.shock - Fotolia
Only 6% of UK financial services firms know when all their infrastructure components will reach their end-of-life date and will no longer be supported by suppliers, a survey has revealed.
This figure dropped to 2% among smaller firms with fewer than 500 employees, while only 22% of companies polled knew the end-of-life dates for most of their applications.
The survey of 200 IT decision-makers in financial services firms by cloud services provider KCOM also revealed that the average firm has 434 server-based applications either partly or fully unsupported and more than 400 applications that are out of support or have end-of-life components.
This represents a security risk because unsupported technology no longer benefits from security updates and a compliance risk because of a lack of ongoing maintenance.
As result, the survey report said firms are putting the business at risk of cyber attacks and regulatory fines, as well as potentially significant delays when introducing new services.
However, the report said financial services organisations are making major investments to modernise their IT infrastructure, with 79% either “definitely” or “probably” using the cloud or cloud-based services to replace on-premise end-of-life products.
To date, only 33% of financial services businesses have migrated half or more of their applications to the cloud, while the rest remain on “legacy” infrastructure, the report said.
According to KCOM, the survey lays bare the effects of legacy infrastructure, with 92% of respondents admitting that maintaining server infrastructure is a challenge and 47% reporting this to be “very challenging”. Nine out of 10 also said that processing bottlenecks are a major capacity challenge, 84% cited insufficient test environments, and 83% insufficient back-up storage.
Read more about cyber security for financial services
- UK finance sector cyber security pros admit shocking practices.
- Information security chiefs in the financial sector say cyber security awareness needs to be a top priority.
- Financial institutions need to rethink security, say analysts.
- The UK’s Financial Conduct Authority voices concerns about weaknesses in banks’ IT systems.
“Many financial services firms do not have a clear and comprehensive view of which components in their IT infrastructure need urgent attention, or where their security issues reside,” said Richard Latham, principal consultant at KCOM.
“A poorly planned and executed cloud migration may simply achieve the continuation of a flawed system. Migrating to the cloud presents a major opportunity for eliminating end-of-life issues and fixing the associated vulnerabilities, but only if it is managed in a holistic, carefully planned manner.”
In light of the security concerns that come from end-of-life components, the research also asked IT directors how often they conduct a risk audit, vulnerability scan or penetration test across their server landscape.
This revealed that 14% of financial companies had not completed any kind of audit in the past year. Only 51% said they had completed the Bank of England stress test, 60% had conducted a PCI audit, 58% held an ISO 27001 certification and 62% felt they were compliant with the Financial Conduct Authority.