Patching Old Systems
The Cost, Challenges, and Necessity
Businesses constantly battle to keep their systems secure, functional, and efficient. As technology evolves, so do the challenges, and maintaining and updating legacy systems is one of them. While crucial for security and stability, patching old systems is often seen as a cost driver that delivers little immediate business value, because it pulls time and resources away from the day-to-day work of the business units.
But neglecting updates exposes the business to far greater risks, including security breaches and operational failures. In this blog, we’ll explore why patching old systems deserves a place in every budget cycle. We will also discuss the challenges businesses face in doing so. Additionally, we will provide strategies to manage the process more effectively.
High Cost – No Value?
Legacy systems often represent “technical debt”: outdated software operating on old hardware that still performs critical business functions. When the software is no longer supported by its vendor, it has reached “End-of-Life” (EoL). No support contracts are available, and if functionality breaks, the company’s own IT department must handle the situation.
I remember a large oil and gas company that ran SAP R/2 for its Canadian operation many years after SAP’s EoL announcement. They had to keep their knowledgeable developers for the application and sometimes sourced spare parts for their (ancient) mainframe from eBay. OK, the business process of drilling and pumping oil hasn’t changed much over the years. However, to mitigate the risk of a complete system failure beyond a point of no return, a completely new implementation project would be required, as there is no simple upgrade path available.
Cost without Immediate Value
Patching or upgrading old systems is a resource-intensive process. It involves identifying vulnerabilities, developing or acquiring patches via support contracts, testing them thoroughly, and deploying them across the landscape. Unlike implementing new application features, upgrading does not immediately enhance the business’s capabilities or sell more products. Instead, it often feels like an expense that maintains the status quo rather than driving the business unit forward.
This perception among business leaders makes it difficult for IT departments to secure the necessary budget and resources. Typically, business leaders prioritize projects that offer visible returns on innovation, such as new product launches or customer-facing initiatives. However, this short-sighted approach can lead to far greater costs in the future.
The Hidden Costs of Inaction
The cost of “not patching” can be exponentially higher. Legacy systems are vulnerable to security threats because they no longer receive software updates from their vendors, so known weaknesses are never fixed. Cybercriminals know this and actively target outdated systems to exploit those weaknesses.
We all know that a successful cyberattack results in data breaches, financial loss, reputational damage, and even regulatory penalties. The costs, ranging from legal fees to lost business, can far exceed the investment required to keep systems up-to-date.
Resource Allocation and Testing
Any software upgrade of a business application, old or new, requires thorough testing. When updates are applied, they mustn’t inadvertently disrupt existing functionality or introduce new issues. If test scenarios are not automated, testing is always a burden for the business units, because it falls on business users and IT staff. Business leaders are pulled away from their primary responsibilities to confirm that the application works as before.
Often, there is a lack of standardized testing processes for software systems, and for legacy systems in particular. Old systems may have been customized over the years with little documentation or formalized testing procedures. If those developers are no longer available, only ad-hoc testing remains to catch errors and malfunctions.
Security – Driving Force Behind Patching?
When did Windows 7 reach the end of its support life? Yes, it was January 2020. The machines still work, but Microsoft no longer provides security patches. So you can save the money it would take to patch hundreds of PCs across your company, right? Well, this approach is dead wrong. Cybersecurity threats constantly evolve, and old, unpatched systems are particularly vulnerable to attacks.
IT leaders must ensure that all entry ports to the company’s intranet are up-to-date, supported, and patched and/or upgraded in a timely manner. They should never forgo plans to upgrade on time. It is not uncommon to still run Windows 7: some estimates suggest more than 100 million PCs globally run on this unsupported operating system.
Cyber Threats
Cyber-attacks threaten outdated systems and target entire landscapes, with new methods emerging daily. Attackers use ever-increasing CPU power to launch sophisticated ransomware and phishing attacks with previously unseen techniques. While you can read about the WannaCry ransomware attack of 2017, I typically trick my students during my courses at Villanova into clicking a link with very simple means. Indeed, I’m not using sophisticated methods and tools to mimic an ‘attack.’
The pranks I launch don’t harm them; they are only for educational purposes. However, in many cases, businesses still rely on legacy systems for critical operations. A successful cyber-attack can result in data loss, operational downtime (ransomware), and/or financial penalties from regulators (healthcare or finance).
Regulatory Compliance
The General Data Protection Regulation (GDPR) impacts any company that processes and stores data in the EU, regardless of industry. Other regulations address specific data rights of individuals, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
These laws and regulations are meant to ‘encourage’ businesses to implement specific security measures to protect sensitive data.
Failure to comply with these regulations can result in significant legal and financial penalties. Under GDPR, businesses can be fined up to 4% of their global annual revenue for serious data breaches. These penalties, combined with the potential for reputational damage, make it imperative for businesses to prioritize the security of their systems.
A Proactive Approach to Security
To mitigate the risks associated with IT systems, businesses (and IT leaders) must be proactive: implement regular security updates and keep all systems under support from their respective software vendors. Waiting five years to address vulnerabilities is a very short-sighted way to save money. Security updates and operating system upgrades must be established and communicated as an ongoing process throughout the calendar year.
By keeping IT systems current, you give cyber-attackers fewer chances to succeed.
Strategies for Managing the Patching Process
Given the challenges and importance of patching IT systems, effective strategies for managing the process are needed. The problem I saw with many clients is that patching and upgrading is like an insurance policy: you pay your premium every year, and in the absence of any ‘insurance case’, its enterprise value isn’t always apparent to everybody. Arguing with hypothetical costs of system-down situations is indeed tricky. However, one question always drives an answer: which business unit pays for a system-down situation that costs the company a lot of money? Here are some tangible actions to establish ‘patch awareness.’
1. Establish a Patch Management Policy
A formal patch management policy outlines how patches are identified, tested, and deployed. It also defines roles and responsibilities, ensuring that IT and business units understand the necessity and their obligations.
Preferably, a quality system that records which patches were applied, the test results, and any issues encountered also supports compliance and audits.
2. Prioritizing Patches Based on Risk
Patches that address critical vulnerabilities, which pose an immediate risk, must be prioritized for immediate testing and deployment.
3. Automating the Testing and Deployment Process
One of the most effective ways to stay up-to-date is automated testing and deployment of patches. Automated testing frameworks can simulate complete end-to-end business processes and ensure that software updates do not introduce new issues or disrupt existing functionality. Automated deployment tools ensure that software updates are rolled out consistently across the organization.
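As an added illustration of points 2 and 3 above (example code written for this post, not part of the original), here is a small Python scheduler that separates hosts whose operating system is past vendor end-of-life (the Windows 7 case from the post: no patches exist, so an upgrade project is the only action) from hosts that can still be patched, and orders the pending patches by a risk score that weights internet-exposed and business-critical hosts higher. The host inventory, patch identifiers, weights, and “ExampleOS” are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Vendor end-of-support dates; only the Windows 7 date (January 14, 2020) is real.
EOL_DATES = {"Windows 7": date(2020, 1, 14)}

@dataclass(frozen=True)
class Host:
    name: str
    os: str
    internet_exposed: bool   # reachable from outside the intranet (an "entry port")
    business_critical: bool  # runs a critical business process

@dataclass(frozen=True)
class Patch:
    host: str
    patch_id: str            # constructed vendor patch identifier
    severity: str            # vendor rating: critical / high / medium / low

def is_end_of_life(host, today):
    """True when the vendor no longer supports the OS, i.e. no patches exist at all."""
    eol = EOL_DATES.get(host.os)
    return eol is not None and today >= eol

def patch_score(patch, host):
    """Risk score: vendor severity, weighted up for exposed and business-critical hosts."""
    score = SEVERITY_WEIGHT[patch.severity]
    if host.internet_exposed:
        score *= 3   # entry ports to the intranet go first
    if host.business_critical:
        score *= 2   # a system-down here costs the company the most
    return score

def build_plan(hosts, patches, today=None):
    """EoL hosts get an upgrade action (there is nothing to patch); the rest get
    their pending patches ordered by descending risk score."""
    today = today or date.today()
    by_name = {h.name: h for h in hosts}
    plan = [("upgrade", h.name, "no vendor support") for h in hosts if is_end_of_life(h, today)]
    pending = [p for p in patches if not is_end_of_life(by_name[p.host], today)]
    pending.sort(key=lambda p: patch_score(p, by_name[p.host]), reverse=True)
    return plan + [("patch", p.host, p.patch_id) for p in pending]

# Constructed sample landscape (not from the post); "ExampleOS" is a placeholder OS name.
SAMPLE_HOSTS = [Host("hr-pc-01", "Windows 7", False, False),
                Host("web-01", "ExampleOS 6", True, True),
                Host("erp-01", "ExampleOS 6", False, True)]
SAMPLE_PATCHES = [Patch("web-01", "PATCH-001", "high"), Patch("erp-01", "PATCH-002", "critical"),
                  Patch("hr-pc-01", "PATCH-003", "critical")]
```

Running `build_plan(SAMPLE_HOSTS, SAMPLE_PATCHES)` lists the Windows 7 PC as an upgrade item first, then the exposed web server’s high-severity patch ahead of the internal ERP server’s critical one, because exposure and criticality multiply the base severity.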
Conclusion: The Necessity of Patching Old Systems
Patching old systems may be expensive, time-consuming, and seemingly thankless, with no visible business value to its users. However, it is an essential task for any organization that relies on technology. The risks of neglecting system updates are far too great to ignore. Security breaches and operational failures can result in system-down situations, causing unplanned costs and dissatisfied bosses and customers.
A structured patch management strategy prioritizes updates based on risk levels and leverages automation for fast deployment.
One last thought: the company’s employees represent the Human Firewall. Therefore, continuous cyber security awareness training must be at the forefront to protect the company’s entry doors from threats that can’t always be managed with technology. Every individual working inside the company’s firewalls must be aware of the daily risks that arrive through social engineering or phishing attempts.