BDO’s new study of public sector cybersecurity warns that the IT systems of government agencies and critical infrastructures around the world are inherently at cybersecurity risk due to legacy technology being used and pending retirement of government staff who have historically maintained these IT systems, by 2023.
BDO warns that operational knowledge of legacy systems is under danger of being lost as employees who have historically maintained them retire. 14% Of US federal employees are currently eligible to retire according to government data – a figure expected to double and reach 30% by 2024. Of the US’ General Services Administration’s mission-critical IT staff, which includes cybersecurity employees, 20 to 50 percent will be eligible. In the UK 66% of UK companies have too few cybersecurity personnel; yet only 12% of UK cybersecurity workforce is under 35. In Australia, cyber security workers are between 35 and 65. Worldwide, Gen X and Baby Boomers make up 49% of the cybersecurity workforce.
BDO points to the key challenges of replacing legacy systems. Twenty years ago, IT systems were built using proprietary technology with a lifecycle of at least 15 years. In the UK, 46 percent of British local authorities’ systems are still running outdated software dating back to 2000. In the EU 28, early generations of mobile networks still rely on protocols designed decades ago, without attention for modern day cybersecurity implications.
A blanket re-platforming for improved cybersecurity of public services’ legacy systems is highly risky because of the unpredictability of consequences, due to the inextricable intertwinement of IT systems over the past decades.
A gigantic opportunity cost is now the elephant in the room at governments everywhere. In 2018, the US government-wide cost for legacy systems operations and maintenance accounted for 70% of the total IT budget of $85.2 billion, compared to 68% in 2015.
Evolving technology creates bridges between public sector agencies, their industry partners and in doing so increases vulnerabilities for cyber threats. With legacy systems not modernized and without the staff to manage them, the public sector is unable to efficiently coordinate cybersecurity operations and adequately protect people against evolving cyber threats.
For a copy of the Report click here.
