Microsoft’s announcement that it will no longer support Windows 10 operating systems from October 14, 2025, has raised significant security concerns surrounding legacy IT.
After this deadline, Microsoft will stop providing security updates to Windows 10, thereby leaving newly discovered vulnerabilities affecting these systems unpatched.
Microsoft customers are being urged to upgrade to Windows 11 before Windows 10 reaches its end-of-life date.
Failing to upgrade such systems can have dire consequences. The UK’s National Cyber Security Centre (NCSC) highlighted that many Microsoft customers continued with the legacy Windows XP system after it reached its end-of-life date in 2014 – a reality that allowed attackers to launch the notorious global WannaCry ransomware attack in 2017 by exploiting unknown vulnerabilities in XP systems.
Fast forward to 2025 and the NCSC has warned that many organizations are “reticent” to upgrade Windows 10, putting a large number of firms at high risk of compromise.
The urgency of the warnings around support ending for Windows 10 is symptomatic of broader security concerns about reliance on legacy IT systems, devices and applications. This issue is pervasive in organizations across all industries, including critical national infrastructure and the public sector.
For example, a National Audit Office (NAO) report in January 2025 identified 228 legacy IT systems across UK government departments, 28% of which were “red rated”, meaning there was a high likelihood of operational and security risks occurring.
There are several reasons why many organizations rely extensively on unsupported legacy systems. These include comfort with an existing technology and no perceived need to change, unwillingness to accept the business disruption of replacing these systems, and simply not being aware of the scale of legacy IT within the tech stack.
It is vital that organizations understand the scale of the cybersecurity risks posed by relying on legacy IT and develop a strategy to address it as a matter of urgency.
It will be incumbent on security leaders to drive this change, making the case to the boardroom to prioritize legacy IT upgrades and developing a comprehensive strategy to undertake this often complex and disruptive process.
Attacker Exploitation of Legacy Systems
Security researchers have observed a growing focus from threat actors on exploiting legacy systems, which are often an easier way to achieve aims such as data theft, ransomware and espionage.
This is largely due to the discovery of vulnerabilities that affect systems and devices no longer supported by vendor patches.
In addition to vulnerability exploitation on unsupported systems, legacy IT often has weaker security measures compared to updated technologies. This includes the use of outdated authentication and encryption protocols and a lack of support for modern security monitoring, logging and incident response tools.
Rik Ferguson, VP of threat intelligence at Forescout, explained: “Threat actors now assume that legacy systems will be present, weakly segmented and lack effective monitoring. That assumption is often correct. What we are seeing is not just the reuse of old exploits but the deliberate integration of legacy weaknesses into modern attack paths.”
These factors make it harder for defenders to detect and respond to threats to such systems, providing a major advantage to attackers.
There has been a growing number of legacy Internet of Things (IoT) devices in organizations in recent years, in addition to more traditional IT systems, such as workstations and servers that have reached their end of life. Daniel dos Santos, head of research at Forescout, noted that these IoT devices are particularly problematic as they involve multiple vendors and are connected to the internet.
Why Replacing Legacy IT Tech is a Challenge
Despite the substantial cyber risks to enterprises from legacy IT, security teams face significant barriers to replacing these systems and devices.
Cost and Resources
The cost, effort and disruption resulting from migrating from legacy tech to new systems can be a difficult sell to business leadership.
Kam Karaji, director of cybersecurity and risk management at the NFL, told Infosecurity that the core challenge is that legacy systems often sit at the intersection of critical operations, bespoke configurations and institutional knowledge.
“Replacing them is rarely a simple lift-and-shift,” he said. “There are frequently deep integrations with business processes, contractual obligations with third parties and a real fear of operational disruption.”
“Identifying, prioritizing and resourcing upgrades across a fragmented estate requires time, investment and cross-functional coordination,” he added.
Katell Thielemann, VP and distinguished analyst at Gartner, explained that if users, engineers and executives cannot see a tangible reason to update systems based on performance or user interface improvements, they are unlikely to undertake the resource-intensive efforts required to replace them.
Lack of Visibility
Another major problem is a lack of oversight and responsibility for legacy IT.
Ferguson noted that a significant number of IT devices introduced into organizations lack update paths, are invisible to security tooling or are deployed without clear ownership.
This lack of oversight makes it very difficult to create an overarching strategy for migration and upgrades.
“Many legacy, or non-traditional, systems aren't managed by IT or cybersecurity teams. They fall under facilities, operations, clinical engineering or other business functions. When no one is clearly accountable, these systems often sit outside formal risk discussions and security processes,” Ferguson said.
Approaches to Make Legacy IT Migration a Business Priority
Given the significant cybersecurity weaknesses presented by legacy IT, upgrading such systems must be a priority for security leaders.
Undertaking this process requires significant investment and backing from the wider business. Security leaders need to make the case for upgrade efforts effectively, with business needs in mind.
The NFL’s Karaji emphasized the need to quantify the risk posed by legacy technology and connect it to business value to attract the attention of business leadership. This can encompass areas such as reputational damage, regulatory fines, customer trust and financial exposure.
“Use real-world examples to illustrate how legacy vulnerabilities are being exploited across the industry and apply internal data to show how these risks manifest within your own environment. The most compelling business case is one that demonstrates the cost of inaction alongside a clear, phased roadmap for uplift – tied to business continuity, operational efficiency and long-term cost savings,” Karaji advised.
Security considerations are just one aspect of an upgrade strategy, and business leaders are likely to weigh up a range of factors.
Gartner’s Thielemann recommended highlighting the potential functionality and other business improvements that new technologies offer, working with other teams where necessary, to make a stronger case for investment.
Thielemann added that security leaders should assuage concerns over the business impact of replacing legacy IT by emphasizing mitigation strategies, such as phasing migration over a pre-agreed timeframe.
How to Create an Effective Migration Process for Legacy IT Systems
Gain Visibility
The first stage in developing a plan to migrate legacy systems is gaining a full picture of the scale of the problem within the organization.
This requires a dynamic, centralized inventory of all legacy systems, their dependencies and associated risks.
dos Santos recommended using an automated and continuous asset inventory solution that can discover every device connected to the network and what software versions they are running.
Once this information is gathered, an analysis should be undertaken to prioritize these risks based on factors such as threat exposure and business criticality.
“An unsupported router at the network edge is much more likely to be exploited than a patient monitor in a segmented clinical network,” dos Santos noted.
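As an added illustration of the inventory-and-prioritize step described above (example code written for this article, not a Forescout, NCSC or other vendor tool), the script below ranks a small constructed inventory by vendor support status, network exposure and business criticality, and adds a penalty for devices with no accountable owner. The asset names, dates other than Windows 10’s, the weights, and the 180-day “support ending soon” window are all assumptions; the ranking reproduces dos Santos’s point that an unsupported internet-facing router outranks an unsupported patient monitor on a segmented clinical network.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Fixed "today" so the ranking is reproducible; an assumption for this example.
TODAY = date(2025, 6, 1)
ENDING_SOON_DAYS = 180  # assumed lead time for flagging upcoming end of support


@dataclass
class Asset:
    name: str
    software: str
    end_of_support: Optional[date]  # None = no end-of-support date known
    exposure: str                   # "internet", "flat_lan" or "segmented"
    criticality: str                # "high", "medium" or "low"
    owner: Optional[str] = None     # None = nobody accountable for the system


# Assumed weights; tune to the organization's own risk appetite.
EXPOSURE_WEIGHT = {"internet": 3, "flat_lan": 2, "segmented": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
STATUS_WEIGHT = {"unsupported": 3, "ending_soon": 2, "supported": 0}


def support_status(asset: Asset, today: date = TODAY) -> str:
    """Classify an asset from its vendor end-of-support date."""
    if asset.end_of_support is None:
        return "supported"
    days_left = (asset.end_of_support - today).days
    if days_left < 0:
        return "unsupported"
    if days_left <= ENDING_SOON_DAYS:
        return "ending_soon"
    return "supported"


def risk_score(asset: Asset, today: date = TODAY) -> int:
    """Support status x exposure x criticality, plus a penalty for no owner."""
    score = (STATUS_WEIGHT[support_status(asset, today)]
             * EXPOSURE_WEIGHT[asset.exposure]
             * CRITICALITY_WEIGHT[asset.criticality])
    if asset.owner is None:
        score += 2  # orphaned systems sit outside formal risk discussions
    return score


def prioritise(assets: List[Asset], today: date = TODAY) -> List[Tuple[str, str, int]]:
    """Return (name, status, score) rows, highest risk first."""
    rows = [(a.name, support_status(a, today), risk_score(a, today)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def build_sample_inventory() -> List[Asset]:
    """Constructed inventory; only the Windows 10 date comes from the article."""
    return [
        Asset("app-srv-03", "Windows Server", None, "segmented", "high", "platform team"),
        Asset("ws-finance-12", "Windows 10", date(2025, 10, 14), "flat_lan", "medium", "desktop team"),
        Asset("icu-monitor-07", "patient monitor firmware", date(2022, 3, 31), "segmented", "high", "clinical engineering"),
        Asset("edge-rtr-01", "router OS", date(2023, 1, 1), "internet", "medium", None),
    ]


if __name__ == "__main__":
    for name, status, score in prioritise(build_sample_inventory()):
        print(f"{score:3d}  {status:12s}  {name}")
```

In a real deployment the inventory rows would be fed from the continuous discovery tooling dos Santos describes rather than typed in, and the exposure field would come from the network model (which zone the device sits in, whether it is reachable from the internet). The multiplicative score deliberately gives a fully supported system a score of zero so that the list contains only the legacy estate, which is what the migration plan needs.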
Select Appropriate Approaches and Timeframes
Once the security team has prioritized legacy systems based on their cyber risks, they should collaborate with the wider business to build a shared understanding of timelines and impacts.
To limit the business disruption caused by upgrades and migrations, Thielemann recommended the following approaches:
- Adopting a phased migration approach, including gradually replacing legacy components
- Planning migrations during off-peak hours
- Using parallel run strategies with rollback plans in place
For systems where alternatives or upgrades are not immediately available, Karaji advised applying compensating controls such as segmentation, multi-factor authentication (MFA) and enhanced monitoring.
Thielemann added that organizations should consider middleware or APIs to bridge old and new systems to protect the wider network from attacks on legacy systems in these situations.
Establish an Ongoing Legacy Upgrade Process
Once a plan has been enacted for existing legacy IT, security leaders should establish a strategy to ensure systems are upgraded before reaching their end-of-life date going forward.
Karaji said that lifecycle governance must be embedded into every IT product that is procured to make future migrations easier.
“End-of-life tracking must be embedded within procurement, risk management and technology governance processes. Contracts should include sunset clauses, upgrade roadmaps and exit strategies,” he commented.
Executive oversight, with clear accountability and KPIs for legacy reduction across different types of technology, is also important.
“Ultimately, legacy lifecycle management must evolve from a reactive posture to a proactive capability – owned at the executive level and delivered with operational discipline,” Karaji added.
Conclusion
Reliance on legacy technology is one of the biggest security challenges in enterprises today. Attackers are increasingly aware of the weaknesses in legacy IT and the challenges defenders face in detecting threats across these systems, applications and devices.
Security leaders must work closely with the wider business to upgrade and migrate legacy IT. This will require developing a strong business case for the necessary investment and disruption this process will entail.
The strategy must recognize that not all legacy systems and devices can be migrated quickly, with temporary measures required to protect the wider network until the process is completed.