Legacy tech continues to plague businesses, with backlogs of outdated tech hindering business growth and hampering modernization goals. But the risks of legacy technology must also be at the top of the list for any IT leaders, as legacy stacks can obscure attack surfaces and open organizations up to attacks that exploit known vulnerabilities.
In 2017, McKinsey spoke with over 50 global institutions to get a sense of their biggest hurdles in digitization and risk management. 85% pointed to "legacy IT" as their top roadblock. Six years on, that struggle hasn’t gone away, with 40% of CIOs in an Experseo Research report still seeing legacy systems as a major growth bottleneck.
"Organizations often take an 'if it’s working, leave it alone' approach with legacy technology," says Thomas Richards, principal consultant at Synopsys. "After pouring so much money and energy into their existing systems, the cost of replacing or rearchitecting them seems higher than the risk of keeping them in place."
"Organizations often take an 'if it’s working, leave it alone' approach with legacy technology," says Thomas Richards, principal consultant at Synopsys. "After pouring so much money and energy into their existing systems, the cost of replacing or rearchitecting them seems higher than the risk of keeping them in place."
Richards’ evaluation is something many CIOs know all too well—it’s practically an open secret in the tech world. That is until a security disaster takes advantage of the weaknesses in unpatched legacy systems. WannaCry, for instance, disrupted critical IT infrastructure across 150 countries and 200,000 computers, all because companies were still relying on end of life (EOL) systems like Windows 7 and Windows XP running outdated, vulnerable versions of the server message block (SMB) protocol.
It wasn’t the first or last attack to reveal the vulnerabilities of legacy IT. Still, many organizations choose to continue using these outdated technologies.
It wasn’t the first or last attack to reveal the vulnerabilities of legacy IT. Still, many organizations choose to continue using these outdated technologies.
The looming risks of legacy technology
A legacy system refers to software or hardware that has been in use for over a decade, often because it still delivers value. This could include everything from Intel 286 computers and older operating systems to servers, smartphones, Oracle databases, and even the Microsoft Office Suite from the 1990s, still in use by a million companies worldwide.
What makes legacy IT an Achilles' heel for CIOs is the tendency toward “risk avoidance” and the low ROI associated with updating legacy IT. Brian Chapell, VP of product management at One Identity, puts it this way: “We still encounter COBOL systems that we expected to be phased out long ago. They keep running year after year, thanks to the value they deliver.”
Many IT teams take shortcuts using Martin Fowler’s “Strangler Pattern,” reusing logic from their mainframes instead of opting for direct modernization. In other cases, legacy IT systems get overlooked during updates due to shadow IT and ineffective asset management.
NTT Data backs this up with research showing that two-thirds of UK organizations still operate with obsolete or aging network assets, even after decades. Add in a resistance to change and an organizational culture focused on “band-aid solutions” than overhauling IT, and you can see why these systems persist.
Top legacy technology risks in 2024
1. Unpatched vulnerabilities
Many high-profile vulnerabilities of this year like Fortinet SSL VPN Path Traversal and the Heartbleed date back at least six years. While modern IT setups can patch these issues, legacy systems miss the boat on updates. Chapell refers to this as the “jinx of legacy systems.” These older technologies are often isolated and air-gapped from the modern tech stack with many of them long passing their support dates by the time vulnerabilities emerge. In fact, when the Log4j vulnerability was discovered, 50% of its installations were already past their support date, making them sitting ducks for attacks.
No support and lack of integration quickly expands the risk of attacks as seen in the 2018 FedEx breach where an unsecured Amazon S3 server—likely a legacy system from a prior acquisition—exposed the sensitive data of 120,000 FedEx customers.
2. Downtime
Legacy IT might slip by without getting hit by attacks from unpatched vulnerabilities, but they end up facing downtime anyway. These systems usually run on old hardware and software that can be prone to unplanned outages. No wonder 56% of businesses said their revenue took a hit due to technology downtime from legacy infrastructure in a recent Forrester thought leadership report [PDF] commissioned by Hitachi Vantara.
As components age, they become more prone to failure or overheating, no matter how hard the support team works to keep everything running smoothly. When things go south, a major crash is pretty much unavoidable—especially if those parts are no longer being made or emergency replacements aren't on hand.
Just look at the latest Crowdstrike security mishap – the firm fixed the patch in just 79 minutes, but it took its clients weeks to bring all its critical services back online. What starts as a small issue can quickly spiral into a catastrophe, made even worse by limited vendor support, outdated documentation, and fewer experts who know how the system works.
What’s more, a lot of these technologies were not built with multi-factor authentication (MFA) in mind which makes them a prime target for network breaches. Add in misconfigured firewalls, and you’ve got a recipe for chaos that not only disrupts workflows but can also cause major service downtime.
3. Technical debt
Legacy IT leaves behind a trail of spaghetti code, rigid architecture, and a fragmented IT ecosystem. These loose ends pile up so much technical debt that it starts eating up to 40% of IT budgets, per McKinsey data, with chief information officers (CIOs) dedicating 20% of their funds for innovation and growth to just managing this debt.
Businesses often hold back on adopting newer technologies, fearing the downtime and costs associated with migration. Instead, they stick to patching up their outdated systems, only to add more complexity and debt along the way.
The constant pile of legacy systems slows IT processes and forces developers to focus more on reducing time to market. In the rush to meet deadlines, they sometimes ship code that’s under-tested, lacks security controls, and might experience failure during peak usage. Now that’s a nightmare for any retail customer.
As Faki Saadi from SOTI notes, this technical debt doesn’t just impact customers; it hits employees hard too. In its latest report, Code Digital: WIll Healthcare Thrive or Survive, the firm found UK healthcare workers lose an average of 3.9 hours of productivity each week dealing with outdated systems—time that should be spent on patient care and improving the bottom line, not fixing tech issues.
4. Data governance
In conversations about legacy system risks, Iwona Sikora, SVP EMEA at Iron Mountain, doesn’t hesitate to name data governance as the most underrated threat. Many legacy technologies simply don’t offer the monitoring and visibility that businesses need to manage their data effectively. “As of now, 52% of produced enterprise data is unknown,” Sikora explains. That’s a recipe for disaster for companies with old systems and bulky physical archives where unknown data can just sit for years and explode into a data breach.
Implementing data protection policies can feel daunting when there’s so much data trapped in legacy systems. Most of these setups lack automation and real-time enforcement, making it tough to ensure regulatory compliance with the latest data privacy laws.
“Businesses that take proactive steps to handle their data—whether it’s managing, storing, or protecting it—are the ones who’ll turn challenges into advantages,” says Sikora. “If you don’t, you might just get left behind.”
