One reason companies keep legacy hardware such as older model servers, solid-state drives and networking components is the replacement cost. The number of servers needed to support a modest business would run you in the neighborhood of $1 million per year if purchased new.
Other organizations keep legacy appliances such as minicomputers and mainframes because they signed long-term service contracts. They're still using the old hardware because they still have a service contract with the provider -- even if it's no longer the original vendor.
Some organizations retain legacy hardware because it contains data or software that's no longer in production, but is used for "lookup only." It's possible organizations must keep old hardware for legal or regulatory reasons, but, usually, it's because admins haven't done a full inventory and analysis of all their hardware and data, so it remains.
The risks of legacy hardware usage
There are legal, financial and operational risks to using legacy hardware to power any organization. Older hardware will struggle to run the 21st-century technology that today's organizations need to function, leading to productivity loss and employee attrition. There are also significant security risks to keeping legacy hardware in a tech stack.
Malware attacks. Each generation of server hardware, networking components and software brings new technology to prevent or mitigate growing malware threats. Vendors typically have end-of-life dates that remove support for hardware, software or driver updates.
Any business that uses these legacy devices risks leaving itself open to general malware attacks because the devices no longer have the latest code fixes or updated protections. Any data on these devices is at risk -- especially in industries such as healthcare or finance.
Data loss. Once legacy hardware compromises a network, the network is open to the more sophisticated malware attacks that hackers use to jeopardize infrastructure or steal end-user data. Threat actors can gain access to legacy hardware that's still used for production because the security is outdated, or they could gain access to the lookup-only hardware devices that store historical data. A common modus operandi for hackers is injection attacks against SQL databases.
Some IT teams may think they can skip their established hardware disposal processes because the hardware is outdated. Businesses could suffer critical data theft on legacy devices they dispose of improperly.
"Outdated hardware has increasingly become the target of choice [of criminals]. It is urgent that outdated devices be replaced -- and then responsibly destroyed," said John Shegerian, co-founder and executive chairman of ERI.
Preventing cybersecurity attacks
One step in preventing cybersecurity attacks on legacy hardware is to understand which appliances the data center still uses. Aggregate electronic asset reports from online monitoring systems, and see if it is possible to integrate more updated security options. Then, compare the reports to physical walkthroughs of the data centers and create a master list.
Ensure that the entire list -- electronic plus physical walkthrough -- is regularly reviewed. It'll be a time-consuming task, especially if an organization has hardware assets that don't show up on electronic reports, but it's worth it. Depending on how extensive an organization's legacy hardware catalog is, admins can do a walkthrough biquarterly or annually.
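The reconciliation described above, as an added example that is not part of the original article: it merges electronic asset reports with a physical walkthrough into one master list and flags assets that appear in only one source or are past the vendor's end-of-life date. The field names, flag labels and sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a product's export format.
ELECTRONIC_REPORTS = [
    [{"serial": "SN-1001", "model": "rack-server-a", "eol": "2019-06-30"},
     {"serial": "SN-1002", "model": "core-switch-b", "eol": "2031-01-31"}],
    [{"serial": "sn-1002 ", "model": "core-switch-b", "eol": "2031-01-31"},
     {"serial": "SN-1003", "model": "ssd-array-c", "eol": None}],
]
WALKTHROUGH = [
    {"serial": "SN-1001", "location": "row 1"},
    {"serial": "SN-1002", "location": "row 1"},
    {"serial": "SN-2001", "location": "row 4"},  # in no electronic report
]


def _entry(master, serial):
    """Return the record for a serial, normalised so sources match."""
    blank = {"model": None, "eol": None, "sources": set()}
    return master.setdefault(serial.strip().upper(), blank)


def build_master_list(reports, walkthrough, today):
    """Merge electronic reports and the walkthrough, then flag each asset."""
    master = {}
    for rec in [r for report in reports for r in report]:
        entry = _entry(master, rec["serial"])
        entry.update(model=rec["model"], eol=rec["eol"])
        entry["sources"].add("electronic")
    for rec in walkthrough:
        entry = _entry(master, rec["serial"])
        entry["location"] = rec["location"]
        entry["sources"].add("physical")
    for entry in master.values():
        flags = []
        if "electronic" not in entry["sources"]:
            flags.append("unmonitored")    # on the floor, in no report
        if "physical" not in entry["sources"]:
            flags.append("not-located")    # reported, not found in walkthrough
        if entry["eol"] is None:
            flags.append("eol-unknown")    # vendor date still to be looked up
        elif date.fromisoformat(entry["eol"]) < today:
            flags.append("past-eol")       # vendor updates have ended
        entry["flags"] = flags
    return master


if __name__ == "__main__":
    master = build_master_list(ELECTRONIC_REPORTS, WALKTHROUGH, date.today())
    print({serial: e["flags"] for serial, e in master.items()})
```

Assets flagged `unmonitored` are the ones the walkthrough exists to catch, and rerunning the merge at each review keeps the master list current.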
Legacy hardware review and retirement
Legacy hardware updates and maintenance are challenging and expensive, even if there is a policy that supports review and replacement. Many organizations let it build up until it's a mammoth task that no one wants to do or pay for.
Rather than tackling it all at once, dedicate the time to keep inventory review at a manageable level. Ensure the reviews are done regularly and the information is funneled up to purchasing managers, so they're more apt to buy the new hardware. This reinforces the practice of handling legacy hardware turnover in smaller chunks of time, effort and budget, which makes it more palatable for everyone.
Regular review also helps IT teams establish policies for sunsetting hardware that no longer serves the business. Once an organization decides to retire a certain piece of hardware, admins must find a suitable replacement and begin the process of data transfer and decommissioning. Depending on the hardware's importance, this could take at least several months, and inventory review makes it a more proactive process.