LinkedIn Article - July
5 Reasons Why Legacy Software is a Security Threat.

Custom-built software can be hard to let go of. Tailored to your organisation’s specific needs, it offers myriad benefits for productivity and innovation.

However, if your company has been around for a while, then your custom-built software is likely outdated, and as a result, it could pose a serious security risk.

‘Unsupported (or end-of-life) software’ ranks first in the Cybersecurity and Infrastructure Security Agency’s list of security bad practices, while over half of IT professionals in critical industries say that legacy systems represent their biggest security challenge.

Cyberattackers today are targeting legacy software because they know it harbours blind spots and vulnerabilities that they can exploit to steal critical data and extort massive sums of money. If they’re successful, you could incur heavy financial and legal penalties. This is why more businesses are now migrating to secure cloud-based environments. Perhaps it’s time for you to upgrade too.

Why do companies hold on to legacy software?

Legacy custom-built software is likely embedded deep within your day-to-day operations. If this is the case, ripping it out for a newer model will likely require a complete system overhaul and significant downtime. This doesn’t exactly please stakeholders or map to strict product roadmaps, and it’s why many companies delay important software upgrades and migration plans – sometimes indefinitely.

But this fear of change comes back to bite you in one way or another. More than half of chief information officers say that they spend up to 60% of their time managing legacy technology. And when the average cost of a data breach is over AU $6.5 million, the benefits of upgrading become painfully clear.

The Australian Government puts it bluntly: “The most effective way to mitigate the risks associated with legacy IT is to replace it.”

The top 5 security risks of legacy software

Over 20,000 vulnerabilities have been discovered in 2024 so far – a figure set to be the highest ever recorded. Attackers are finding increasingly sophisticated ways to breach systems using tools and techniques such as ransomware, malware, phishing scams, and authentication flaws, and legacy software makes their lives a lot easier. Here’s why:

1. Legacy software is no longer supported

Legacy software eventually stops receiving support from the original developers, vendors, or manufacturers. This means you won’t receive official updates or bug fixes that protect you against new and evolving cyber threats, your documentation will go out of date (if it even exists at all), and you’ll struggle to find professionals skilled enough to help you at a decent price. Even informal communities built around solving legacy software issues eventually disappear. This all creates a perfect storm of confusion that leaves your vulnerabilities exposed and lets attackers catch your scent.

2. Legacy software lacks modern security controls

In just the past few years, the cyber threat landscape has evolved dramatically. To keep pace with the latest attack methods, your software needs to include several security controls (at minimum), including:

  • Multi-factor authentication (MFA)
  • Zero trust model
  • Modern encryption algorithms and secure communication protocols
  • Monitoring and reporting tools

Security controls like these help prevent attackers from accessing your network, escalating their privileges, and reaching critical data and resources. Unfortunately, legacy software is often designed to work in isolation, meaning it cannot integrate with modern tools, networks, or mobile applications. This leaves you unable to back up or recover your systems and devices, makes it easy for attackers to infiltrate your network without raising suspicion, and means that if they’re successful, you could lose everything.

3. Legacy software creates blind spots

Visibility is key to good cybersecurity. If you can’t see what’s going on inside your network, how can you expect to spot suspicious behaviour? The architecture of legacy software is often complicated and monolithic. This means that while it may be home to many users, privileges, applications, and third parties, IT teams cannot always keep track of them all. And it’s through these unmonitored access points that attackers infiltrate your network.

Case study

Legacy accounts that aren’t protected by authentication controls such as MFA or monitored by administrators are prime targets for attackers. The massive attack on Medibank in 2022, which leaked the sensitive information of nearly 9.7 million customers and could carry fines into the trillions of dollars, is a key example.

If your software is making life difficult for your teams, they’re more likely to leave things exposed. After all, employees grappling with the day-to-day issues of legacy software may not be vigilant of phishing attempts, good password hygiene, or safe remote working practices, while admins and security teams may lack the tools to audit their network environment and assign the correct access permissions to users.

4. Legacy software makes life easy for insider threats

Legacy software can also be damaged from within by your own employees. These insider threats can cause even more damage than attacks coming from outside your network. Insider threat incidents are on the rise in Australia, and they cost businesses an average of more than AU $20 million each time.

Insiders already have privileged access to networks, systems, and data. This makes it quicker and easier for them to deploy malware, for instance, into the heart of your software without alerting security teams – especially if your software lacks the security controls or architecture needed to recognise suspicious behaviour.

Here’s a twist: insider threats aren’t always malicious. If your software is defective or confusing, employees can accidentally alter critical system controls, exploit unpatched vulnerabilities, or leak personal and business data – inadvertently damaging your system from within and opening the door to threats lurking outside.

Case studies

Malicious insider threat: In 2023, two former staff members at Tesla exposed the sensitive information of nearly 76,000 employees and shared it with a German newspaper.

Accidental insider threat: An insider source blamed the major Optus breach, which affected up to 10 million customers and leaked personal data from the defence and prime minister’s office, on human error.

5. Legacy software leads to non-compliance

Leaving security holes in your software exposed can have serious legal, financial, and reputational consequences. This is because most companies – especially those in sensitive industries such as healthcare, manufacturing, and finance – are subject to data privacy and security regulations including:

  • General Data Protection Regulation (GDPR)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Australian Privacy Act
  • Security of Critical Infrastructure (SOCI) Act


These regulations are growing stricter as cyber threats grow more sophisticated. The Australian Privacy Act, for example, is being reformed in its rules around data management following the major Optus and Medibank breaches of 2022, and the Governance Institute of Australia predicts more class-action lawsuits from victims of cyberattacks in the coming year. These lawsuits can be serious – fines have been known to reach billions. Money aside, data security is now a top concern for customers and suppliers when deciding whether to trust a business.

Most cybersecurity frameworks and regulations state that companies have a duty to protect their software, safeguard sensitive data, and prove that they’re properly maintaining customer records. This is difficult (if not impossible) with outdated software. And if your system or data is compromised and the audit logs show that legacy software is to blame, you can be heavily penalised.

Now is the time to act

Strong cybersecurity requires fast, lean, and agile software that can scale with your company while fending off fast-evolving cyber threats. The gold standard today is a custom private, public (AWS, Google Cloud, Microsoft Azure), or hybrid cloud environment which includes security features such as:

  • State-of-the-art encryption standards (such as TLS/SSL and AES-256)
  • Strong authentication mechanisms (such as MFA, passwordless, and single sign-on)
  • Behavioural detection and analysis tools
  • Regular (and automated) security patches
  • Detailed audit logs and compliance monitoring
  • Zero trust architecture
  • Incident response and reporting measures

Your employees and customers are relying on you. If you think you’re running legacy software, it’s crucial to review your security posture as soon as possible. Undiagnosed vulnerabilities in your system can have devastating consequences.

How Genolis can help

At Genolis, we’re offering a free security assessment to reveal whether your software is putting you at risk. If so, we can help you draw up a migration plan that gives you full protection and peace of mind. Get in touch today for a free consultation.

About us

Modernising your software doesn’t have to be difficult or expensive. At Genolis, we have over 20 years of experience in building innovative, scalable, and secure custom products that help companies across all industries to innovate and grow. With expertise in web services, cloud solutions, desktop and mobile apps, and more, we’ll tailor the perfect product for your business needs.