Software & Patching · 12 March 2025 · 6 min read

Legacy Software: The Hidden Cyber Risk in Your Business

Old, unsupported software doesn't receive security patches — leaving your business exposed. Here's how to identify and manage legacy software risk.


Every piece of software in your business has a lifespan. Developers release updates, fix bugs, patch security vulnerabilities — and eventually, they stop. When a software product reaches its end of life (EOL), the developer stops issuing security updates. Any vulnerability discovered after that point will never be fixed.

This is the hidden risk of legacy software. It's not that old software suddenly becomes dangerous — it's that the world around it keeps changing. New vulnerabilities are discovered. New attack techniques emerge. And your old software, frozen in time, can't be updated to address them.

For Australian small businesses, legacy software is far more common than most owners realise. An outdated version of Windows on a back-office computer. An accounting system that hasn't been updated in three years. A web browser running an old version. Each of these represents an open door that attackers know how to find.

Why Legacy Software Is a Serious Risk

When software reaches end of life, a countdown begins. Security researchers and attackers alike scan for vulnerabilities in that software — knowing that any they find will remain exploitable forever. These vulnerabilities are often published publicly or sold on the dark web.

The ASD's Essential Eight framework — Australia's leading cyber security guidance for businesses — lists patching applications and patching operating systems as two of the eight most critical controls for defending against cyber attacks. The reasoning is simple: most successful attacks exploit known vulnerabilities that patches would have fixed.

Some of the most damaging global cyber incidents have exploited legacy systems. The 2017 WannaCry ransomware attack, which affected organisations across 150 countries, primarily targeted systems running unsupported versions of Windows. The patch had been available for months — but many organisations hadn't applied it.

Common Legacy Software Risks in Small Businesses

End-of-Life Operating Systems

Microsoft ends mainstream support for Windows 10 in October 2025. Businesses still running Windows 10 beyond that point will stop receiving security updates. Windows 7 and Windows 8 have been out of support for years and should not be running in any business environment. If you're unsure what version of Windows your computers are running, check Settings > System > About.

Unsupported Business Applications

Industry-specific software — particularly older accounting, job management, or industry database tools — often lags behind on security updates. If you're running software that your vendor no longer actively supports, you're carrying that risk. Check with your software vendors about their support and update policies.

Outdated Browsers and Plugins

Web browsers are a primary attack surface — they process untrusted content from the internet constantly. Running an outdated browser, or browser plugins like Adobe Flash (now discontinued), is a significant vulnerability. Ensure all browsers on business devices update automatically.

Legacy Server Software

Businesses that run their own on-premise servers — whether for file storage, email, or specific applications — often run server software that hasn't been updated in years. This is particularly risky because servers are often internet-facing, making them directly accessible to attackers.

How to Identify Legacy Software in Your Business

Before you can manage legacy software risk, you need to know what you're dealing with. A basic software inventory involves:

  1. Listing all devices in your business — desktops, laptops, servers, tablets, phones
  2. Checking the operating system version on each device
  3. Listing key applications installed on each device and their version numbers
  4. Checking vendor support status — is this version still receiving security updates?

For Windows devices, the Windows Update settings will show whether your system is up to date and supported. For applications, most software has a "Check for updates" or "About" option in the menu.

If you're using Microsoft 365 or Microsoft Intune, these platforms include device management features that can give you a centralised view of software versions across your fleet.
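As an added example (not part of the original article), the PowerShell script below carries out steps 2 to 4 of the inventory on a single Windows device: it records the operating system version, lists installed applications with their versions from the registry, flags an end-of-life operating system, and writes a CSV you can merge across devices for the quarterly review. The version-to-product rules in the script are assumptions made here (Windows 11 reports version 10.0 with build 22000 or later), and the end-of-support status should be confirmed with the vendor.

```powershell
# Added example, not from the article: inventory one Windows device (steps 2 to 4)
# and flag an end-of-life operating system. Works in Windows PowerShell 5.1 and later.
# Assumption: the version/build rules below are this example's own (Windows 11 reports
# version 10.0 with build 22000 or later); confirm end-of-support dates with the vendor.

# Step 2: operating system name, version and build number.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# 6.1 = Windows 7, 6.2 = Windows 8, 6.3 = Windows 8.1: all out of support.
$osStatus = switch -Regex ($os.Version) {
    '^6\.[123]\.' { 'UNSUPPORTED (Windows 7/8/8.1) - replace' }
    '^10\.0\.' {
        if ($build -lt 22000) { 'CHECK: Windows 10, end of support October 2025' }
        else                  { 'supported (Windows 11)' }
    }
    default       { 'unknown - verify support status with the vendor' }
}
Write-Host "Device: $env:COMPUTERNAME"
Write-Host "OS:     $($os.Caption) $($os.Version) build $build -> $osStatus"

# Step 3: installed applications and their versions, read from the Uninstall
# registry keys (64-bit, 32-bit and per-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{ n = 'Device'; e = { $env:COMPUTERNAME } },
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# Step 4: a starting point for the vendor-support check. Flag the product the article
# names as discontinued (Adobe Flash); extend the pattern with your own vendors' EOL lists.
$discontinued = 'Adobe Flash Player'
$flagged = $apps | Where-Object { $_.DisplayName -match $discontinued }

# Write the inventory to CSV so it can be merged across devices for the quarterly review.
$csv = ".\inventory-$env:COMPUTERNAME.csv"
$apps | Export-Csv -Path $csv -NoTypeInformation
Write-Host "$(@($apps).Count) applications written to $csv"
$flagged | ForEach-Object {
    Write-Host "FLAG: $($_.DisplayName) $($_.DisplayVersion) is discontinued and receives no patches"
}
```

Run it on each Windows device (step 1 is still your list of devices, including the ones that are not Windows) and combine the CSV files to get the fleet-wide view that Intune provides automatically.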

Managing Legacy Software Risk

Prioritise Replacement Over Workarounds

The right long-term answer for unsupported software is replacement. Migration to a modern, supported alternative — even if there are upfront costs — is almost always preferable to the ongoing risk and eventual incident cost of running legacy systems.

If Replacement Isn't Immediate, Isolate the Risk

If a legacy system must remain operational in the short term (perhaps because it controls specialist equipment or runs a critical business function with no immediate alternative), take steps to reduce its exposure:

  • Network isolation — put the legacy system on a separate, isolated network segment so it can't be a stepping stone into the rest of your business
  • Restrict internet access — remove internet access from devices running legacy software where possible
  • Compensating controls — ensure strong monitoring, access controls, and additional logging are in place around legacy systems

Establish a Patching and Review Schedule

For supported software, apply security patches promptly. The ASD's Essential Eight recommends patching critical vulnerabilities within 48 hours of release. For less critical patches, within 30 days is a reasonable target for small businesses.

Set a calendar reminder to review your software inventory quarterly. It takes 30 minutes and keeps you across upcoming end-of-life dates before they become a crisis.

Key Takeaways

  • Legacy and end-of-life software no longer receives security patches, leaving known vulnerabilities permanently unaddressed.
  • The ASD's Essential Eight includes patching operating systems and applications as two of the most important controls for Australian businesses.
  • Common legacy risks include unsupported Windows versions, outdated business applications, old browsers, and unpatched server software.
  • Conduct a basic software inventory to identify what you're running and whether it's still supported.
  • Prioritise replacing unsupported software. If you can't replace it immediately, isolate it from the rest of your network to limit exposure.
  • Patch supported software promptly — critical patches within 48 hours where possible.

Not sure how your software security practices stack up? Run a free cyber risk assessment at flagged.com.au — it takes under 10 minutes and gives you a prioritised action list tailored to your business.

Tags: legacy software, end of life, patching, vulnerability, small business