
Legacy Systems

The Hidden Dangers Lurking in Your Infrastructure

22 May 2025 by Bryce

In the fast-paced world of digital transformation, legacy systems—those old, outdated technologies still running critical applications—often lurk quietly in the background of organisations, doing their job without much fuss. But don’t let their silence fool you. These aging systems come with serious baggage: security holes, operational fragility, mounting costs, and strategic dead-ends.


So why are they still around? Often, they underpin essential business functions, and replacing them is complex, expensive, and disruptive. But the longer they linger, the more they become ticking time bombs. Let’s explore the real risks of legacy systems, and why modernising isn’t just an IT upgrade—it’s a risk management imperative.


Security: Our First and Greatest Concern

The biggest issue with legacy systems is security. Once a system is no longer supported by vendors, it stops receiving patches and updates. This leaves known vulnerabilities wide open for attackers.


A perfect example is the 2017 WannaCry ransomware attack, which hit organisations across the globe. The UK’s NHS was particularly hard-hit, partly due to its continued use of Windows XP—a system Microsoft had retired years earlier.


Legacy systems also often lack support for modern security practices like encryption, multi-factor authentication, or secure APIs. Worse, they may still use outdated protocols like Telnet, FTP, or SMBv1: Telnet and FTP send credentials in cleartext, and SMBv1 is the protocol WannaCry spread through.


Operational Fragility

Legacy hardware and software often rely on discontinued components. Spare parts may no longer be available, or only obtainable at exorbitant prices. Failures become more common over time, and repair becomes more difficult.


System downtime, slow performance, and poor integration with newer technologies become the norm. This increases the risk of catastrophic failure—something many businesses are one malfunction away from experiencing.


Talent and Knowledge Drain

With each passing year, fewer professionals are trained on old systems like AS/400, COBOL, or even early versions of Unix. The people who built and maintained these systems are retiring, and younger IT staff may never have touched such platforms.


This knowledge gap leads to poor support, slow recovery from failures, and dangerous reliance on a handful of ageing experts.


Regulatory and Legal Risk

Modern data protection laws such as NZ’s Privacy Act 2020, the US HIPAA, and the EU’s GDPR require strict controls around access logging, encryption, and data retention. Most legacy systems fall short on all three.


Worse, many of these systems can’t produce comprehensive audit logs. If your organisation suffers a breach, you may not be able to determine how it happened—or prove due diligence to regulators. Legal exposure in such cases is a significant and often overlooked risk.



Integration Headaches

Legacy systems are notoriously difficult to integrate with modern technologies. Many lack APIs, use obscure data formats, or are locked into outdated architecture. This limits your ability to deploy business intelligence tools, automate workflows, or leverage cloud services.


As digital transformation strategies gain traction, legacy systems act as bottlenecks to innovation.


Cost vs. Value

While many organisations retain legacy systems to avoid the upfront cost of replacement, long-term maintenance often becomes more expensive. You may need niche contractors, custom code patches, or even to run obsolete environments in parallel.


There’s also a hidden opportunity cost—every dollar spent keeping legacy systems alive is a dollar not invested in innovation or efficiency.


The Business / Organisation Cultural Challenge

Sometimes the biggest hurdle is internal resistance. Users grow attached to familiar systems. Management may adopt a "don't fix what isn't broken" stance. But this approach underestimates the silent risks of doing nothing.


Change management and clear communication are key to overcoming internal inertia.


Mitigation: What Can Be Done?

If replacing a legacy system immediately isn’t an option, there are still mitigation steps you can take:


Network Segmentation: Place legacy systems on isolated networks to contain any compromise.


Access Controls: Lock down who can interact with the system—and how.


Monitoring: Use external tools to log and alert on suspicious behaviour.


Plan Your Exit: Begin documenting a phased migration or modernisation plan. It doesn’t need to be all at once—but it does need to start.
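The segmentation, access-control and monitoring steps above only work if somebody checks that traffic actually obeys them. The script below is an added example, not code from the original post or from CyberForensics: it reads a constructed flow-log format (hypothetical `src=… dst=… dport=… app=…` lines, not any real product's output) and, against an assumed policy (a legacy segment `10.99.0.0/24`, a single permitted jump host and a single permitted log collector, all constructed values), flags ingress from hosts that are not the jump host, unexpected egress from the legacy segment, and any use of the cleartext or obsolete protocols the post names (Telnet, FTP, SMBv1).

```python
"""Flag legacy-protocol traffic and segmentation violations in a flow log.

Added example: the log format, addresses and policy are all constructed
for illustration and do not belong to any real product or network.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed one-flow-per-line format; a real deployment would parse its
# own firewall, NetFlow or Zeek conn records instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+app=(?P<app>\S+)$"
)

# Protocols the post calls out as outdated: a finding wherever they appear,
# even between two hosts inside the legacy segment.
LEGACY_APPS = {
    "telnet": "Telnet (credentials in cleartext)",
    "ftp": "FTP (credentials in cleartext)",
    "smb1": "SMBv1 (obsolete dialect; the protocol WannaCry spread through)",
}


@dataclass(frozen=True)
class Policy:
    legacy_segment: ipaddress.IPv4Network  # isolated network holding legacy hosts
    jump_hosts: frozenset                  # only sources allowed INTO the segment
    log_collector: str                     # only destination allowed OUT of it


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    app: str


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    kind: str
    detail: str


def parse_line(line):
    """Return a Flow for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"], m["app"].lower())


def evaluate(flow, policy):
    """Apply the three checks (ingress, egress, legacy protocol) to one flow."""
    findings = []
    src_in = ipaddress.ip_address(flow.src) in policy.legacy_segment
    dst_in = ipaddress.ip_address(flow.dst) in policy.legacy_segment
    if dst_in and not src_in and flow.src not in policy.jump_hosts:
        findings.append(Finding(flow.ts, flow.src, flow.dst, "segmentation_violation",
                                f"ingress to legacy segment from non-jump host on port {flow.dport}"))
    if src_in and not dst_in and flow.dst != policy.log_collector:
        findings.append(Finding(flow.ts, flow.src, flow.dst, "unexpected_egress",
                                f"legacy host reaching out on port {flow.dport} ({flow.app})"))
    if flow.app in LEGACY_APPS:
        findings.append(Finding(flow.ts, flow.src, flow.dst, "legacy_protocol",
                                LEGACY_APPS[flow.app]))
    return findings


def scan(lines, policy):
    """Scan log lines; malformed lines are counted and skipped, never fatal."""
    findings, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        flow = parse_line(line)
        if flow is None:
            skipped += 1
            continue
        findings.extend(evaluate(flow, policy))
    return findings, skipped


def summarize(findings):
    """Count findings per kind, for a quick dashboard line."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed policy and sample log (not real addresses or traffic).
DEFAULT_POLICY = Policy(ipaddress.ip_network("10.99.0.0/24"),
                        frozenset({"10.20.1.10"}), "10.20.9.9")

SAMPLE_LOG = """\
2025-05-22T10:00:01Z src=10.20.1.10 dst=10.99.0.5 dport=3389 proto=tcp app=rdp
2025-05-22T10:00:07Z src=10.20.1.55 dst=10.99.0.5 dport=23 proto=tcp app=telnet
2025-05-22T10:00:12Z src=10.99.0.5 dst=10.20.9.9 dport=514 proto=udp app=syslog
2025-05-22T10:00:20Z src=10.99.0.7 dst=203.0.113.40 dport=445 proto=tcp app=smb1
2025-05-22T10:00:25Z src=10.99.0.5 dst=10.99.0.7 dport=21 proto=tcp app=ftp
this line is deliberately malformed
"""

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG.splitlines(), DEFAULT_POLICY)
    for f in found:
        print(f"{f.ts} {f.kind:24} {f.src} -> {f.dst}: {f.detail}")
    print("summary:", summarize(found), "skipped:", bad)
```

Run against the constructed log, the script raises five findings: one segmentation violation (a workstation that is not the jump host reaching a legacy host), one unexpected egress (a legacy host talking to an outside address), and three legacy-protocol hits. The permitted RDP session from the jump host and the syslog feed to the collector produce nothing, which is the point: the policy is encoded once and every flow is measured against it, so a "temporary" firewall exception that lets the wider network back into the legacy segment shows up as an alert rather than going unnoticed.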


Moving Forward

Legacy systems are more than outdated tech—they’re potential liabilities with cascading consequences. From cybersecurity risks and mounting costs to compliance failures and talent shortages, the costs of clinging to the past are growing every year.


Addressing legacy infrastructure requires more than just money. It takes strategic vision, risk awareness, and the courage to lead change. But the alternative—remaining vulnerable, inefficient, and brittle—is far riskier in today’s threat landscape.


Legacy systems may have built your business—but they shouldn’t hold it hostage. It's time to weigh the hidden risks against the visible comforts, and make strategic decisions that position your organisation for the future, not the past.


CyberForensics can help you with your legacy system challenges. We have strategies in place to adapt and secure your legacy software.


Case in point: Waikato District Health Board (DHB) Cybersecurity Crisis (2021)

In May 2021, the Waikato DHB—responsible for delivering public healthcare to over 400,000 people—was hit by a crippling ransomware attack that brought hospital operations across the region to a halt.


What happened?

All major IT systems were taken offline—patient records, email, radiology, laboratory systems, appointment bookings, and phones.


• Staff reverted to pen-and-paper methods.

• Surgeries were postponed and critical services were disrupted.

• Sensitive patient and staff data was later posted on the dark web.

• It took months to fully restore systems, with significant long-term impact on patient care and staff workloads.


Red flags:

Six months prior to the attack, an internal risk assessment highlighted glaring vulnerabilities in Waikato DHB’s IT environment:


• Multiple systems still ran Windows XP and other legacy platforms no longer supported by vendors.

• No incident response plan or cybersecurity roadmap existed.

• The network relied on outdated perimeter defences, with minimal monitoring or segmentation.

• Critical systems could not be patched or secured with modern protections.

• There was no full-time cybersecurity specialist on staff, and little internal capability to manage or respond to a cyber incident.


"Some of the legacy systems do not have security setups that can be modernised to protect against current security threats."

— Internal report, Waikato DHB (2020)


These warnings were not acted on.


The ransomware attack—widely believed to have been carried out by a criminal group exploiting well-known system weaknesses—was predictable and avoidable.


Cost Over Time

At first glance, maintaining a legacy system may seem cost-effective. There’s no capital outlay for new infrastructure. But over time, the real cost becomes clear:


• Rising support and maintenance bills

• Emergency outsourcing to specialist contractors

• Inefficient manual workarounds

• Security incidents and legal fallout


In response to the Waikato breach, the New Zealand government allocated $75.7 million to improve cybersecurity across the national health sector. This reactive spending could have been far more effectively used on prevention and modernisation.


Lessons from Waikato: Don’t Wait for the Breach

The Waikato DHB ransomware event should be a wake-up call for all organisations operating legacy infrastructure. The attack didn’t happen in a vacuum—it was warned about, documented, and left unresolved.


Healthcare, education, utilities, and local government are especially vulnerable sectors where legacy systems are common. If you rely on outdated platforms to run core services, it’s not a matter of if they will fail—but when.


CyberForensics can help you with your legacy system challenges.

We understand that many organisations still rely on critical applications built on outdated platforms. These systems often carry valuable business logic, proprietary workflows, and decades of institutional knowledge. 


Unfortunately, the hardware and software environments they depend on are increasingly fragile, insecure, and unsupported. 


Replacing or rewriting such systems is frequently too costly, time-consuming, or risky—especially when there are no guarantees of full compatibility or data integrity.


At CyberForensics, we specialise in developing secure, robust strategies that allow modern infrastructure to support these legacy applications—without requiring changes to the original codebase. 


Our approach avoids the “rip-and-replace” trap, offering a path forward that balances operational continuity with modern security expectations. We ensure your critical systems can continue to function safely and reliably, while the underlying technology stack is updated to meet today’s cybersecurity, compliance, and performance standards.


Rather than expose your business to the risks of unsupported operating systems, obsolete protocols, and failing hardware, we offer tailored solutions that bridge the gap between legacy and modern without disruption. Our team works discreetly and securely, ensuring business continuity while significantly reducing your risk profile.


If you’re facing the challenge of keeping old software running in an increasingly modern world, we invite you to talk with us. Let’s explore a secure, future-focused way to safeguard your systems and data—without needing to rewrite what already works.


If you have legacy software and would like a no obligation assessment, contact us: info@cyberforensics.co.nz

CyberForensics Blog Author:

Dr Bryce Antony

Chief Information Security Officer

Our leading practitioner of information security management, compliance, governance and cyber forensics. 

Bryce enjoys taking on a challenge and uses his experience and passion both to head the security of our business and guide our emerging leaders in the technology field.