Breakpoint Blog

Benjamin Mossé • 16 Oct 2025

Manage Legacy IT Risks

The 2024-25 ASD Threat Report highlights legacy IT as one of the top risks facing organizations today. And they’re right to do so.

On the surface, “patch and update your systems” sounds simple.
But once you map out their full set of recommendations, the scale of the challenge becomes clear.

I’ve seen networks with hundreds of unsupported operating systems.
Millions of known vulnerabilities.
And business-critical apps that were never tested or updated.

That’s just the starting point.

The deeper issue is why systems stay unpatched:
No SLAs.
High cost of change.
Vendors refusing to patch legacy apps because the fixes would require a total rewrite.

One of the worst cases I’ve seen involved a third-party application, exposed to the internet, holding over a million PII and PHI records. The vendor knew about the vulnerabilities but declined to patch them. Fixing the issues would require a full architectural overhaul - and they weren’t willing to make the investment.

This is where leadership matters most.
Not with a quick fix, but with long-term commitment.
Repairing relationships.
Finding small wins.
Showing up to every meeting, month after month, until things begin to change.
