Why legacy systems have become cybersecurity's least trusted zone

Tenable APAC

By Ben Mudie, Field CTO for APJ at Tenable
Wednesday, 25 March, 2026

Most large Australian organisations still rely on systems that were built more than a decade ago. Legacy investment platforms, policy administration systems, industrial control environments and enterprise resource planning stacks continue to underpin daily operations. They process critical data, support revenue, and in many cases cannot be easily replaced.

Age is not what makes them risky. What makes them risky is that they are no longer fully understood.

Over time, these systems have been modified, extended and integrated into newer environments. Teams that originally built them have moved on. Documentation is incomplete or outdated. Workarounds become permanent. Access layers are added to connect them to cloud services, customer interfaces and third-party platforms.

The system remains operational, but the understanding of how it actually behaves degrades. This creates a zone of ambiguity inside the organisation: a system that is critical to operations but not fully visible, not consistently governed, and often excluded from modern security controls.

That is where the risk sits.

Attackers do not target legacy systems because they are old. They target them because these systems provide predictable points of uncertainty. They are areas with low visibility, unclear ownership and inconsistent control frameworks.

As outlined in the Australian Cyber Security Centre’s Annual Cyber Threat Report 2024–25, legacy technology is explicitly identified as a priority risk area, with organisations urged to replace it as part of core mitigation strategies. At the same time, incidents and exposure continue to rise. The ACSC responded to more than 1200 cyber incidents in the past year, issued over 1700 proactive threat notifications and recorded more than 84,700 cybercrime reports, roughly one every six minutes.

In recent Australian incidents across sectors including finance, health care and infrastructure, compromise has often involved movement through environments that were partially modernised but still anchored to older systems. The breach does not begin with the legacy platform itself. It emerges at the boundary between old and new, where integration has outpaced governance.

From a board perspective, this is difficult to detect. Most reporting still reflects the modern estate. Cloud posture, endpoint coverage and identity controls are measured and presented in detail. Legacy environments are frequently reported in more general terms, if at all. They sit outside the dashboards that drive executive visibility.

This creates a false sense of security. An organisation can report strong security metrics across its modern infrastructure while carrying material exposure in the systems that matter most. The core platforms that hold sensitive data or enable critical operations are often the least instrumented and the least tested under current threat models.

The issue is not neglect; it is structural.

Modernisation strategies typically prioritise customer-facing systems, data platforms and digital services. Investment follows growth and efficiency objectives. Legacy systems are stabilised, wrapped or partially migrated, but rarely subjected to the same level of continuous scrutiny.

Over time, they become trusted by necessity rather than by assurance.

This is where the framing needs to change. Legacy systems should not be treated as residual technology debt. They should be treated as high-consequence assets operating under reduced visibility. That distinction matters because it changes how capital is allocated.

Instead of focusing solely on replacement timelines, organisations need to invest in understanding. That means mapping how these systems connect to the broader environment, identifying where privilege accumulates, and making explicit which controls do and do not apply.
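The "understanding" described here, and the reporting gap described earlier (modern-estate dashboards that quietly exclude legacy platforms), can both be made concrete with a small inventory-driven report. The following Python is an added example, not code from the article or from Tenable: it takes a constructed asset inventory (every asset, owner, control and account below is made up), lists which expected controls are missing per asset, computes control coverage for the modern tier versus the whole estate, finds accounts whose administrative reach spans several systems, and lists integrations that cross the legacy/modern boundary. The baseline control set in `REQUIRED_CONTROLS` is an assumption for illustration.

```python
"""Control-coverage, ownership and privilege-concentration report over an asset inventory.

Added illustration; the inventory below is constructed, not drawn from any real estate.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    tier: str                 # "legacy" or "modern"
    critical: bool            # holds sensitive data or enables critical operations
    owner: Optional[str]      # accountable team, or None when ownership is unclear
    controls: set             # controls actually applied to this asset
    connections: list         # names of assets this one integrates with
    admins: set               # accounts holding administrative access


# Assumed baseline: controls the organisation expects on every asset.
REQUIRED_CONTROLS = {"edr", "mfa", "central_logging", "vuln_scanning"}

# Constructed sample inventory: two modern systems, two legacy cores, one internal host.
INVENTORY = [
    Asset("cloud-crm", "modern", True, "digital", set(REQUIRED_CONTROLS),
          ["policy-admin"], {"svc-integration", "alice"}),
    Asset("customer-portal", "modern", True, "digital", set(REQUIRED_CONTROLS),
          ["policy-admin", "cloud-crm"], {"alice"}),
    Asset("policy-admin", "legacy", True, None, {"central_logging"},
          ["erp-core"], {"svc-integration", "bob", "vendor-support"}),
    Asset("erp-core", "legacy", True, "finance-ops", {"vuln_scanning"},
          [], {"svc-integration", "bob"}),
    Asset("build-server", "modern", False, "platform", {"edr", "mfa", "central_logging"},
          [], {"alice"}),
]


def control_gaps(assets, required=REQUIRED_CONTROLS):
    """Map asset name -> sorted list of expected controls that are not applied."""
    return {a.name: sorted(required - a.controls) for a in assets if required - a.controls}


def coverage_pct(assets, control, tier=None):
    """Percentage of assets (optionally restricted to one tier) that have `control` applied.

    Reporting this only for tier="modern" is exactly how a dashboard overstates posture.
    """
    scope = [a for a in assets if tier is None or a.tier == tier]
    if not scope:
        return 0.0
    return 100.0 * sum(control in a.controls for a in scope) / len(scope)


def privilege_concentration(assets, min_assets=2):
    """Accounts with admin rights on at least `min_assets` assets, widest reach first."""
    reach = {}
    for a in assets:
        for acct in a.admins:
            reach.setdefault(acct, set()).add(a.name)
    hits = [(acct, sorted(names)) for acct, names in reach.items() if len(names) >= min_assets]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


def boundary_edges(assets):
    """Integrations that cross the legacy/modern boundary, as sorted (source, target) pairs."""
    tier = {a.name: a.tier for a in assets}
    return sorted((a.name, t) for a in assets for t in a.connections
                  if tier.get(t) not in (None, a.tier))


def unowned_critical(assets):
    """Critical assets with no accountable owner recorded."""
    return sorted(a.name for a in assets if a.critical and a.owner is None)


def report(assets):
    """Print the four views a board-level summary usually lacks for the legacy estate."""
    print("Control gaps per asset:")
    for name, missing in control_gaps(assets).items():
        print(f"  {name}: missing {', '.join(missing)}")
    for ctl in sorted(REQUIRED_CONTROLS):
        print(f"{ctl}: modern {coverage_pct(assets, ctl, 'modern'):.0f}%"
              f" vs whole estate {coverage_pct(assets, ctl):.0f}%")
    print("Accounts with admin reach across systems:")
    for acct, names in privilege_concentration(assets):
        print(f"  {acct}: {', '.join(names)}")
    print("Integrations crossing the legacy/modern boundary:", boundary_edges(assets))
    print("Critical assets without an owner:", unowned_critical(assets))


if __name__ == "__main__":
    report(INVENTORY)
```

Run as a script, the report shows EDR coverage at 100% for the modern tier but 60% across the estate, one service account with administrative access on both sides of the boundary, two modern systems integrating directly into an unowned legacy core, and which expected controls each legacy asset lacks. In practice the inventory would be populated from a CMDB, vulnerability scanner and identity provider rather than hard-coded.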

It also requires clearer ownership. In many organisations, responsibility for legacy platforms is fragmented across technology, operations and third-party vendors.

The financial lens is instructive here. If a company held a critical asset on its balance sheet but could not clearly articulate how it was governed, who controlled access to it, or how it interacted with the rest of the business, it would be flagged immediately. Yet that is effectively how many legacy systems operate today.

They are central to value creation, but peripheral to modern governance. This is why they have become cybersecurity’s least trusted zone: not because they are inherently insecure, but because they exist in a gap between what organisations rely on and what they can confidently verify.

Until that gap is closed, modernisation will continue to layer new capability on top of old uncertainty. The surface may improve, but the underlying exposure will remain.
