A different kind of vulnerability: 3 hidden security risks of legacy collections systems | Flexys


by David Scholefield

Flexys Chief Operating Officer and information security expert, Dr David Scholefield, measures the potential risk of ageing debt collection systems against the protection and functionality offered by modern, low maintenance SaaS systems. 

It’s an open secret that time is running out for legacy collections systems. These systems have their roots in the pre-internet age, and the speed of cloud-native software evolution has left them significantly behind the curve and, in some cases, no longer economically viable, supportable or maintainable. Why does this matter to you?

When systems are no longer maintained, cybercriminals are able to exploit any vulnerabilities, and if the systems are no longer monitored or receiving updates, those vulnerabilities will never be fixed or patched. This leaves affected organisations with a major decision to make, and one that I would advise making without delay.

While the case for change can easily be made on the basis of the vastly increased functionality of modern systems, in my opinion security should also be at the top of your agenda when weighing up the options. Security breaches represent a financial and reputational disaster, the extent and longevity of which is often not fully appreciated until after the event. I have set out below what I consider to be the most pressing risks. I hope you find them useful in your deliberations.

  1. Software vulnerability management

With on-premise (or client-hosted) collections systems, the end-user is normally responsible for ensuring that security patches are applied to the computer systems that host the software, as well as for managing the update cycle of the software itself. Even with a software support contract that includes the application of updates, much of the disruption and effort of running an onsite update project will naturally rest with the user. To aggravate matters, there is often a significant lag between a security patch being made available and the painful process of updating and testing the software. Throughout this window the software remains exposed to attacks that could significantly compromise the confidentiality or availability of highly sensitive personal data belonging to organisations and their customers.

With SaaS services such as Flexys Control+, software patching and updating is managed centrally by security experts. Each update is a seamless improvement to the security status of the service, applied without significant and risky delays and without costly investment in time and resources by the client. The lack of timeliness of on-premise upgrades is only part of the story, however: the inability to easily take advantage of the speed and agility of an ever-improving product feature set makes continuing with on-premise systems a questionable choice from the outset.

  2. Compliance

Security and data compliance is becoming ever more complex, and it can be difficult for clients to remain informed about, and ahead of, data security compliance requirements, particularly in the complex field of computer software and operations. This is a significant risk, especially in the highly sensitive world of collections and financial services.

For traditional on-premise or hybrid software services, much of the responsibility for this compliance management lies with the end-user rather than the software provider. It includes, for example, ensuring that the hosting computers’ operating systems are always updated, that local storage of data is effectively protected against attackers and confidentiality compromise, and that the hosting computers remain fully supported by the operating system provider. These are just some of the complex compliance responsibilities that rest with the software user.

With SaaS systems, the software provider is responsible for almost all aspects of data security and related compliance requirements because the data is stored off-premise. In managed cloud storage and processing systems, the software and service provider’s compliance experts can be leveraged by the end-user at little or no additional cost, and much of the associated liability and risk is transferred to the provider.

  3. Support challenges

Many traditional on-premise systems are either updated very slowly or, in some cases, never updated. They often rely on old versions of operating systems, browsers, or other legacy and unsupported software. Not only is this a significant security and compliance risk, but over time it becomes very difficult to support such software and to find internal staff who understand how to manage these tangled systems effectively, leaving you dependent on expensive external resources. Legacy software is literally ageing itself out of support.

Not only does SaaS software overcome this issue by always leveraging the latest and most secure software technology, but it also removes the need for local support completely; planning for the long-term support of outdated legacy systems simply disappears. In most scenarios, the reduced total cost of ownership (TCO) that comes from removing support costs from the user is enough of an advantage in itself to justify the move to a managed SaaS solution, and that is before the additional benefits of easily and transparently controlling security and compliance risk are counted.

As your current collections platform reaches the end of its useful life, there are three realistic choices:

  • keep running outdated and unsupported software – a significant operational and security risk
  • pay for a costly upgrade to legacy software that temporarily delays rather than solves the issue, or
  • safely migrate to a futureproof, cloud-native collections system that offers vastly improved performance, cost-effectiveness and security.

If you would like to discuss these considerations in more detail, we are ready to answer your questions, whatever your existing system or current supplier. 


About the author:

Dr David Scholefield is a CISSP and OPST-certified security specialist. He has worked with a range of organisations to achieve their ISO27001 and PCI-DSS compliance, as well as carrying out penetration testing and risk management. Previously the Chief Information Security Officer at Flexys, David ensures that all the processes of the company, technical and non-technical, maintain a level of security concomitant with the value of the data they are processing. He makes recommendations on where and how to minimise risk and provides guidance on the use of technology as well as genuinely enhancing the security knowledge of everyone within the team. As Chief Operating Officer, David now leads the operational side of Flexys, from information security and risk management to delivery and client support.