Securing Ecommerce: Protecting Supply Chains from Cyberattacks

By Óscar Goytia | Journalist & Industry Analyst - Wed, 04/09/2025 - 15:09

Legacy systems are invaluable assets for businesses, storing critical data that is often difficult and costly to migrate to more modern technologies. However, these systems present significant security risks due to their obsolescence, lack of effective monitoring, and vulnerabilities when interacting with newer systems. As e-commerce continues to expand and digital transformation accelerates, businesses must focus on securing these infrastructures to prevent cyberattacks that could compromise operations and customer trust.

“It is difficult for companies to invest in legacy systems if they do not see a return on investment (ROI). They invest in frontend technologies but tend to neglect the backend,” says Carlos Carrillo, Director of Cybersecurity Consulting Services, ONESEC.

This approach, while seemingly cost-effective in the short term, becomes problematic over time as legacy systems grow increasingly difficult to manage and maintain. “The risk of not upgrading technology is that eventually, it becomes impossible to find people who can manage the equipment,” Carrillo explains.

“You have many systems operating for years, and integrating them with new technologies, even those considered trendy, is difficult because the scope of what they can do is often not fully understood,” says Alejandro Tinoco, Chief Information Security Officer at San Pablo Farmacia. This lack of understanding can result in security vulnerabilities, especially when legacy systems are involved.

As both experts point out, the issue is not just about upgrading for the sake of modernization, but ensuring that security is maintained throughout the process. Carrillo emphasizes that proper inventory management is crucial for mitigating risks. "It is important to have a detailed inventory of everything you have—from APIs to their versions. This is key to understanding where vulnerabilities lie," he says.

Without an accurate inventory, businesses cannot fully assess their exposure to cyber threats. Yet, monitoring legacy systems remains a pressing challenge. "How do you monitor systems that weren’t designed to be monitored?" Carrillo asks. Without built-in security protocols, older systems are harder to protect from modern cyberattacks.

“It is not just about cybersecurity; it is about managing information security risk. Mexico is a country with high levels of insecurity, fraud, and social engineering. Businesses must take a hard look at their security practices. It is essential to shift from a ‘trust everyone’ model to one with zero tolerance for security breaches,” says Jardany Navarrete, Information Security and Operations Technology Manager, The Swatch Group Mexico.

The challenge of transitioning to more secure systems is compounded by the fact that many organizations are still using legacy systems that were not designed for modern security standards. “You have to manage the obsolescence of these systems. Legacy systems have outdated security controls that are no longer adequate,” Tinoco points out. This makes it crucial for businesses to not only modernize but also ensure that their security measures are up to date.

“In security, there is a clear shortage of information professionals. It is also important to consider the configuration of specialized teams because different generations work differently,” explains Tinoco. 

Despite these challenges, Navarrete emphasizes that modernizing to more secure systems is ultimately an investment. “The ideal solution is to begin migrating to more modern systems, which, although costly, should be seen as an investment, not an expense,” he asserts.

The reality is that no system is completely risk-free, but proactive risk management can significantly reduce exposure to cyberattacks. Both Carrillo and Navarrete stress the importance of preparation. Carrillo notes that regular testing and response plan drills are key to minimizing the impact of an incident. "The incident response plan is not just for the events themselves; it must be practiced at least once a year," he advises. By regularly testing security measures and ensuring the organization is ready to respond to incidents, businesses can better protect their operations and data.
