Legacy IT software is costing the taxpayer, it’s damaging the security of public services infrastructure and it’s bad for the environment—something governments drastically need to address in the next 10 years if we’re to stop the earth’s temperature from rising by 1.5 degrees. These are just a few of the reasons why the public sector must stop relying on legacy hardware systems now to survive constant cyberattacks.
In the UK, the Hackney London Borough Council fell victim to a brutal ransomware attack that targeted its legacy IT system; almost one year later and it is still reeling from the effects. But this is not just a UK problem—every sector around the world is being targeted by cybercriminals hoping to get their hands on the large volumes of sensitive data. Cybercrime has become so common in the U.S., in fact, that the National Institute of Standards and Technology (NIST) has decided to collaborate with industry and other partners in an attempt to fight back. For the public sector, in particular, moving away from legacy hardware systems is imperative to fighting cybercrime and ensuring data security.
What are legacy IT systems and are they disappearing?
Legacy IT refers to any software, hardware or related process that is outdated, unsafe and no longer fit-for-purpose. One reason systems are considered ‘legacy’ may be because updates and support from the vendor or supplier are no longer available. And unfortunately, these systems are still incredibly common and widely used.
The Government Accounting Office (GAO) in the United States analyzed 65 federal legacy systems and revealed the 10 most critical systems were eight to 51 years old. In response, the U.S. government plans to spend over $100 billion this year on IT; most of that will go toward maintaining those older systems.
What governments should be doing is migrating away from these outdated systems.
Legacy IT systems are not safe. Software updates, such as identifying and sealing back doors hackers can exploit, are essential for data security. A report from Cato Networks revealed that cyberattacks exploiting vulnerabilities in unpatched legacy systems may be a bigger risk to the average organization than novel zero-days attacks. The report showed that gaps in legacy hardware and software are commonly targeted by cybercriminals looking to gain easy access to systems. And without security patching updates, which legacy IT often cannot accomplish, governments leave themselves vulnerable to attack.
Accenture’s 2020 report, The green behind the cloud, made a case for companies migrating to the cloud to reduce their carbon footprint. In fact, they said “Migrations to the public cloud can reduce CO2 emissions by 59 million tons per year which equates to taking 22 million cars off the road. With environmental, social and corporate governance (ESG) becoming pivotal to business success and also brand image, moving away from legacy systems that use more energy to run—and, therefore, contribute to generating more CO2—must also be a priority.
On June 8, 2021, over one million young people in the UK booked COVID-19 vaccinations through the National Health Service (NHS) website’s online booking service. With more services being offered online as the NHS and other public sector services undergo digital transformations, being able to quickly and efficiently scale to allow such extreme increases and decreases in traffic is not just imperative for the service, but for those whose lives are directly affected. Legacy IT systems often cannot handle the bandwidth required for such a service, nor can they quickly change to add new or remove old services and products.
A recent report from the UK Cabinet Office, called Organising for Digital Delivery, warns that the UK government could end up spending between £13 billion and £22 billion over the next five years on legacy systems. It is already spending £2.3 billion on patching systems—half of its total IT budget.
The UK government is not adequately monitoring the performance of computer systems, a shortcoming identified by another recent Cabinet Office report. In fact, the performance management system they put in place in 2012 is now obsolete and vulnerable to a cyberattack. This puts the UK population’s sensitive information at risk, but also means those working in government are being forced to use IT systems that cannot reliably deliver services, and are therefore not fit-for-purpose.
What’s Next for the Public Sector?
The vast amount of data and documents that currently exist creates an obvious aversion and fear in organizations when it comes to migrating to the cloud. However, choosing cloud over on-premises hosting is the safest and cheapest option in the long run. To move away from legacy IT systems, the public sector must focus on filling its digital skills gap immediately and efficiently; rather than replacing unskilled workers they should focus on retraining them with the skills they need to move their systems forward. Focusing on migrating to the cloud while retraining staff will be more cost-effective to governments and tax-paying residents. Any issues holding back such digital transformation—whether from fear or simply an unwillingness to change—must be identified and rectified now.
The security risks the public sector is leaving itself open to by continuing to use legacy IT systems is vast and opens countries up to potentially economy-crippling cyberattacks. Increased security in a cloud environment can help assuage those worries—although training staff on how to identify cyberattacks and use digital technology is a must for that migration and secure ecosystem to truly work.