The hidden costs of legacy systems: Why outdated technology can drain your budget and compromise security

Due to the nature of legacy applications, it can be tough to argue change is necessary. They begin to feel like part of the furniture. But their impact can be damaging, even if it isn't obvious. Learn how to identify the impact of legacy applications, and what to do about it.

Written by Adam Roberts

August 28, 2024


Consider this scenario: a foreign threat actor seeks to gain access to a large enterprise’s data and systems. Rather than the more common, and increasingly sophisticated, approach of a phishing attack on team members, the threat actor discovers an easier path. The organization, like many, has a legacy system problem.

By compromising a legacy, non-production test account, and using this to gain a foothold, the threat actor then accesses a small percentage of corporate email accounts, including members of the executive team and cybersecurity, legal, and other functions, exfiltrating emails and documents.  

While this may sound like a hapless organization with poor IT practices getting its comeuppance, this is actually the story of the “Midnight Blizzard” attack on Microsoft earlier this year, where the upper management of one of the most sophisticated technology companies in the world fell victim to this very common vulnerability. Legacy systems are that big a threat.

If your organization has a legacy system problem, a damaging hack isn’t the only issue you should consider. Legacy systems cost your business more than modern equivalents, in terms of ongoing maintenance, loss of efficiency, loss of productivity, and opportunity cost. They can also lead or contribute to employee churn. Let’s dive in.

The financial burden of legacy systems

IT budgets are being eaten up by legacy application costs, money that could be spent elsewhere, including on IT transformation. Unlike the risk of a data breach, these costs are not theoretical; they are being incurred today by every organization that runs legacy applications.

By 2025, companies will be spending 40% of their IT budgets on simply maintaining technical debt, according to Gartner. While technical debt goes beyond legacy applications, given that application costs can make up to 80% of the entire IT budget, retiring legacy applications can lead to substantial cost savings.  

Plus, consider the cost of doing nothing: maintaining legacy apps leads to ever-increasing support and maintenance costs over time. In 2019, the US Federal government spent 80 percent of its IT budget on Operations and Maintenance. This spending mainly went to aging legacy systems, which posed efficiency, cybersecurity, and mission risk issues. To put that into context, only 20 percent of IT funding was assigned to Development, Modernization, and Enhancement.

Maintenance costs

Legacy applications require a lot of help to continue operating in an optimal way. This maintenance can take the form of:

  • Patching, especially security patches.
  • Customizations and integrations to ensure disparate systems can interoperate.
  • Specialist technical support for applications built on old code.
  • Operational downtime when issues need to be fixed.

It can cost over $30M to operate and maintain one legacy system, and by conservative calculations at least $1.14 trillion is spent on maintenance of existing IT investments including legacy systems.

Inefficiencies act as a drag on productivity

Slow, inefficient legacy applications lower productivity, impacting overall business performance. In studies in the UK, 48% of the study population wasted three hours or more per day due to inefficient systems, which over a year costs the average UK business at least £28,000. Forcing your staff to develop workarounds or waste time waiting for processes to complete is not a recipe for an agile, innovative organization.

A Total Economic Forum study by Forrester showed that retiring old legacy systems could reduce hardware and operational running costs by 65%. This is to say nothing of the gains in efficiency, scalability, and agility through strategic application alignment with modern IT environments.

Opportunity costs

Organizations that spend time and money wrangling legacy applications are missing other opportunities to innovate and grow.

90% of IT decision makers say legacy systems are holding their organizations back from using digital technologies to innovate or make operational efficiencies. Modernizing legacy applications can liberate organizations from these constraints, freeing up time and money for more strategic initiatives.

Increased risk of data breaches and security threats

Increased security vulnerability

Legacy vulnerabilities may be the biggest enterprise cyber risk. Outdated security controls and a lack of updates make legacy apps prime targets, as attackers actively exploit unpatched, end-of-life (EOL), and legacy systems. As the Microsoft example illustrates, bad actors unsurprisingly target vulnerable, overlooked systems to gain initial access.

In its 2019 study of several critical federal government systems, GAO noted that several of the legacy systems were operating with known security vulnerabilities and unsupported hardware and software.  

Compliance Risks

Outdated technology can impair your ability to comply with regulations, increasing your compliance risk.

Legacy systems’ lack of compliance with stringent data privacy laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA) complicates the management and protection of sensitive customer data. A study from the Capgemini Research Institute found that when executives were asked to rate the top challenges organizations face while preparing for the CCPA, legacy IT (42%) emerged as critical.

Companies that fail to meet these obligations could face penalties and steep fines. In fact, violations of GDPR alone cost companies over $2 billion in 2023. As state-level privacy regulations continue to be enacted, this concern will only grow more relevant in the future.

