In the cyber security industry a phrase gets used when looking at legacy applications: “Accept the Risk”. It is said so often about legacy applications because, by their very nature, there isn’t much an organisation can do about them. In conversations with CISOs it usually comes out as: we recognise there is risk associated with these applications, but there isn’t a lot we can do about it, so we identify it as a risk and carry on.
The irony is that legacy applications, by their very nature, are often business critical. If they weren’t, they would be shut down. Instead, organisations deem the applications and their data too business critical to shut down, whilst paradoxically deciding they are too expensive to upgrade. And so we are given the phrase “Accept the Risk”.
This raises a lot of questions, starting with: on whose behalf is the organisation accepting this risk? Certainly its own, but the key question becomes the type of data that could potentially be compromised. If it is customer data or third-party data, the organisation’s acceptance of the risk is effectively a statement that it will be responsible should there be a problem. History shows this isn’t how it plays out.
At the moment for legacy applications, as an industry we tend to give a free pass to organisations who have “Accepted the Risk”, but should we? Should there not be consequences for deciding this?
Best practice for dealing with legacy applications is to isolate the workloads, limit what can access them and ultimately hope for the best. The problem with this approach is that it ignores one of the key tactics in MITRE ATT&CK®, namely Lateral Movement. Very few of the data breaches we read about don’t involve some form of lateral movement, so isolating on your network, whilst an important step, doesn’t really solve the risk of legacy applications. It is a mitigation tactic. Which is fine: not all risks can be eliminated, and we do have to accept that. The problem comes when an organisation “Accepts the Risk (but no responsibility)” and, because of this, fails to do even the basics in mitigating the accepted risk.
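The “basics” of mitigating an accepted risk on a legacy workload are a source allowlist and a check that the allowlist is actually enforced. The script below is an added illustration, not part of the original post: it reads constructed firewall flow-log lines, applies a hypothetical allowlist for a legacy segment, and separates two kinds of findings, an ALLOW from an unapproved source (the isolation control is not enforced, so the accepted risk is unmitigated) and a DENY from an unapproved source (the control worked, but something on the network tried to move laterally towards the legacy host). All addresses, ports and log lines are invented for the example.

```python
"""Allowlist check for an isolated legacy segment over flow-log lines.

Everything here (segment, allowlist, ports, log format and log lines) is
constructed for illustration and is not taken from any real environment.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical legacy segment and the only sources allowed to reach it.
LEGACY_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.5.10/32"),  # application front end (assumed)
    ipaddress.ip_network("10.10.9.0/28"),   # admin jump hosts (assumed)
]
ALLOWED_PORTS = {1521, 8443}                # services the legacy app is meant to expose (assumed)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str  # "ALLOW" or "DENY" as logged by the firewall


def parse_flow(line: str) -> Flow:
    """Parse the constructed format: '<ts> <src>:<sport> -> <dst>:<dport> <ACTION>'."""
    ts, src, _arrow, dst, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport), action)


def source_allowed(src: ipaddress.IPv4Address) -> bool:
    return any(src in net for net in ALLOWED_SOURCES)


def check_flow(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (severity, description) if the flow violates the isolation policy, else None."""
    if flow.dst not in LEGACY_SEGMENT:
        return None  # traffic to something other than the legacy segment is out of scope
    if source_allowed(flow.src) and flow.dport in ALLOWED_PORTS:
        return None  # approved source on an approved service
    reason = "source not on allowlist" if not source_allowed(flow.src) else f"port {flow.dport} not exposed"
    # ALLOW from an unapproved source: the segmentation is not actually enforced.
    # DENY from an unapproved source: the control held, but an attempt was made.
    severity = "policy-gap" if flow.action == "ALLOW" else "blocked-attempt"
    return severity, f"{flow.src} -> {flow.dst}:{flow.dport} ({reason})"


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every log line through the policy check and collect the findings."""
    findings = []
    for line in lines:
        finding = check_flow(parse_flow(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.10.5.10:51234 -> 10.20.0.15:1521 ALLOW",  # front end, approved
    "2024-05-01T10:00:05Z 10.10.9.3:44000 -> 10.20.0.15:8443 ALLOW",   # jump host, approved
    "2024-05-01T10:01:12Z 10.10.7.22:40123 -> 10.20.0.15:1521 ALLOW",  # workstation reached the legacy DB
    "2024-05-01T10:01:30Z 10.10.7.22:40124 -> 10.20.0.16:445 DENY",    # same workstation, blocked
    "2024-05-01T10:02:00Z 10.10.5.10:51300 -> 10.30.0.8:443 ALLOW",    # not the legacy segment
]

if __name__ == "__main__":
    for severity, description in audit(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

Run as-is it prints one `policy-gap` line and one `blocked-attempt` line. The distinction is the point: the blocked attempt shows the isolation doing its job against lateral movement, while the policy gap shows an accepted risk that nobody has actually mitigated, which is exactly the state the post warns against.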