It's Time for Corporate Leaders to Prioritise Cybersecurity Over Comfort and Convenience

A recent breach in Nagoya has revealed (again) the illusion that maintaining outdated software is more cost-effective than upgrading to secure systems, particularly in organisations predominantly run by leaders who are comfortable with older technologies.

First Published 1st August 2023

For many executives, ideas of 'the digital future' remain stuck in the past.

3 min read  |  Reflare Research Team

Your man in Japan

Earlier this month, Paul S. Ziegler, our trusty founder and CEO of Reflare, engaged in an illuminating conversation with the Japan Times. The conversation was originally sparked by the recent ransomware attack on the Port of Nagoya, but it ultimately revealed a more profound issue.

Ziegler stressed an urgent need to revisit and revamp corporate attitudes and culture surrounding cybersecurity. He identified Japan's transition from a catastrophic to a moderate player on the world's cybersecurity stage, yet he also highlighted an undeniable issue that pervades its corporate culture: an aversion to change.

This cultural legacy is not confined to Japan, but is symptomatic of a larger, global phenomenon.

The digital divide

In this vein, a clear divide exists within the realm of IT and cybersecurity, bifurcating into the digital natives and the digital immigrants. Digital natives, those who grew up alongside the Internet, perceive cybersecurity as an inherent part of their professional lives, understanding the value of regular system updates and the danger of using outdated technology.

In contrast, the digital immigrants, already in the midst of their careers during the internet revolution, often struggle to adapt to the continual technological evolution. This discrepancy can lead to weaknesses in a company's digital defences, exposing it to potential cyber threats.

One such global issue that exacerbates this divide is the extensive use of legacy software across corporations.

This problem isn't exclusive to Japan but is prevalent around the world. The tension between maintaining familiar, albeit antiquated, systems and updating to the latest secure technologies presents a profound dilemma for many corporations. It becomes a balancing act between the cost-efficiency and comfort of known technology and the critical need for risk management.

Change aversion ≠ confidence

Legacy software often becomes a preferred choice due to the perceived high costs associated with transitioning to newer, secure systems. The cost of retraining a workforce, especially when a significant proportion is composed of digital immigrants in their 60s, can seem prohibitive. As a result, an illusion often prevails: that the risk posed by a cyber attack is lower than the cost of retraining.

This illusion is especially pervasive in organisations where seniority is highly valued, as is the case with a workforce mainly composed of people in their 60s who are more familiar with systems like Windows Vista than more secure alternatives.

History never repeats (...cough)

This stance, however, has been repeatedly challenged by high-profile cybersecurity breaches. The infamous Equifax breach in 2017 serves as a stark reminder of the perils of relying on outdated software. Equifax, a US-based credit reporting agency, fell prey to one of the most significant data breaches in history due to its reliance on legacy systems. The company's failure to patch a known vulnerability in Apache Struts, a popular open-source framework for Java-based web applications, led to the exposure of nearly 147 million people's personal data. This monumental breach not only led to a $575 million settlement but also caused irreparable reputational damage and led to the resignation of its CEO.

Several other major corporations, including Yahoo, Marriott, and the UK’s National Health Service (NHS), have also suffered from cyber attacks due to outdated systems. The 2013 Yahoo data breach affected nearly three billion user accounts, marking it as one of the largest data breaches in history. Marriott experienced a similar breach in 2018, exposing the personal information of up to 500 million customers. In both these cases, the use of legacy systems played a significant role. The NHS, too, fell victim to the 2017 WannaCry ransomware attack, causing widespread disruption to health services across the UK. The attack was particularly successful because the NHS was extensively using Windows XP, an outdated and unsupported operating system.

These incidents underline the necessity for change. According to the 2021 "Cost of a Data Breach Report" by IBM Security, the average total cost of a data breach was $4.24 million, marking it as the highest in 17 years. This staggering statistic shatters the notion that the cost of retraining exceeds the risk of a cyber attack.

Just do it

For Ziegler, the only solution is for companies to 'leapfrog' digitalisation, moving from outdated systems like floppy disks to secure transmission systems. This leap is not merely a matter of choice, but a necessity for survival. Additionally, a reconsideration of age-oriented hierarchies within organisations is critical. The new generation, adept in IT and cybersecurity, should be allowed to lead the way.

To address these issues, a paradigm shift is needed. Companies worldwide must prioritise IT and cybersecurity expertise over seniority and familiarity. They must invest in retraining their workforce, regardless of age. For this change to occur, a revamp of the corporate culture surrounding cybersecurity is crucial. A corporate environment should be created where every individual, irrespective of their position or age, understands the importance of cybersecurity. Training should be viewed as fundamental to the company's safety and long-term sustainability, not as a burdensome cost.

The generational divide in IT and cybersecurity is a global issue that demands immediate attention. We require a workforce that is not only experienced but also well-versed in the latest secure technologies. Addressing this challenge requires a radical change in corporate culture and attitudes towards cybersecurity, with the first step being the understanding that the cost of ignoring cybersecurity far outweighs the cost of retraining. The future of our digital world depends on it.