Incident Costs

Legacy systems often lack current oversight, leaving you unaware of stored ROT (redundant, obsolete, and trivial) data, duplicates, and sensitive data at risk. This can lead to significant dangers like breaches, data loss, or regulatory issues. Proactive data minimization and defensible disposal are a key way to reduce the amount of low-value, at-risk data exposed in the event of a breach or cyber-attack.

In addition to the Microsoft example mentioned above, there have been many examples of outdated or unpatched technology causing major data breaches.

The Equifax data breach in 2017, which exposed the personal information of approximately 147 million people, was attributed to a failure to patch a known vulnerability in the Apache Struts framework, which was a part of their legacy system.

And also in 2017, the WannaCry ransomware attack affected numerous organizations around the world, including the UK’s National Health Service, by exploiting a vulnerability in an unpatched version of Microsoft Windows.  

In 2020-2021, the Accellion file transfer appliance, considered legacy software by the company itself, was exploited, affecting multiple organizations and exposing sensitive data. A series of breaches at customers around the world began in late 2020 and continued into early 2021. The company had already been moving customers off the appliance, planned to end support for the appliance in April 2021, and had discontinued support for its operating system in November 2020.

Reputational damage

Customer Trust

While data breaches and system failures are becoming more common, each one is still devastating for the victim in terms of customer trust and reputation. Customers trust organizations to treat their data carefully and can rightly feel betrayed when a data breach occurs, and it becomes clear that the organization mishandled their data.

According to a survey by Forbes, 80% of consumers in developed countries will abandon a business if their personally identifiable information is compromised in a security breach. In the same survey, 92% of respondents believe companies must be proactive about data protection, rather than waiting for government regulation.

Brand Impact

Along with eroding customer trust, data breaches caused by outdated technology can lead to significant reputational damage for the victim.

United States mobile service provider T-Mobile fell victim to nine data breaches in the period between 2018 and 2023. Each of these breaches, no matter the size, impacts the company’s brand, further painting the company as one which does not properly safeguard customer data.

In 2018, hotel conglomerate Marriott International discovered that attackers had compromised its reservation system, gaining access to information from 500 million guest records, exposing the personal information of hundreds of millions of individual guests from around the world. The cause of the breach stemmed from legacy systems that were part of the company’s 2016 acquisition of Starwood, showing the importance of cybersecurity during mergers and acquisitions (M&As). In addition to a more than 5% drop in its share price, the company was also hit with an £18.4 million GDPR fine for failing to secure millions of guests’ personal details, further damaging Marriott’s brand.  

Making the case for modernization

One of the issues with legacy applications is that senior leadership can be blind to their everyday problems, risk, and hidden costs. As a result, it can be difficult to obtain buy-in for migration or application retirement, which to them may look like a significant capital expenditure that merely maintains the status quo.

Benefits of migration or application retirement

In many organizations, senior leadership view IT primarily as a cost center, and so they may be focused on limiting operational expenditure. This kind of short-term thinking can lead to poor decisions that impact security and compliance. In addition, money spent on legacy applications is money that by definition is not going to innovation.

Cost-benefit analysis

When making the argument to retire a legacy application, it is important to include all the ongoing costs, not just the obvious licensing or subscription costs. We need to compare apples to apples, so make sure you record every cost of a legacy application. These hidden costs may include:

  • The amount of time your staff spends fielding support enquiries or resolving issues.
  • Development or maintenance of custom integrations or interfaces.
  • Workarounds deployed to overcome the shortcomings of the legacy application.

If you have specific examples or figures from your organization, use these; otherwise, quote the numbers mentioned earlier in this piece. It is highly unlikely that your organization is immune to these trends, so make sure this point is not lost on your executive team or board.

To make this process easier, we have created a calculator allowing you to estimate the cost of decommissioning legacy applications.

Summing up

Before we retire—a review.

Legacy systems represent a significant cybersecurity risk to every organization, along with an ongoing drag on efficiency, costs, and productivity. All organizations, from a small business to a technology leader like Microsoft, suffer from problems with legacy applications, amidst wider issues with technical debt.

Due to the nature of legacy applications, it can be tough to make the argument that change is necessary. Legacy systems’ licensing costs are predictable, and the impact on productivity and efficiency can go unnoticed. The systems begin to feel like a part of the furniture. But modernization and legacy application retirement are crucial to improving security, compliance, and productivity, and reducing risk and overall cost.

It is time to assess your own systems, so you can chart your own path to modernization. Learn more about how decommissioning legacy applications is the next step toward a reduced IT budget and more room for innovation.

💸 See how much legacy applications are costing you with our application retirement calculator.
