The strategic imperative: Decommissioning legacy systems for better cybersecurity

02-07-2024 | 7 min read | Cybersecurity, Decommissioning of Legacy Systems, Enterprise Legacy System Application (ELSA)

Authors: Laura Parri Royo, Marketing Director at TJC Group, and Audren Butery, SAP Consultant at TJC Group.

Security is at the top of the list of risk factors. Organisations with legacy systems left unchecked can be particularly vulnerable to attacks from hackers and cybercriminals, but that’s not all. This article illustrates a real-life example of a US company whose legacy systems were at the epicentre of the ransomware. At a time when many current SAP ECC users are evaluating the optimal migration path to SAP S/4 HANA, organisations may be tempted to ‘do nothing’ with their legacy ERP. But aside from the security risks, there are many other good reasons to invest in legacy systems decommissioning with experts.

Keeping up with patches and system updates is a real challenge for IT professionals, as reported by SAPinsider Cybersecurity Report 2023. Unfortunately, this is the bread and butter for IT security teams working on SAP systems; the list of SAP vulnerabilities to keep a close eye on is long. TJC Group CISO wrote about it in this article: SAP vulnerabilities and why it is not safe to keep legacy data in an old SAP system.

Figure 1 SAP vulnerabilities, CVE. Source: CVE details.

For those organisations migrating to SAP S/4HANA, SAP will end maintenance by 2027 – 2025 for those on EPH5. Beware unpatched systems are one of the biggest challenges organizations face in securing their SAP systems, as per SAPinsider Cybersecurity report from 2023. Hence, the end of maintenance of SAP legacy systems and/or the lack of patching has become a security concern.

This leaves SAP and its ECC customers in a challenging position. SAP might delay the end of maintenance dates again, but if this is the case, they will wait for as long as possible. That’s why our advice is to come up with a plan to handle legacy systems and historical data in the most cost-effective and compliant way. Contact us if you have any questions.

Firstly, let’s consider the security implications of leaving legacy systems running indefinitely. We touched on the vulnerability risks already. Legacy systems are much more prone to data security breaches because they may no longer receive updates and patches from vendors. Even if a vendor is still offering maintenance updates, perhaps the user organization has stopped implementing them – another common mistake – maybe because they no longer have the right skills in-house or simply because the new systems get all the attention. This practice leaves critical data highly exposed to cyber threats and is one of the most common ways hackers can breach a company firewall.

Data breaches are currently one of the fastest-growing targets for hackers. According to MIT expert Professor Stuart Madnick, “data breaches continue to increase year-on-year and a 20% increase in data breaches from 2022 to 2023 was measured”. As part of this study conducted by Harvard Business Review, it was identified that one of the most popular ways for hackers to gain access is via security gaps in vendor systems and especially the legacy ones.

In addition to the security implications, there are compliance considerations when legacy systems are left unchecked too. These are just as critical. Keeping outdated systems running instead of decommissioning them can lead to non-compliance with modern regulatory standards like GDPR, leaving an organisation exposed to receiving a multi-million Euro penalty fine and legal challenges from regulators. We have written about the serious financial risks of GDPR fines in the past.

Let’s consider the costs, because an article exploring the consequences of not decommissioning legacy systems would be incomplete without considering the cost efficiency implications. We are in the midst of an IT skills shortage and one that experts are predicting will continue to intensify. According to IDC, the growing IT skills shortage is impacting organisations in all industries and across all regions. Nearly two-thirds of executives surveyed for a recent research report said that a lack of skills has resulted in missed revenue growth objectives, quality problems, and a general decline in customer satisfaction. IDC predicts that by 2026, more than 90% of organisations worldwide will feel the pain of the IT skills crisis, amounting to some $5.5 trillion in losses.

It is difficult to employ and retain good IT professionals at the best of times and when their skillsets are more specialised, the situation becomes more problematic. Many legacy systems are dependent on a small pool of IT experts within an organisation to maintain them, posing a risk if these resources become unavailable. Rather than tie up essential IT budgets with legacy skillsets, decommissioning old systems or applications allows IT resources to be reallocated towards more strategic projects that will positively contribute to driving business growth and innovation.

The other very important factor to weigh up is the environmental cost (and waste) of powering legacy systems unnecessarily. It is well known that data centres have become the single biggest consumer of electricity in the world today and as the volume of data being stored keeps rising, so do power consumption levels. Keeping legacy systems going when they could be decommissioned wastes a great deal of power and at a time when companies everywhere are under pressure to reduce their carbon footprints, this could be an easy win. We have written about the carbon positive impact of data volume management in the past.

Having illustrated the importance of decommissioning legacy systems, what steps can IT professionals take to make the process of safely removing them as straightforward as possible? One of the foundational objections made within an organisation considering legacy system decommissioning relates to ‘what happens if we need the data again?’ This concern is understandable, especially given the requirement for organisations in some industries to retain historical records for tax, audit or compliance purposes. Thankfully there are dedicated solutions available to enable this, including ELSA from TJC Group.

The following article sheds some light on how to retire an old system, from sunsetting to decommissioning:

ELSA (Enterprise Legacy System Application), is a unique, SAP certified solution that makes accessing any SAP and non-SAP legacy systems that are no longer required for day-to-day business transactions as simple as possible. Developed exclusively by TJC to overcome decommissioning challenges when migrating to S/4 HANA or any other ERP, it can be delivered on premise through SAP Business Technology Platform or as a SaaS.

ELSA works by giving end users easy access to legacy data, documents, and historical transactions after an old ERP system has been shut down. Allowing end users to gain direct access is significant because it ensures that IT departments are not responsible for facilitating access to legacy data, a waste of IT resource time.

The solution is powerful enough to decommission 100% of legacy systems within an organisation – from a single ERP database to hundreds of apps – and can maintain full traceability logs to ensure future compliance with local tax laws and data privacy regulations including data privacy laws. ELSA can also be integrated with automated data archiving solutions, to ensure that full information lifecycle management is implemented, ensuring that your organisation can get data volume growth permanently under control for the long term.

Investing in the decommissioning of legacy systems is an important strategic activity for every large organisation. It mitigates security and compliance risks and reduces costs and carbon footprint. Fortunately, cutting-edge technology is now readily available to tackle the problem. Consider the benefits to your organisation and talk to the experts about the next steps.

Sources of information