Legacy systems are outdated technologies, hardware or software that organisations continue to use even though they can no longer be effectively maintained or kept secure. In this blog, we provide advice on the risks organisations should consider if they are using a legacy system, and on what to do if they are planning to update or replace it.
Why do organisations use legacy systems?
The main reasons why organisations continue to use legacy systems include:
- they are part of a core or critical function of the organisation, for example revenue collection or customer registration. Updating or replacing these systems requires resources (both dollars and people) that the organisation currently doesn't have, or the organisation believes that changing the system could create a risk of business failure
- inadequate – or lack of – organisational planning for system lifecycle management. System lifecycle management allows for future acquisition, implementation, maintenance, replacement and decommissioning of information technology (IT) assets.
Some organisations have implemented a workaround process for their legacy system so they can continue using it. For example, instead of updating the programs or functions within the system that approve transactions within delegation limits, the organisation uses a manual register or develops an approval process outside the system to address the risk. This approach, however, is not only a retrograde step that creates an inefficient process; it also ignores the cyber threat associated with a system that the original technology supplier no longer supports.
What are the risks of using legacy systems?
The risks of using legacy systems generally fall into 2 areas: business and technology risks.
Business risks relate to whether the systems continue to meet the current and future needs of the organisation. Legacy systems typically limit an organisation’s ability to:
- advance new business initiatives or respond to changing requirements and priorities, for example additional data requirements and system controls needed to meet policy and legislation updates
- efficiently collect, analyse, and corroborate various types of data to support better decision making and governance
- effectively integrate and/or automate business processes that involve the use of other systems.
The primary technology risks relate to:
- Cyber threats: Organisations increase their risk of cyber breaches and the loss of sensitive information when they continue to use a legacy system. Legacy systems are usually no longer maintained or supported by the original technology supplier, so the supplier is no longer looking for and fixing security vulnerabilities that cyber actors can take advantage of, and no longer provides technology updates such as security patches (programs that close known security gaps). Legacy systems are also limited in their support for modern security practices, such as multi-factor authentication, single sign-on, more detailed logging and audit trails, and stronger encryption methods.
- Higher support and maintenance costs, and limited resource availability: Legacy systems are likely to have been heavily customised or updated over the years, but organisations may not have kept documentation of those changes. This customisation, coupled with the use of outdated technology, increases the organisation's dependence on a small pool of people who can maintain the system. Where the technology supplier still offers support, it usually comes at a premium price.
What can organisations do to reduce their risk?
Technology experts recommend a range of approaches that vary in scale and complexity for modernising legacy systems.
- Small scale changes: These are easier to implement because they do not modify the existing programs, features and functions of the system. Instead, they move the system onto a different, updated underlying IT infrastructure, or limit access to the system from IT networks outside the organisation.
- Medium scale changes: These aim to modify and optimise the existing programs within the system through restructuring and rearchitecting.
- Large scale changes: These are more complex and therefore harder to implement. Approaches include rebuilding the legacy system from scratch or replacing the legacy system altogether.
What do organisations need to consider when updating their legacy systems?
Organisations need to consider the following factors when planning to update their legacy systems:
- What modernisation options are available, and which one provides the best value (including cost, timeframe to implement, risk management and the overall organisation business strategy)? This assessment could also include:
- considering what existing and future skills are needed to support a legacy or updated system
- reassessing the design or outputs and outcomes of the business process or function the legacy system is serving.
- What will be the organisation's roadmap for addressing the risks associated with the legacy system, both in the short and the long term? For example, an organisation could limit access to the system to a software intermediary: another application that interacts with the legacy system as a go-between, so that users and other systems never reach the legacy system directly. This is an example of a short-term, small scale solution. It can make the system appear to operate like a modern system and provide an additional layer of security (for example, authentication, input validation and an audit trail that the legacy system itself lacks). The organisation, however, will still need to understand the residual risk and continue paying the maintenance costs of the legacy system.
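The software intermediary described above, as an added worked example (not code from the original post or from any QAO system): a small gateway that sits in front of a simulated legacy transaction-approval back end. The legacy component, the token secret, the role names and the delegation limits are all constructed for this example. The intermediary authenticates callers with a signed token, allow-lists which roles may call which legacy operations, enforces delegation limits that the legacy system has no concept of, validates input, and writes an audit trail. The residual risk the text mentions is visible in the code: anything that can reach `LegacySystem` directly bypasses every one of these controls, which is why the intermediary only helps when network access to the legacy system is restricted to it.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Shared secret used to sign session tokens. Constructed for this example; a real
# deployment would load it from a secrets store, never from source code.
TOKEN_SECRET = b"example-only-secret"

# Delegation limits per role. The legacy system has none, so the intermediary
# enforces them. Values are constructed for the example.
DELEGATION_LIMITS = {"approver": 10_000, "senior_approver": 100_000}

# Which roles may call which legacy operations (deny by default).
ALLOWED_OPERATIONS = {
    "lookup": {"viewer", "approver", "senior_approver"},
    "approve": {"approver", "senior_approver"},
}


class LegacySystem:
    """Stand-in for the unsupported back end: trusts every caller, keeps no audit trail."""

    def __init__(self):
        self.approvals = {}

    def approve(self, txn_id, amount, approver):
        self.approvals[txn_id] = (amount, approver)
        return f"APPROVED {txn_id}"

    def lookup(self, txn_id):
        return self.approvals.get(txn_id)


def issue_token(user, role):
    """Mint a signed token 'user:role:signature'. A modern front door (SSO/MFA) would sit here."""
    payload = f"{user}:{role}".encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user}:{role}:{sig}"


def verify_token(token):
    """Return (user, role) if the token's signature is valid, otherwise None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, role, sig = parts
    expected = hmac.new(TOKEN_SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    return (user, role) if hmac.compare_digest(sig, expected) else None


class Intermediary:
    """The go-between: each request is authenticated, authorised, validated and logged
    before it reaches the legacy system."""

    def __init__(self, legacy):
        self.legacy = legacy
        self.audit_log = []

    def _audit(self, user, operation, outcome, **details):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "operation": operation, "outcome": outcome, **details})

    def handle(self, token, operation, params):
        identity = verify_token(token)
        if identity is None:
            self._audit(None, operation, "denied", reason="invalid token")
            return {"ok": False, "error": "authentication failed"}
        user, role = identity
        if role not in ALLOWED_OPERATIONS.get(operation, set()):
            self._audit(user, operation, "denied", reason="role not permitted")
            return {"ok": False, "error": "operation not permitted"}
        # Input validation the legacy system never performed.
        txn_id = params.get("txn_id")
        if not isinstance(txn_id, str) or not txn_id.isalnum():
            self._audit(user, operation, "denied", reason="bad txn_id")
            return {"ok": False, "error": "invalid transaction id"}
        if operation == "approve":
            amount = params.get("amount")
            if not isinstance(amount, (int, float)) or amount <= 0:
                self._audit(user, operation, "denied", reason="bad amount")
                return {"ok": False, "error": "invalid amount"}
            if amount > DELEGATION_LIMITS[role]:
                self._audit(user, operation, "denied", reason="over delegation limit", amount=amount)
                return {"ok": False, "error": "amount exceeds delegation limit"}
            result = self.legacy.approve(txn_id, amount, user)
        else:
            result = self.legacy.lookup(txn_id)
        self._audit(user, operation, "allowed", txn_id=txn_id)
        return {"ok": True, "result": result}


def demo():
    """Push a few constructed requests through the intermediary; return outcomes and audit log."""
    gateway = Intermediary(LegacySystem())
    approver = issue_token("alice", "approver")
    viewer = issue_token("bob", "viewer")
    forged = "mallory:senior_approver:" + "0" * 64  # constructed bad signature
    outcomes = [
        gateway.handle(approver, "approve", {"txn_id": "TX1001", "amount": 2500}),
        gateway.handle(approver, "approve", {"txn_id": "TX1002", "amount": 50_000}),
        gateway.handle(viewer, "approve", {"txn_id": "TX1003", "amount": 10}),
        gateway.handle(forged, "approve", {"txn_id": "TX1004", "amount": 10}),
        gateway.handle(viewer, "lookup", {"txn_id": "TX1001"}),
    ]
    return outcomes, gateway.audit_log


if __name__ == "__main__":
    results, log = demo()
    for r in results:
        print(r)
    print(json.dumps(log, indent=2))
```

Every decision the gateway makes, allowed or denied, lands in `audit_log` with the caller's identity and the reason, which is exactly the logging and audit trail that the text lists as missing from legacy systems. Note what the gateway does not do: it does not make the legacy code itself any safer, so it must remain the only path onto the legacy system's network segment, and the organisation still carries the legacy maintenance cost.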
- What is the risk assessment for each individual legacy system, and for the organisation's overall portfolio of systems? This assessment allows the organisation to make a more informed decision on the risks, their potential treatment (including controls), and the approach, scale and overall direction needed to update the legacy system.
On a final note, it is important that organisations determine a roadmap for all of their systems, not just their legacy systems. New systems will in time become legacy systems themselves if their maintenance and future update or replacement are not adequately planned for.
Reports to parliament
- Delivering successful technology projects (Report 7: 2020–21)
- Queensland Health's new finance and supply chain management system (Report 4: 2020–21)
- Effectiveness of the State Penalties Enforcement Registry ICT reform (Report 10: 2019–20)
- Managing cyber security risks (Report 3: 2019–20)
- Digitising public hospitals (Report 10: 2018–19)
- Monitoring and managing ICT projects (Report 1: 2018–19)
Better practice guides
- QAO better practice guide—Delivering successful technology projects
- QAO better practice guide—Learnings for ICT projects
- Is your information Security Management System helping you mitigate cyber risk?
- Tips on implementing a new ICT system
- Evolving digital services in government
- Learnings for ICT projects
- Lessons learned: Project steering committees for digital transformation projects
- Effectively monitoring and managing projects and programs