Learn about legacy system cybersecurity risks for your enterprise resource planning systems and what you can do to protect against those risks.
In brief:
- A lack of vendor support, missing security patches, and outdated defenses increase your legacy system cybersecurity risks.
- Weak access controls turn every login into a risk when systems lack multifactor authentication, role-based permissions, or modern single sign-on protocols.
- Legacy systems can’t detect suspicious logins, flag data theft attempts, or alert you when attackers are downloading your sensitive information.
- Integration gaps force you into insecure workarounds because older systems can’t connect safely to modern cloud services or use secure application programming interfaces (APIs).
- Protect yourself now with network segmentation, user access reviews, and risk assessments while planning your long-term migration to modern, cloud-based solutions.
Your legacy ERP system creates vulnerabilities that could put your company’s and your customers’ data at risk.
Attackers have already cracked many older security mechanisms, which makes your legacy system an attractive target for anyone looking for an easy way past your defenses. While your legacy ERP may still be plugging along and relatively issue-free, it’s a blessing and a curse: its troves of sensitive information, combined with security faults, may bring more downsides than benefits to your organization.
The reality is stark. Each legacy system in your environment represents a potential entry point that cybercriminals understand better than your own security team. They’ve had years to study these older platforms, map their weaknesses, and develop attack strategies specifically designed to exploit outdated defenses.
But here’s the good news: By understanding the cyber risks that legacy ERPs present and how to reduce them, you can continue using an older solution to power your organization while dramatically improving your security posture. The key is knowing where you’re vulnerable and acting immediately to close those gaps.
Why Companies Hang On to Outdated Systems Despite Real-World Consequences
Many companies have already fallen victim to attacks on legacy ERPs, and unless your organization acts now, it can be the next target.
For example, Oracle E-Business Suite (Oracle EBS), a legacy ERP system, was compromised by attackers who exploited a critical flaw in the software’s Web Applications Desktop Integrator. The flaw allowed remote code execution over HTTP, and it could be triggered without authentication, making it a vulnerability that almost any attacker could attempt to exploit.
The good news is that Oracle addressed and fixed this vulnerability in January 2023. The bad news is that if your organization still uses an outdated version of Oracle EBS, you may be putting sensitive information and systems at risk.
This is only one example. While there’s no shortage of legacy system cybersecurity risks, many companies are either unaware of the risk or willing to take their chances. But why?
Here are some reasons companies hang on despite the dangers that legacy ERP software presents:
- It’s costly to replace an older ERP. The costs may start with the software itself, but they don’t stop there. The expenses associated with implementation, data transformation, and cleaning and moving data from the old to the new system add up quickly.
- “If it ain’t broke, don’t fix it.” Many people think since their company hasn’t experienced a damaging attack — and the legacy system still performs well — there’s no reason to replace or upgrade it.
- Migration can disrupt operations. Even when you’ve outgrown your ERP, you may not want to risk disrupting your operations in the short term while migrating to a new system. You could also face long-term consequences of changing ERP solutions. For example, employees may struggle to adapt to the new system, resulting in significant productivity issues. Or the system may not integrate with that of another business unit or a future merger or acquisition target.
Our NetSuite and Oracle solutions lead, Kevin Corder, says additional reasons we’ve seen clients resist an update include employee knowledge of the system, unique customizations built for current business processes and skepticism about whether they would work in a more modern ERP, and a lack of vision within an organization of what it could be with a more modern ERP.
Despite the considerable cost of replacing your legacy ERP and the disruption that comes with migration, it’s still important to carefully assess the risks that a legacy system may introduce. In some cases, a legacy ERP may be the weakest link in your ecosystem.
Your Legacy ERP Might Be Your Biggest Cybersecurity Vulnerability
Legacy system cybersecurity risks can be sobering, especially considering the central role ERPs often play in an organization. Here are some of the biggest cybersecurity risks that your legacy ERP poses:
No Longer Supported by Vendors
Lack of vendor support is one of the most critical vulnerabilities because after a legacy system has reached its end of life, the vendor may no longer provide:
- Security patches for newly discovered vulnerabilities
- Security updates, including enhancements designed to improve an ERP’s defenses against attackers
- Technical support, without which you may be on your own if you experience a security incident
You should also consider outdated — or missing — regulatory compliance controls. Regulatory controls are typically integrated into modern systems, and they’re regularly updated as compliance requirements change. But older systems may have outdated controls or lack them altogether. This could put your organization’s finances and reputation at risk.
Weak Access Controls
Many legacy systems were designed before the introduction of advanced access and identity management services and tools. For instance, a legacy system may lack:
- Multifactor Authentication (MFA): Without MFA, a legacy system may be penetrable with just a username and password.
- Role-Based Access Controls (RBAC): Modern systems let you grant granular access tied to specific job roles. Legacy systems may not provide RBAC, so anyone with valid credentials could reach every part of the ERP, including areas they have no business need to work in.
- Modern Single Sign-On (SSO) Protocols: A legacy system may make it difficult — or impossible — to use SSO protocols. As a result, you may be stuck with less secure, time-consuming, and siloed access controls.
Poor Visibility
Often, legacy systems don’t have deep logging and monitoring capabilities, which means you may have no idea who’s accessing which facets of your ERP, where they’re accessing it from, or what they’re doing while inside.
For example, with a legacy ERP, an attacker can steal or purchase login credentials and connect from halfway across the world without even using a virtual private network (VPN). You may be completely unaware that someone with a suspicious IP address is connecting to your system.
The same attacker could start bulk-downloading sensitive information to a remote server, and you wouldn’t get an alert flagging the data exfiltration.
Perhaps one of the biggest vulnerabilities some legacy ERPs present is that they don’t give you visibility into suspicious login activity. Someone can try logging in repeatedly, many times over a few minutes. Unfortunately, a legacy system may not issue an alert, automatically block subsequent login attempts, or force them to wait between attempts like a modern system would.
This presents a tangible security risk because it leaves the door open to brute-force attacks, in which an attacker tries one username and password combination after another until one finally works.
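One compensating control for the visibility gaps described above is to export the ERP’s authentication log and run your own detection over it, so that failure bursts and logins from outside your network get flagged even though the ERP itself stays silent. The following Python script is an added example, not code from the original article or from any ERP vendor; the log line format, the five-failures-in-five-minutes threshold and the trusted address ranges are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real ERP): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-03-04T09:00:01 LOGIN_FAIL user=jdoe ip=203.0.113.7
2024-03-04T09:00:09 LOGIN_FAIL user=jdoe ip=203.0.113.7
2024-03-04T09:00:15 LOGIN_FAIL user=jdoe ip=203.0.113.7
2024-03-04T09:00:21 LOGIN_FAIL user=jdoe ip=203.0.113.7
2024-03-04T09:00:30 LOGIN_FAIL user=jdoe ip=203.0.113.7
2024-03-04T09:00:41 LOGIN_OK user=jdoe ip=203.0.113.7
2024-03-04T09:12:00 LOGIN_OK user=asmith ip=10.20.30.40
"""
# Assumed line format; adapt the pattern to your ERP's real authentication log.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
# Assumed internal address ranges; a successful login from anywhere else gets flagged.
TRUSTED_PREFIXES = ("10.", "192.168.")

def parse(log_text):
    """Yield (timestamp, event, user, ip) tuples for lines that match the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["ip"]

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for failure bursts, successes after a burst and external successes."""
    alerts = []
    recent_fails = defaultdict(deque)  # user -> timestamps of failures inside the window
    flagged = set()                    # users already reported for a burst
    for ts, event, user, ip in parse(log_text):
        if event == "LOGIN_FAIL":
            q = recent_fails[user]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the sliding window
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append(("BRUTE_FORCE", user, ip))
        elif event == "LOGIN_OK":
            if user in flagged:  # a success right after a burst of failures deserves review
                alerts.append(("SUCCESS_AFTER_BURST", user, ip))
            if not ip.startswith(TRUSTED_PREFIXES):
                alerts.append(("EXTERNAL_LOGIN", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feeding the script a scheduled export (or forwarding the log to a SIEM with the same rules) gives you the lockout-style alerting the legacy ERP lacks, without changing the ERP itself.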
Integration Gaps
Legacy ERPs often make it difficult to integrate with other systems, especially when compared to modern, cloud-based solutions. As a result, a legacy ERP may lead to:
- Insecure Connections: Without modern application programming interface (API) capabilities, a legacy ERP may force you to use insecure data-sharing methods.
- Older, Easily Hacked APIs: If a legacy ERP uses APIs, they may not come with the security features of modern APIs, making them easy targets for attackers.
- Cloud Incompatibility: It can be extremely difficult — or impossible — to connect a legacy ERP to cloud services directly. This means you can’t protect your data using cloud security features like advanced encryption or microsegmentation.
High Customization, Low Flexibility
Many legacy ERP systems have had to be customized to meet a business’s needs. This makes them an excellent fit for operations but can introduce security issues, such as:
- Hard-Coded Workarounds: An internal development team may program workarounds into a legacy ERP, but this could introduce backdoors that attackers could use to penetrate your system.
- Undocumented Customizations: Some customizations lack adequate documentation, making it difficult for security teams to identify the risks they could pose.
- Time-Consuming Fixes: If a security fix in a highly customized legacy ERP is possible, it may take many hours to comb through complex code and write fresh code that eliminates each vulnerability.
Even a legacy ERP that functions well may not have been designed for the modern cyberthreat landscape. Attackers have new methods that already take legacy security tools into account. Additionally, modern defense systems often employ a highly integrated approach that may not be compatible with a legacy system. This results in the vulnerabilities above and more.
But you can take steps to mitigate the weaknesses that legacy ERPs introduce.
What You Can Do Now About Legacy System Cybersecurity Risks
You can reduce your risks by taking the steps outlined below without compromising operations. Keep in mind that in many situations, migrating to a different ERP — or a cloud version of a current solution — is the best way to improve security, whether now or in the long run.
Here’s a breakdown of what you can do, divided into short- and long-term steps:
Short-Term, Immediate Actions
In the following days and weeks, you can do a lot to reduce the risk a legacy ERP exposes you to.
- Perform a risk assessment. Your risk assessment identifies the most important legacy ERP software, the data that flows through it, and its vulnerabilities. You should consider configuration issues, access controls, and all points of integration, which are some of the most common attack surfaces.
- Use network segmentation. By isolating your ERP systems from the rest of your network, you can prevent threat actors who breach another system from reaching the ERP, and stop them from moving laterally through your infrastructure if the ERP itself is compromised. Set up firewalls with strict access and traffic rules; for example, a firewall can be configured to allow only specific IP addresses or subnets to reach the ERP.
- Control user access. Take some time to review every account that has access to your legacy ERP and remove anyone who doesn’t absolutely need it to perform their job. In this way, you shrink your attack surface and narrow the pool of potential internal threats.
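The account review step above is easier to repeat every quarter if it is scripted against the ERP’s user export rather than done by eye. This Python example is added here and is not part of the original article; the export columns, the 90-day dormancy cutoff and the mapping of privileged roles to the departments allowed to hold them are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample user export (not real data): user, role, department, last login.
ACCOUNTS = [
    {"user": "jdoe",    "role": "AP_CLERK",    "dept": "Finance", "last_login": "2024-02-28"},
    {"user": "asmith",  "role": "SYSADMIN",    "dept": "IT",      "last_login": "2024-03-01"},
    {"user": "bjones",  "role": "SYSADMIN",    "dept": "Sales",   "last_login": "2023-09-14"},
    {"user": "svc_edi", "role": "INTEGRATION", "dept": "IT",      "last_login": "2024-03-03"},
    {"user": "temp01",  "role": "GL_POSTER",   "dept": "Finance", "last_login": None},
]
# Assumed policy: which departments may hold each privileged role.
PRIVILEGED_ROLE_OWNERS = {"SYSADMIN": {"IT"}, "INTEGRATION": {"IT"}}

def review(accounts, today, dormant_days=90):
    """Return (user, reason) pairs for accounts that should be removed or re-justified."""
    cutoff = date.fromisoformat(today) - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        last = acct["last_login"]
        if last is None:
            findings.append((acct["user"], "never logged in"))
        elif date.fromisoformat(last) < cutoff:
            findings.append((acct["user"], f"dormant > {dormant_days} days"))
        # Privileged roles held outside the owning department are the classic access-creep finding.
        owners = PRIVILEGED_ROLE_OWNERS.get(acct["role"])
        if owners is not None and acct["dept"] not in owners:
            findings.append((acct["user"], f"{acct['role']} outside {'/'.join(sorted(owners))}"))
    return findings

if __name__ == "__main__":
    for user, reason in review(ACCOUNTS, "2024-03-04"):
        print(f"{user}: {reason}")
```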
Long-Term Strategic Planning
By taking a forward-looking approach, you can build a more sustainable ERP system that minimizes your attack surface:
- Conduct an ERP needs assessment. Use this assessment as part of your software selection process when deciding on the best ERP for your business needs and processes.
- Build a detailed plan for modernizing your ERP. This involves deciding which cloud-based ERP to migrate to, when to do so, and which resources you’ll need. It’s best to choose one that’s scalable and flexible. In some cases, your legacy ERP may offer a more modern, cloud-powered option and migration tools to make the transition easier.
- Consider hybrid approaches. It may be best to scaffold your migration by transitioning some systems now and others later on. For instance, you can identify a few critical systems and migrate them to cloud environments to leverage their security features. You can then keep some less-critical systems on-premises and decide the best time to migrate them based on resource availability.
- Partner with ERP cybersecurity and migration experts. Engaging with cybersecurity and ERP migration experts saves time and sets the stage for a smooth migration.
At Centric Consulting, our ERP experts can guide you through which elements of your ERP present the most urgent security threats, as well as when and how to migrate to a more secure solution. Our ERP and cybersecurity professionals understand how to help you maintain agility and enable long-term scalability, which can help you choose a system that lasts for years. Contact us