the most common misconceptions about legacy software and legacy systems.
#1. Legacy software is useless
While legacy software and legacy systems still pose risks (which I’ll dive into below), it doesn’t mean they outlived their usefulness completely.
In many cases, a piece of legacy software or a legacy system is still in use precisely because it is the most comfortable option. Either there is no exact functional replacement yet, or the transition is still too difficult to weather.
Regardless of the exact reason, companies continue to use legacy software precisely because it’s still useful.
Ideally, yes, people should try to move on from legacy software as soon as it’s feasible, but things are always a bit more complicated in practice.
#2. Legacy software is free
The opposite can be true: precisely because legacy software was quite an investment, companies may be reluctant to replace it yet. An investment only makes sense if the cost is recovered over a pre-determined use period.
In many cases, even subscription-based software and systems (which the company is still actively paying for) are in fact legacy ones. The recurrent fee ensures continuous support and perhaps even some feature updates, but the security patches are unsatisfactory, or the software is not compliant.
#3. Legacy software is unsupported
As mentioned above and throughout the examples so far, there are cases when legacy software is still supported by an actual team, and you can still get an account manager to troubleshoot things for you.
Regardless, no matter how active and involved the support team behind the software is, if it doesn’t get security updates or is non-compliant, it still counts as legacy software.
#4. Legacy software is dangerous
I know that most sources you will consult about legacy software will seem to push you to replace it ASAP, on account of it being dangerous.
But the truth is that legacy software is not always dangerous. It depends a great deal on the specifics of the case: whether the software is reachable from the internet or from untrusted users, what data it handles, and what compensating controls (network segmentation, restricted accounts, monitoring) sit around it.
I’ll get into more detail on how to mitigate the risks of legacy software below.
#5. Legacy software and legacy systems should be immediately replaced
Just as legacy software is not always dangerous, so it does not always need to be replaced. It depends on the case and its specifics. Not only of the software but also of the company and its way of operating.
Before you decide whether a particular piece of legacy software needs to be replaced, you should do a case analysis. Applying software updates is already a major hassle for company IT admins unless they use a patching automation tool. No need to make that job even harder.
The Risks of Running Legacy Software and Systems in Your Business
Still, even if legacy software is not always dangerous, there are cases when it can definitely pose some risks.
Here are a few examples of such risks deriving from legacy software or legacy systems:
- The risk of falling prey to a data breach or cyber-attack more easily: vulnerabilities in software that no longer receives patches are public knowledge, so attackers can target them with known exploits indefinitely;
- The risk of slowing down the activity due to the performance issues or the need to manually fix issues regularly;
- The risk of becoming non-compliant;
How to Mitigate the Risk of Legacy Software: 3 Ways
In order to avoid these three main types of risk deriving from legacy software or legacy systems, you just need to be proactive about it. Don’t wait until you are already facing a productivity crisis or, worse yet, a security breach.
The main ways to go about it are these:
#1. Consult with security experts about the legacy software elements in your IT environment
As mentioned above, it’s not always dangerous to stick to your legacy software or legacy system already in use. Sometimes the switch can involve costs that are not justified by the amount of risk you need to absorb. So, in some cases, it makes perfect sense to stick with the legacy software (and that’s exactly what some companies do).
Check with security experts to see what software absolutely poses a risk and what legacy software you can afford to continue using. Also, implement an automatic software patching solution to close potential security gaps and to make the life of your sys-admins easier. Keep in mind that patch automation only helps with software that still receives patches; for legacy software that doesn’t, the gap has to be closed another way, for example by isolating it on its own network segment, restricting who can reach it, and monitoring it more closely until it is replaced.
#2. Do a case by case comparison between your legacy software and alternatives
Sometimes, the bad news is that legacy software that really needs to be replaced does not have a viable replacement yet.
But when it does, look into it just as you would look into any other business decision, with pros and cons. When you consider the (explicit) costs of updating, also consider the (implicit) costs of not updating. Is a potential breach easier to come back from than absorbing the costs of a change?
#3. Analyze the impediments to a transition from legacy software to non-legacy software
Also, in each case analysis, consider all the other variables and effort required for a transition. Compatibility and cost concerns are valid, but internal effort and time should not weigh that much in the final decision. Just because it will be a bit of a hassle doesn’t mean you should postpone indefinitely. That’s how companies end up on the breach list in many cases.
This concludes today’s guide on legacy software and legacy systems. If you have any questions or stories to share, feel free to comment below or contact me. I’m here to help if I can.
The post What Is Legacy Software and a Legacy System in Business + The Risks appeared first on Heimdal Security Blog.