Among the silent cogs of our daily digital life, mainframes discreetly keep the most common operations running.
Cash withdrawals, flight reservations, insurance reimbursement management and administrative data processing are among these many operations. Long considered “intrinsically secure”, especially in comparison with the cloud, mainframes enjoy a solid reputation. However, this excessive confidence can lead IT teams to lower their guard: despite their resilience, mainframes are not invulnerable.
Cyberattacks are becoming widespread
Data breaches are multiplying and regularly make the news. In 2024, the CNIL was notified of 5,629 personal data breaches, 20% more than in 2023. Beyond this significant increase, the most worrying trend is the resurgence of very large-scale compromises. The number of breaches affecting more than a million people has doubled in a year, going from around twenty to forty successful attacks, and all sectors of activity are affected. These attacks do not only target mainframes, but they underline a reality: no infrastructure today can do without active protection.
Given the volume and sensitivity of the data processed, the slightest flaw can have disproportionate consequences. The problem? Many mainframe applications are still accessed through obsolete methods, such as terminal emulators, protected by simple passwords, a very fragile defense against cybercriminals' techniques. Between the boom in attacks powered by artificial intelligence and the resurgence of insider risks, mainframes are no longer safe.
Three major threats weigh on mainframes today
Under the surface, several types of threats converge and weaken mainframes, starting with those that come from inside organizations themselves. It may be a distracted employee who clicks on a malicious link or discloses their credentials, or a malicious employee in a sensitive position. In both cases, the damage can be significant, especially if this person has cross-system access. From simply forgetting good practice to elaborate scams, the lack of modern access control and active monitoring makes mainframes vulnerable from the inside.
Added to this is the growing use of AI by cybercriminals, which allows them to deploy more targeted and more credible attacks. Through deepfake voice calls or hyper-personalized phishing, social engineering attacks become more convincing and more difficult to detect, and they rank among the five most used techniques in cybercrime campaigns targeting the European Union, according to ENISA.
In addition, a worrying development was observed over the past year. Generative technologies make it easier to produce credible content on a large scale, making scams more difficult to detect, even for experienced users. In some cases, attacks combine voice cloning with impersonation of the chain of command, exploiting internal trust to trigger transfers or exfiltrate credentials. Easy access to AI tools makes it possible to manipulate victims, impersonate identities and bypass verification mechanisms. Without strong authentication or an identity management system, mainframes become easy targets.
Finally, security regulations are increasingly strict. All over the world, authorities are imposing new cybersecurity rules and shorter compliance deadlines, with heavier penalties, including for mainframes.
In Europe, NIS2, applicable since October 2024, imposes strict obligations for security, risk assessment and rapid incident notification, with fines of up to 2% of the global turnover of the companies concerned. For its part, the Digital Operational Resilience Act (DORA), which entered into force in January 2025, imposes end-to-end operational compliance on financial institutions: ICT risk management, resilience testing, oversight of third-party providers, and notification of major incidents within 4 hours.
European authorities, such as the ECB and the EBA, are also reinforcing practical recommendations by publishing guidelines to govern outsourcing to the cloud and to critical providers. Finally, in France, the ANSSI has aligned its requirements with these texts, in particular for incident notification and provider management, as part of the transposition of the NIS2 directive. In short, compliance now goes hand in hand with securing legacy environments, mainframes included.
Strengthening the security of mainframe environments
Faced with increasingly complex threats and growing regulation, companies must now prioritize three concrete actions to better protect their mainframe environments:
- Modernize user access modes
Behind the aging appearance of mainframes lies critical access to highly sensitive data. This access must be protected to the same standard as the most recent systems. Companies should prefer browser-based terminal emulators, or secure connections over a VPN. These solutions must support current security standards such as TLS 1.3 and multi-factor authentication (MFA).
- Monitor abnormal behavior and create complete traceability
Unusual connections, outside normal hours or from unexpected places, may indicate a compromise. Continuous behavioral monitoring, coupled with automated analysis, must apply to all users, including those who access mainframes directly. A well-integrated identity and access management (IAM) system not only makes it possible to enforce strict access rules, but also generates detailed audit logs to detect incidents and meet compliance obligations.
- Collaborate with responsible suppliers throughout the supply chain
Software providers must also guarantee the security of their products throughout the development cycle. Any flaw in their code can open a breach in the system. It is essential to ensure that they apply robust security practices, from design to deployment, and that they keep up with evolving regulatory obligations.
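The second action above (flagging connections outside normal hours or from unexpected places, and keeping a trace of each alert) can be sketched as follows. This is an added example, not part of the original article: the record format, user IDs, network range, business hours and 10-minute window are assumptions constructed for illustration, and real mainframe audit records would need their own parser.

```python
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values (not from the article); tune per site.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
EXPECTED_NETS = [ip_network("10.20.0.0/16")]
SOURCE_CHANGE_WINDOW = timedelta(minutes=10)

# Constructed sample in a simplified, hypothetical export format
# (timestamp,user,source_ip,result), sorted by time.
SAMPLE_LOG = """\
2025-03-03T02:41:09,OPS01,10.20.4.17,SUCCESS
2025-03-03T09:12:44,OPS01,10.20.4.17,SUCCESS
2025-03-03T10:05:31,FIN07,203.0.113.50,SUCCESS
2025-03-03T10:06:02,FIN07,10.20.9.3,SUCCESS
2025-03-04T23:58:10,ADM02,198.51.100.7,FAILURE
2025-03-05T11:30:00,ADM02,10.20.1.1,SUCCESS
"""

def parse_event(line):
    ts, user, src, result = line.strip().split(",")
    return datetime.fromisoformat(ts), user, ip_address(src), result

def detect(log_text):
    """Return one audit finding per logon that matches at least one rule."""
    findings, last_seen = [], {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, src, result = parse_event(line)
        reasons = []
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            reasons.append("off-hours")
        if not any(src in net for net in EXPECTED_NETS):
            reasons.append("unexpected-source")
        # Same user seen from a different address within a short window.
        prev = last_seen.get(user)
        if prev and prev[1] != src and ts - prev[0] <= SOURCE_CHANGE_WINDOW:
            reasons.append("rapid-source-change")
        last_seen[user] = (ts, src)
        if reasons:
            findings.append({"time": ts.isoformat(), "user": user,
                             "source": str(src), "result": result,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Each finding keeps the user, source, result and the rules that fired, so it can be forwarded as an audit record rather than only raised as an alert.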
Long considered out of reach, mainframes are now exposed to the same risks as the rest of the IT landscape. Their importance is no longer a shield; it is a responsibility. What matters now is not only the way they are built, but also the way they are maintained, accessed and monitored over time.




