As global trade realigns in response to tariffs, geopolitics, and localized shocks, supply chain leaders are under mounting pressure to relocate or redesign networks with little time to spare. But in this race to adapt, many are unintentionally paving the way for cyber vulnerabilities — especially when legacy systems are involved.

In a written reply to The Supply Chainer, Paolo Palumbo, Vice President of WithSecure Intelligence, flagged the operational and security minefields companies often stumble into when executing rapid facility deployments. “Insufficient risk assessment, inadequate supplier vetting, and overlooked compliance issues are only part of the picture,” said Palumbo. “The real threat surfaces when legacy technologies — already fragile — are hurriedly inserted into unfamiliar environments without the guardrails modern systems have.”

The issues he describes are not theoretical. A 2024 study by the European Union Agency for Cybersecurity (ENISA) found that 41% of supply chain cyber incidents in the past year involved legacy technologies that were either insufficiently patched or lacked adequate monitoring when introduced into new facilities. Beyond the hardware, it's often the human and structural elements that are forgotten. “We’ve seen companies underestimate cultural differences or misjudge regulatory compliance when switching regions under pressure,” Palumbo noted. “And if contingency planning is treated like a checklist item instead of a living process, it’s only a matter of time before something breaks.”

To mitigate these risks, Palumbo recommends a multi-layered defense that begins before the first truck is dispatched or the new supplier onboarded. WithSecure’s own Exposure Management (XM) and Detection & Response (D&R) solutions aim to bring legacy systems into a protected visibility layer, giving defenders actionable insights, not just a flood of alerts. "When you relocate a 15-year-old ERP server to a new facility in Southeast Asia, you’re not just moving hardware — you’re moving attack surface,” he said. “And unless there’s elite-level threat hunting and exposure mapping running from Day One, it’s like driving a classic car on a Formula One track.”

This approach aligns with insights shared by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, who recently warned:

Palumbo emphasized that incident response must be treated as a preemptive investment, not a reactive expense. “Especially during transition phases, investing in IR readiness and MDR services can mean the difference between a minor incident and a multimillion-dollar crisis,” he said.

For SMEs, which often rely on legacy systems out of necessity, this might sound daunting. But Palumbo is clear: “Security is not about being perfect; it’s about being ready.”