Often the business systems you rely on most can be the most neglected. They have been running well for years without much attention. The assumption is that this situation will continue, and the business can focus and invest in more ‘sexy’ solutions.
However, long-held assumptions must be challenged. How would your business cope if a cyber-attack disrupted systems of record or product and supply chains? Nick Denning, CEO of Diegesis, discusses the issues and proposes six steps to protect your organisation and its legacy systems.
Facing new workplace realities
It can be daunting to look back on the events of the last few years and the list of issues we have all faced with the often-unexpected impacts on our employees and ways of working.
The threats posed to business are changing. Are our long-held assumptions still valid? Are our organisations as secure and resilient as they need to be? Is it time to take stock and develop new strategies?
The pandemic drove employees to work from home and it seems as if a more hybrid working model is here to stay. This has pushed out the security boundaries of organisations and introduced new points of vulnerability. No longer are the vast majority of staff accessing business systems from the relatively secure environment of the office. Employees now need access to core systems via their home internet or mobile devices.
The COVID-19 pandemic also prompted the phenomenon known as the ‘Great Resignation’. It has seen record numbers of people change jobs or leave the job market completely. However, the Institute of Employment Studies sees this as the ‘Great Retirement’. Many of those falling out of the UK workforce are over 50.
UK labour market statistics have shown that there are now 180,000 fewer over 50s in work than before the pandemic. Is your organisation in danger of losing long term staff who’ve kept your key legacy systems running smoothly?
We believe that the pendulum will swing back towards the office. People whose first job was working from home will realise the importance of forming relationships, teamwork, collaboration, and leadership roles. Nevertheless, we need to continue to be aware of the impacts of hybrid working and adjust accordingly.
Supply chain upheavals
The pandemic, the war in Ukraine and Brexit have shone the spotlight on supply chains. They have led to governments and businesses questioning the benefits of globalisation. Even after two years of COVID-19, supply chain surprises continue to emerge. CNN recently reported, “China’s unwavering commitment to stamping out COVID by locking down big cities such as Shanghai threatens to deal a hefty shock to its vast economy, place more strain on global supply chains and further fuel inflation.”
Shanghai is China’s most populous city at 26 million. It is also home to its leading financial centre and some of its largest sea and airports. Lockdown here will have a much greater impact on global supply chains than the closure of the likes of Wuhan, China’s 9th largest city with a population of 8 million. This is just one of many examples of why organisations are looking again at their key suppliers. It, in turn, will impact supply chain and production systems to which trusted partners are given access.
There is a significant increase in supply chain risk across all our industries. It suggests that as a nation we must maintain some capability in the UK so that we do not lose the competencies essential to our supply chain.
In IT, this can mean we ensure all work is properly documented, and all teams contain a UK-based employee so that we can always re-train our technical staff. We also need to be able to rapidly skill up new employees if our remote workers suddenly become unavailable.
Increased cyber threats
Hybrid working and the changes in supply chains will increase vulnerabilities. This is compounded by ever-evolving threats from cyber-attacks and an increased level of danger from state-sponsored bad actors.
Many expected Russian cyber-attacks against Ukraine. The Ukrainian government called on the ‘hacker underground’ to come to its defence which has offered some levels of protection. A more complete understanding of the impact of the cyber element of the Russian attack of Ukraine will not be possible until after the conflict ends. However, the Council on Foreign Relations has already identified numerous malware and denial of service attacks on Ukraine. These have been kept off the front pages by more traditional warfare.
If the war continues and deepens, other nations, businesses and supply chains could see increased cyber-attacks from Russia and other sources of state-sponsored cyber aggression.
Protect your systems of record
With so much changing over the last few years, is your business now at greater risk of cyber-attack? A large proportion of cyber security effort has been focused on newly installed systems and apps which are often customer-facing. This is important, but have you left an open door to vital legacy systems?
It is easy to neglect them if they have been running well for years. But, how would your business cope if systems of record, production and supply chains were disrupted by a cyber-attack?
The Verizon 2021 Data Breach Investigations Report found that over 80% of cyber-attacks gained access via issues with users’ IDs and passwords. Therefore, it is especially important to focus efforts on protecting and controlling employee and supply chain partner access to key systems via logins and interfaces.
Six ways to reduce your organisation’s risk of cyber-attack
There are numerous areas to look at when increasing protection against cyber-attack, but here are six things an organisation can do:
Maintain engineering practices and standards: Invest in ensuring your design approaches encompass best practices. Turn this into a key business benefit for your customers by ensuring compliance with standards such as OWASP and WCAG 2.1 AA. Also, comply with GDS standards to win business across the public sector from which non-compliant organisations are excluded.
Identify and prioritise new risks: The world has changed, and it’s time to think the unthinkable. Consider putting in place a formal review of the impact of what has happened over the last few years. Look at the threats from hybrid working, supply chain upheavals and the introduction of new supply chain partners. Remember to include in the review the turnover of staff and the impact of losing experienced employees with knowledge of running key legacy systems. Mitigation steps can then be developed once the new risks are known.
Proactively work to retain experienced staff: Create a culture that is anti-ageist. Invest in line-management training, including policies related to older workers, such as managing employees with long-term health conditions. Implement mid-life career reviews and plans, recognising that deep expertise gained over years is just as valuable as management ambitions and a desire to climb the hierarchy. The use of the Chartered Institute of IT SFIAplus – IT skills framework provides an excellent way for your staff to realise how good they are and how effective they can be.
Focus on knowledge management and effective processes: With an increase in hybrid working, greater turnover of employees, the potential loss of experience and more volatility in suppliers, it is important to have a robust approach to all your processes. Focus on security, including on-boarding, leaver processes and user access to systems. Take a look at the creation and removal of user ids, password management and the potential adoption of new authentication tools.
Look to the cloud: Many corporate functions now use cloud-based applications. But has your organisation considered transitioning legacy systems to the cloud too? This may not be appropriate for every system or organisation. However, systems in the cloud typically benefit from enhanced security built by industry experts and increased availability.
Learn from the experts: UK businesses benefit from the leadership and guidance from the National Cyber Security Centre. Ongoing initiatives such as Cyber Essentials point the way to making your organisation more secure against cyber-attacks. It also publishes regular information updates and advice on evolving threats, such as those resulting from the invasion of Ukraine and elevated risks from Russia.
The world looks very different from the start of this decade. If we accept that there has been an accumulation of interdependent changes and address them head-on then it is perfectly possible to create the mitigation strategies needed to protect organisations against heightened cyber threat levels.
References:
- CNN: “Lockdowns in Shanghai and other Chinese cities pose a growing threat to the economy” – April 2022
- China’s biggest cities
- Reuters: Ukraine calls on hacker underground to defend against Russia – February 2022
- The Council on Foreign Relations: Tracking Cyber Operations and Actors in the Russia-Ukraine War – March 2022
- The Institute of Employment Studies: The Great Resignation Vs The Great Retirement – Nov 2021
- The Verizon 2021 Data Breach Investigations Report
- Government GDS standards
- IASME Cyber Essentials
- BCS Skills Framework for the Information Age +
Diegesis is a business technology and IT systems integration company that specialises in delivering outcomes using RDBMS, integration and data analytics technology. The company has a proven track record delivering successful projects that provide tangible business value to large and mid-size organisations through the effective combination of people, process and technology. Diegesis specialises in helping organisations to release the hidden knowledge and wisdom from within their entire range of diverse sources of information (documents, emails, core business systems and applications, databases, intranet, internet and presentations) to support swift and effective decision-making. For more information, visit www.diegesis.co.uk