Major risks of having an outdated cybersecurity business model

The need for cybersecurity is one thing that almost everyone agrees on. You need firewalls, anti-malware programs, cryptography, and good password hygiene to withstand criminal threats.


This is a guest article written by Jori Hamilton. The author’s views are entirely her own and may not reflect the views of IT Governance USA.


Agreeing on cybersecurity’s necessity and implementing appropriate measures, however, are two different things.

Too many organizations are still using woefully outdated systems and processes and calling it ‘security’ – and these aren’t just small businesses with limited funds.

In 2017, U.S. federal agencies reported 35,277 cyber incidents. That’s no surprise: The federal government is a valuable target. But Washington is also still using a 48-year-old system, which fails even the most basic cybersecurity tests.

From simple errors to highly sophisticated attacks exploiting artificial intelligence, cybersecurity demands an up-to-date business model for everyone – whether you think you’re a target or not.

Small fish need cybersecurity, too

Many small organizations believe they aren’t valuable targets for cyber criminals. But the size of their bank accounts or data centers isn’t important.

It’s the combination of weak defenses and access to bigger targets (customers or partners) that makes small companies attractive to attackers.

Think back to the Target data breach of 2014: From a consumer standpoint, it was a standalone incident. But although Target ultimately took the blame, the criminal hackers behind the attack didn’t start by trying to breach Target’s firewall.

Instead, they went after a third-party vendor – an HVAC company – and used stolen credentials to get into Target’s network.

This attack subverts the traditional belief that there are some industries that crooks wouldn’t think to target. After all, what could a cyber criminal hope to get out of a heating and cooling subcontractor?

The Target attack answers the question. Even if you’re a one-person start-up or a fledgling SME, you have a duty to protect not only your own data but also that of your customers, partners, and vendors.

Updating old systems needs to be a priority

For some organizations, cybersecurity was once a priority but has become a fix-it-and-forget-it task. In other cases, the business is so reliant on its current systems that updating them would be painful.

It’s not uncommon. Back in 2017, the UK’s Ministry of Defence made international news when some claimed that its nuclear-deterrent submarines ran on Windows XP, a legacy operating system that was no longer being supported.

No, the UK’s nuclear arsenal doesn’t run on XP. What’s more, the submarines have no Internet connection and thus benefit from an air-gapped system.

Even so, the controversy made an important revelation: A huge number of critical systems, both in the U.S. and around the world, run on very old software. Doing so leaves them unable to keep pace with the constantly evolving nature of cybersecurity threats.

Software updates are a cybersecurity baseline, so scheduling them as required to patch security gaps is important.

If updating your software reveals inconsistencies and compatibility issues, it may be wise to take a look at your infrastructure: A holistic, compatible security system with programs that complement one another is much better at patching holes than any one update could be.

Cybersecurity infrastructure needs to include people

Cybersecurity components should complement one another to provide an airtight system. When you think about your cybersecurity strategy, you usually consider the hardware and software involved:

  • Critical infrastructure
  • IoT (Internet of Things) security
  • Network security
  • Cloud security

Do you see what’s missing? A key factor that many organizations miss is people. From the C-suite to the IT department to the front desk, everyone needs to have both an awareness and an understanding of core cybersecurity principles.

The Chubb Cyber Risk Survey for 2019 found that although 80% of respondents were either ‘somewhat’ or ‘very’ concerned about security incidents, only 31% received cybersecurity training at work.

Your organization should focus heavily on cybersecurity education for all stakeholders. That means finding the latest and best IT certifications for your internal team, providing updates and training for all staff that are relevant to their work functions, and reviewing contracts to ensure your vendors and contractors are following baseline standards.

Futureproofing your business could save it

When building a comprehensive cybersecurity program, it’s important to look forward, even if that means letting go of infrastructure you traditionally relied on.

Using outdated software that’s no longer supported is a huge red flag, and it could seriously cost your business. What’s more, up-to-date systems offer better integration, so you can build a cybersecurity infrastructure that works together rather than in a piecemeal fashion.

However, it’s just as important to remember that no matter how much you invest in software and hardware, cybersecurity has a critical human component.

Some of the most common attacks target the people who are supposed to safeguard your system. So for every dollar you invest in software, make sure you invest an equal amount in the people who need to use it.


This article was written by Jori Hamilton. Jori is an experienced writer from the Northwestern U.S.

She covers a wide range of subjects but takes a particular interest in covering topics related to cybersecurity, technology, big data analysis, and AI/machine learning. You can follow Jori on Twitter and LinkedIn.