The strategic imperative: Decommissioning legacy systems for better cybersecurity

02-07-2024 | 7 min read | Cybersecurity, Decommissioning of Legacy Systems, Enterprise Legacy System Application (ELSA)

Authors: Laura Parri Royo, Marketing Director at TJC Group, and Audren Butery, SAP Consultant at TJC Group.

Security is at the top of the list of risk factors. Organisations with legacy systems left unchecked can be particularly vulnerable to attacks from hackers and cybercriminals, but that’s not all. This article illustrates a real-life example of a US company whose legacy systems were at the epicentre of a ransomware attack. At a time when many current SAP ECC users are evaluating the optimal migration path to SAP S/4HANA, organisations may be tempted to ‘do nothing’ with their legacy ERP. But aside from the security risks, there are many other good reasons to invest in legacy systems decommissioning with experts.

Keeping up with patches and system updates is a real challenge for IT professionals, as reported by the SAPinsider Cybersecurity Report 2023. Unfortunately, this is the bread and butter for IT security teams working on SAP systems; the list of SAP vulnerabilities to keep a close eye on is long. TJC Group's CISO wrote about it in the article “SAP vulnerabilities and why it is not safe to keep legacy data in an old SAP system”.

Figure 1 SAP vulnerabilities, CVE. Source: CVE details.

For organisations migrating to SAP S/4HANA, SAP will end maintenance by 2027, or by 2025 for those on EHP5. Beware: unpatched systems are one of the biggest challenges organisations face in securing their SAP systems, according to the SAPinsider Cybersecurity Report 2023. Hence, the end of maintenance of SAP legacy systems and/or the lack of patching has become a security concern.

This leaves SAP and its ECC customers in a challenging position. SAP might delay the end of maintenance dates again, but if this is the case, they will wait for as long as possible. That’s why our advice is to come up with a plan to handle legacy systems and historical data in the most cost-effective and compliant way. Contact us if you have any questions.

Firstly, let’s consider the security implications of leaving legacy systems running indefinitely. We touched on the vulnerability risks already. Legacy systems are much more prone to data security breaches because they may no longer receive updates and patches from vendors. Even if a vendor is still offering maintenance updates, the user organisation may have stopped implementing them (another common mistake), perhaps because it no longer has the right skills in-house or simply because the new systems get all the attention. This practice leaves critical data highly exposed to cyber threats and is one of the most common ways hackers can breach a company firewall.

Data breaches are currently one of the fastest-growing targets for hackers. According to MIT expert Professor Stuart Madnick, “data breaches continue to increase year-on-year and a 20% increase in data breaches from 2022 to 2023 was measured”. As part of this study conducted by Harvard Business Review, it was identified that one of the most popular ways for hackers to gain access is via security gaps in vendor systems, especially legacy ones.

In addition to the security implications, there are compliance considerations when legacy systems are left unchecked. These are just as critical. Keeping outdated systems running instead of decommissioning them can lead to non-compliance with modern regulatory standards like GDPR, leaving an organisation exposed to a multi-million-euro fine and legal challenges from regulators. We have written about the serious financial risks of GDPR fines in the past.

Let’s consider the costs, because an article exploring the consequences of not decommissioning legacy systems would be incomplete without considering the cost efficiency implications. We are in the midst of an IT skills shortage and one that experts are predicting will continue to intensify. According to IDC, the growing IT skills shortage is impacting organisations in all industries and across all regions. Nearly two-thirds of executives surveyed for a recent research report said that a lack of skills has resulted in missed revenue growth objectives, quality problems, and a general decline in customer satisfaction. IDC predicts that by 2026, more than 90% of organisations worldwide will feel the pain of the IT skills crisis, amounting to some $5.5 trillion in losses.

It is difficult to employ and retain good IT professionals at the best of times and when their skillsets are more specialised, the situation becomes more problematic. Many legacy systems are dependent on a small pool of IT experts within an organisation to maintain them, posing a risk if these resources become unavailable. Rather than tie up essential IT budgets with legacy skillsets, decommissioning old systems or applications allows IT resources to be reallocated towards more strategic projects that will positively contribute to driving business growth and innovation.

The other very important factor to weigh up is the environmental cost (and waste) of powering legacy systems unnecessarily. It is well known that data centres have become the single biggest consumer of electricity in the world today and as the volume of data being stored keeps rising, so do power consumption levels. Keeping legacy systems going when they could be decommissioned wastes a great deal of power and at a time when companies everywhere are under pressure to reduce their carbon footprints, this could be an easy win. We have written about the carbon positive impact of data volume management in the past.

Having illustrated the importance of decommissioning legacy systems, what steps can IT professionals take to make the process of safely removing them as straightforward as possible? One of the foundational objections made within an organisation considering legacy system decommissioning relates to ‘what happens if we need the data again?’ This concern is understandable, especially given the requirement for organisations in some industries to retain historical records for tax, audit or compliance purposes. Thankfully there are dedicated solutions available to enable this, including ELSA from TJC Group.

The following article sheds some light on how to retire an old system, from sunsetting to decommissioning: https://www.tjc-group.com/blogs/legacy-systems-a-journey-from-sunsetting-to-decommissioning/

ELSA (Enterprise Legacy System Application) is a unique, SAP-certified solution that makes accessing any SAP and non-SAP legacy systems that are no longer required for day-to-day business transactions as simple as possible. Developed exclusively by TJC to overcome decommissioning challenges when migrating to S/4HANA or any other ERP, it can be delivered on premise through SAP Business Technology Platform or as a SaaS.

ELSA works by giving end users easy access to legacy data, documents, and historical transactions after an old ERP system has been shut down. Allowing end users to gain direct access is significant because it means IT departments are not responsible for facilitating access to legacy data, which would be a waste of IT resource time.

The solution is powerful enough to decommission 100% of legacy systems within an organisation, from a single ERP database to hundreds of apps, and can maintain full traceability logs to ensure future compliance with local tax laws and data privacy regulations. ELSA can also be integrated with automated data archiving solutions so that full information lifecycle management is implemented and your organisation can get data volume growth permanently under control for the long term.

Investing in the decommissioning of legacy systems is an important strategic activity for every large organisation. It mitigates security and compliance risks and reduces costs and carbon footprint. Fortunately, cutting-edge technology is now readily available to tackle the problem. Consider the benefits to your organisation and talk to the experts about the next steps.
