Until some time ago, business decisions could be taken in the absence of a fundamental understanding of technology. One could afford to outsource the underpinning information security required to ensure robust data systems. Changing an accounting system or storing company data would be talked about as a ‘fait accompli’, very much like shopping at a supermarket for the best-value product – ‘not too expensive but with an acceptable degree of quality’.

I’m a technologist living in the business world and I’m often surprised by how unaware business owners are of the complexity of technology and of the risks software engineering brings with it. It is, of course, this lack of understanding that brings about a second perilous consequence: underinvestment.

Technology moves at a fast pace and much of the code that developers write today can be rendered obsolete within months, requiring frequent patching in the form of releases. Releases typically contain bug fixes as well as fixes for security vulnerabilities. A useful way of regarding technology is to visualise thousands of lines of code sitting on top of each other, written by people from all over the world, many of whom are employed by different companies. People move, companies evolve and release priorities change, leaving most software that is not mainstream prone to extensive issues and vulnerabilities. As time rolls by, the vulnerabilities become more critical and the software we’re running more obsolete. A yardstick would be 3-5 years for the technology to be considered outdated, very much in line with the GAAP rules dealing with intangible asset amortisation.

There is a common misconception that the accounting notion of ‘useful life’ is a practical way of extending software’s life. It’s not: whilst your Windows Server 2012 may still be running, Microsoft stopped supporting it in October 2023. In simple terms, the software is exposed to every security vulnerability discovered from the day after, with no patch coming. This is Microsoft we’re talking about, not some small development company.

Custom-engineered software systems are increasingly vulnerable to complex cyberattacks. Prime targets this year include the retail and services sectors, both heavily reliant on legacy accounting solutions and Enterprise Resource Planning systems (ERPs). These industries handle sensitive customer data, financial transactions and operational information, making them lucrative targets for ransomware attacks. The typical attack involves encrypting critical data, including backups, and demanding hefty ransoms to be transferred in hard-to-trace cryptocurrency. These attacks often rely on phishing, malware and social engineering to gain unauthorised access to networks.

The financial implications of such attacks are severe. Beyond the direct ransom payment, businesses face substantial costs associated with data recovery, system restoration, legal fees and reputational damage. Some businesses opt not to take the risk and simply amputate older systems. This year alone, Porsche is killing two more models because they are unable to comply with the new European Union cybersecurity regulations: the platform on which the 718 Cayman and Boxster are designed is vulnerable to cyberattacks. Porsche, notably, opted to forgo sales rather than incur the risk of a security breach.

The boardroom mindset needs to change in large businesses as well as in small companies. No business decision nowadays can be taken without keeping cybersecurity in mind. Cybersecurity needs to become an essential part of the critical thinking process, just as much as making a profit does. in operations will lead to lost revenue, decreased productivity and erosion of customer trust. System lifecycle and, if need be, replacement should be high on the investment agenda. Outdated systems are particularly vulnerable because they no longer receive critical security patches and updates. These vulnerabilities provide easy entry points for attackers to infiltrate networks, steal data and deploy ransomware. Once maliciously encrypted, critical business functions like sales, inventory management, customer relationship management and financial reporting grind to a halt.

The harsh reality is that affected businesses are left to operate with little more than pen and paper, a single attack sending operations back to the pre-information-technology age. The financial consequences for retail and service businesses can be catastrophic. In severe cases, businesses may be forced to close temporarily or permanently.

If you are starting to feel uncomfortable with the thought of information security risks in your business, I would recommend the following three points as an interim measure:


One.

Develop a proper network and technology architecture detailing all the components of your business, including every endpoint – down to the mobile phones connected to email systems and internal networks. Recording the version of every piece of software is an essential part of this documentation, as it is what allows you to judge whether the software is obsolete.


Two.

Understand key business processes and document them, so that you can see how to de-risk the business, which parts to change, and what the transition will cost and how long it will take.


Three.

If you don’t have the internal resources to execute points One and Two, or don’t trust the internal resources to get it done in time and effectively – get external help. There are ample EU and national funds for upgrading infrastructure which can help with the transition. A solid consulting firm will ensure you make the most of both time and investment.
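As an added illustration of point One (this is example code written for this article, not something from the original post or from Credence Consulting), the script below takes a software inventory of the kind point One asks for, with a version, release date and vendor end-of-support date per asset, and ranks each entry by replacement priority: past vendor support first, then anything older than the 3-5 year yardstick, then entries whose support status nobody has verified yet. The CSV layout, the five-year cut-off and all asset rows are constructed assumptions; only the Windows Server 2012 end of support (October 2023) comes from the text above.

```python
"""Inventory review: flag software that is unsupported, ageing or unverified.

Added example, not from the original post. The inventory format, the
YARDSTICK_YEARS cut-off and the sample rows are assumptions made here;
only the Windows Server 2012 end-of-support date is stated in the post.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Upper bound of the post's 3-5 year "outdated technology" yardstick (assumption)
YARDSTICK_YEARS = 5

# Fixed review date so the ranking below is reproducible
REVIEW_DATE = date(2024, 6, 1)

# Constructed inventory: every component down to the phones on the email
# system, each with a version, release date and, where the vendor publishes
# one, an end-of-support date (empty = not yet verified). Only the
# Windows Server 2012 support end (October 2023) is taken from the post.
SAMPLE_INVENTORY_CSV = """\
asset,kind,software,version,released,end_of_support
erp-01,server,Windows Server,2012,2012-09-04,2023-10-10
erp-app,server,Custom ERP module,3.2,2017-06-15,
acct-db,server,Database engine,15.2,2022-04-21,2027-04-21
pos-07,workstation,Point-of-sale OS,11,2021-10-05,
ceo-phone,mobile,Phone OS,14,2023-10-04,
"""

# Lower number = replace sooner
PRIORITY = {"unsupported": 0, "ageing": 1, "unverified": 2, "supported": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str
    software: str
    version: str
    released: date
    end_of_support: Optional[date]


def parse_inventory(csv_text: str) -> list[Asset]:
    """Read the inventory CSV; an empty end_of_support cell means unknown."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eos = row["end_of_support"].strip()
        assets.append(Asset(
            name=row["asset"],
            kind=row["kind"],
            software=row["software"],
            version=row["version"],
            released=date.fromisoformat(row["released"]),
            end_of_support=date.fromisoformat(eos) if eos else None,
        ))
    return assets


def age_in_years(asset: Asset, today: date) -> float:
    return (today - asset.released).days / 365.25


def classify(asset: Asset, today: date) -> str:
    """Return one of: unsupported, ageing, unverified, supported."""
    if asset.end_of_support is not None and asset.end_of_support <= today:
        return "unsupported"   # no more security patches: highest priority
    if age_in_years(asset, today) >= YARDSTICK_YEARS:
        return "ageing"        # still patched (or unknown) but past the yardstick
    if asset.end_of_support is None:
        return "unverified"    # vendor lifecycle not yet checked; a to-do, not a pass
    return "supported"


def review(csv_text: str, today: date) -> list[tuple[str, str, str]]:
    """Rank inventory rows by replacement priority as (asset, software, status)."""
    rows = [(a.name, f"{a.software} {a.version}", classify(a, today))
            for a in parse_inventory(csv_text)]
    return sorted(rows, key=lambda r: PRIORITY[r[2]])  # stable sort keeps CSV order within a status


def summary(csv_text: str, today: date) -> dict[str, int]:
    """Count assets per status, for the one-line figure a board pack needs."""
    counts = {status: 0 for status in PRIORITY}
    for _, _, status in review(csv_text, today):
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for name, software, status in review(SAMPLE_INVENTORY_CSV, REVIEW_DATE):
        print(f"{status:12} {name:10} {software}")
    print(summary(SAMPLE_INVENTORY_CSV, REVIEW_DATE))
```

Run as-is and the Windows Server 2012 host surfaces at the top as unsupported, the seven-year-old custom ERP module follows as ageing, and the two rows with no verified support date appear before the one supported system. The point of the separate "unverified" status is that a blank cell in the inventory is an open question to chase with the vendor, not evidence that the software is fine.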

If you have already experienced a cyberattack or feel it’s time to strengthen your cybersecurity posture, we encourage you to reach out. We’re a dynamic team of management consultants who can provide invaluable guidance on designing a comprehensive business strategy, including business process design, software solutions, supplier selection and network hardening. In recent years we’ve worked hand in hand with tested IT and security experts and can scale up your business without impacting operations.


ABOUT THE AUTHOR

Damian Xuereb is a Director at Credence Consulting Limited.
You can get in touch with Damian via email, or through his LinkedIn page.