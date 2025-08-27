Microsoft’s announcement that it will no longer support Windows 10 from October 14, 2025, has raised significant security concerns about legacy IT. After this deadline Microsoft will stop providing security updates for Windows 10, leaving newly discovered vulnerabilities in these systems unpatched. Microsoft customers are being urged to upgrade to Windows 11 before Windows 10 reaches its end-of-life date.

The consequences of failing to upgrade such systems can be dire. The UK’s National Cyber Security Centre (NCSC) highlighted that many Microsoft customers continued to run Windows XP after it reached its end-of-life date in 2014, a reality that helped attackers launch the notorious global WannaCry ransomware attack in 2017: the SMB vulnerability it exploited had already been patched on supported versions of Windows, but unsupported XP systems sat outside that update path. Fast forward to 2025 and the NCSC has warned that many organizations are “reticent” to upgrade from Windows 10, putting a large number of firms at high risk of compromise.

The urgency of the warnings around support ending for Windows 10 is symptomatic of broader security concerns about reliance on legacy IT systems, devices and applications. The issue is pervasive across all industries, including critical national infrastructure and the public sector. For example, a National Audit Office (NAO) report in January 2025 identified 228 legacy IT systems across UK government departments, 28% of which were “red rated”, meaning there was a high likelihood of operational and security risks occurring.

There are several reasons why many organizations rely extensively on unsupported legacy systems. These include comfort with an existing technology and no perceived need to change, an unwillingness to accept the business disruption of replacing these systems, and simply not being aware of the scale of legacy IT within the tech stack. It is vital that organizations understand the scale of the cybersecurity risk posed by relying on legacy IT and develop a strategy to address it as a matter of urgency. It will be incumbent on security leaders to drive this change, making the case to the boardroom to prioritize legacy IT upgrades and developing a comprehensive strategy for what is often a complex and disruptive process.
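The last of those reasons, not knowing the scale of legacy IT in the estate, is the one a security team can start on immediately, because it is a counting problem before it is a budgeting problem. As an added example that is not part of this article and is not code from Microsoft, the NCSC or the NAO, the following Python script triages a constructed asset-inventory export (hostname, OS name, kernel version string) against vendor end-of-support dates. It flags hosts that are already unsupported, hosts whose support ends within a configurable window, and hosts whose OS could not be identified at all, since an unidentified device is a visibility gap rather than a safe one. The CSV layout, column names, host names and the 90-day warning window are assumptions; the Windows XP (April 2014) and Windows 10 (14 October 2025) dates are the ones the article discusses, and the Windows 7 date (14 January 2020) is Microsoft's published end of support.

```python
"""Flag end-of-life Windows hosts in an asset inventory export.

Added example. The inventory format and column names are assumptions, not
those of any particular asset-management product.
"""
import csv
import io
import re
from collections import Counter
from datetime import date

# Vendor end-of-support dates. Windows XP and Windows 10 are the dates the
# article discusses; Windows 7 is Microsoft's published end-of-support date.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def product_from_version(os_version):
    """Map a kernel version string (e.g. '10.0.19045') to a product family.

    Windows 10 and Windows 11 both report kernel 10.0; builds from 22000
    upwards are Windows 11. Returns None when the string cannot be classified
    so that unidentified devices are surfaced, not silently treated as safe.
    """
    match = _VERSION_RE.match(os_version or "")
    if not match:
        return None
    major, minor, build = (int(x) for x in match.groups())
    if (major, minor) == (5, 1):
        return "Windows XP"
    if (major, minor) == (6, 1):
        return "Windows 7"
    if (major, minor) == (10, 0):
        return "Windows 11" if build >= 22000 else "Windows 10"
    return None


def classify(product, as_of, warn_days=90):
    """Return 'unknown', 'unsupported', 'ending_soon' or 'supported'."""
    if product is None:
        return "unknown"
    eol = END_OF_SUPPORT.get(product)
    if eol is None:
        # No product-wide end date recorded (e.g. Windows 11, whose support
        # is tracked per release rather than per product).
        return "supported"
    if eol <= as_of:
        return "unsupported"
    if (eol - as_of).days <= warn_days:
        return "ending_soon"
    return "supported"


def assess_inventory(csv_text, as_of, warn_days=90):
    """Parse a CSV export with hostname,os_name,os_version columns.

    `as_of` may be a date or an ISO string. Returns {hostname: (product, status)}.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = product_from_version(row.get("os_version", ""))
        results[row["hostname"]] = (product, classify(product, as_of, warn_days))
    return results


def summarize(results):
    """Count hosts per status; the 'unknown' bucket is the visibility gap."""
    return dict(Counter(status for _, status in results.values()))


# Constructed sample export; these are not real hosts.
SAMPLE_INVENTORY = """hostname,os_name,os_version
fin-ws-01,Microsoft Windows 10 Enterprise,10.0.19045
fin-ws-02,Microsoft Windows 11 Enterprise,10.0.22631
lab-ctrl-07,Microsoft Windows 7 Professional,6.1.7601
kiosk-03,Microsoft Windows XP Professional,5.1.2600
hvac-panel-02,,
"""

if __name__ == "__main__":
    report = assess_inventory(SAMPLE_INVENTORY, as_of="2025-08-27")
    for host, (product, status) in sorted(report.items()):
        print(f"{host:14} {product or '?':12} {status}")
    print(summarize(report))
```

Run against the article's publication date the sample fleet reports one host ending support within 90 days (the Windows 10 workstation), two already unsupported, one supported and one unknown. The unknown bucket is the number to take to the board first: those are the devices that nobody has yet claimed ownership of.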


Attacker Exploitation of Legacy Systems

Security researchers have observed a growing focus from threat actors on exploiting legacy systems, which are often an easier route to aims such as data theft, ransomware and espionage. A major driver is the continued discovery of vulnerabilities affecting systems and devices that no longer receive vendor patches. Beyond unpatched vulnerabilities, legacy IT typically has weaker security controls than current technology: outdated authentication and encryption protocols, and no support for modern security monitoring, logging and incident response tooling.

Rik Ferguson, VP of threat intelligence at Forescout, explained: “Threat actors now assume that legacy systems will be present, weakly segmented and lack effective monitoring. That assumption is often correct. What we are seeing is not just the reuse of old exploits but the deliberate integration of legacy weaknesses into modern attack paths.”

These factors make it harder for defenders to detect and respond to threats against such systems, handing attackers a major advantage.

In recent years the number of legacy Internet of Things (IoT) devices in organizations has grown, alongside more traditional IT systems such as workstations and servers that have reached end of life. Daniel dos Santos, head of research at Forescout, noted that these IoT devices are particularly problematic because they involve multiple vendors and are connected to the internet.

Why Replacing Legacy IT Tech is a Challenge

Despite the substantial cyber risk legacy IT poses to enterprises, security teams face significant barriers to replacing these systems and devices.

Cost and Resources

The cost, effort and disruption of migrating from legacy tech to new systems can be a difficult sell to business leadership.
Kam Karaji, director of cybersecurity and risk management at the NFL, told Infosecurity that the core challenge is that legacy systems often sit at the intersection of critical operations, bespoke configurations and institutional knowledge. “Replacing them is rarely a simple lift-and-shift,” he said. “There are frequently deep integrations with business processes, contractual obligations with third parties and a real fear of operational disruption.”

“Identifying, prioritizing and resourcing upgrades across a fragmented estate requires time, investment and cross-functional coordination,” he added.

Katell Thielemann, VP and distinguished analyst at Gartner, explained that if users, engineers and executives cannot see a tangible reason to update systems, such as performance or user interface improvements, they are unlikely to undertake the resource-intensive effort required to replace them.

Lack of Visibility

Another major problem is a lack of oversight of, and responsibility for, legacy IT. Ferguson noted that a significant number of IT devices are introduced to organizations without an update path, invisible to security tooling or deployed without clear ownership. This lack of oversight makes it very difficult to create an overarching strategy for migration and upgrades.

“Many legacy, or non-traditional, systems aren't managed by IT or cybersecurity teams. They fall under facilities, operations, clinical engineering or other business functions. When no one is clearly accountable, these systems often sit outside formal risk discussions and security processes,” Ferguson said.

Approaches to Make Legacy IT Migration a Business Priority

Given the significant cybersecurity weaknesses presented by legacy IT, upgrading such systems must be a priority for security leaders. The process requires significant investment and backing from the wider business, so security leaders need to make the case for upgrade efforts effectively, with business needs in mind.
The NFL’s Karaji emphasized the need to quantify the risk posed by legacy technology and connect it to business value to attract the attention of business leadership. This can encompass areas such as reputational damage, regulatory fines, customer trust and financial exposure.

"The most compelling business case is one that demonstrates the cost of inaction"