Legacy technology – a new opportunity for renewal

As part of our Think Cybersecurity for Government event this week, we discussed the issues that surround legacy IT in the public sector. Here, Sascha Giese, head geek at SolarWinds, delves further into legacy IT vs. modernisation in the sector.

Posted 2 December 2020 by

The recently announced Crown Commercial Service Technology Services 3 framework, a multi-billion-pound UK government ICT procurement process, places significant emphasis on service transformation. Around £260 million is allocated to a range of projects, including the decommissioning and disposal of legacy technology. This ongoing emphasis on legacy systems is significant, given the major challenges they present to effective, reliable, and secure IT infrastructure and services.

Legacy IT is a perennial problem in any organisation relying on old and outdated systems still in regular use. In many circumstances, legacy tech can remain fit for purpose, effectively fulfilling a role many years after being installed—a classic case of “if it ain’t broke, don’t fix it.” But as these technologies age, they become much more vulnerable to problems only modernisation can address, the most serious of which can result in cybersecurity breaches, interruptions to vital services, and significant remedial cost.

Indeed, last year’s Government Technology Innovation Strategy policy paper reflects on the problems caused by the continued use of legacy operating systems. An important ongoing example relates to Microsoft Windows 7, an operating system still widely used across the public sector that went “end of life” in January of this year. Although announced years in advance, the end-of-life date meant Microsoft stopped providing security updates and support for the product, and users were faced with the choice of paying for extended support, upgrading to the current version of Windows, or continuing to use Windows 7 in a legacy role.

Though the strategy paper points out the vital work done to upgrade systems – with over one million Windows 10 licences being implemented across the NHS – the clock is ticking, with Windows 10 expected to go end of life in 2025. Therein lies the essence of the problem created by legacy technology: it never ends.

It also illustrates the danger of reacting to legacy vulnerabilities rather than working ahead of need. 2017’s WannaCry ransomware attack is a classic example of this, as cybercriminals exploited a major vulnerability in legacy IT systems. This resulted in major disruption for the NHS, with thousands of appointments cancelled, a further blow to public confidence in IT security, and a repair bill in the tens of millions of pounds.

Stifling innovation

There’s also the brake legacy technology puts on innovation and renewal. As the policy paper pointed out, the enduring presence of legacy technology is viewed as a barrier “to adopting emerging technologies.” In expanding on the point, it explains, “legacy technology and systems are becoming increasingly less fit for purpose. Through our engagement, we’ve heard that teams often feel they can’t innovate using emerging technologies because of the volume of legacy technology they are carrying.”

Unfortunately, the problems don’t end there. Over time, legacy applications developed to run on legacy infrastructure become incompatible with other, newer systems. Given the significant reliance placed on bespoke and outdated legacy apps across the public sector, compatibility problems can be a major issue for reliability, efficiency, and security. However, rebuilding these applications to work with contemporary technologies can be very expensive. This problem can be exacerbated by a skills and experience gap, as the knowledge needed to maintain legacy technologies becomes scarce and experts move to work with modern systems or even retire. As a result, legacy applications inevitably become more expensive to support.

Looking to the future

Despite these significant challenges, many organisations (public sector included) can now draw on their successful experience of adopting new technology infrastructure despite the difficulties presented by COVID-19. The widespread availability of cloud-based services has significantly accelerated the pace of digital transformation, and there are lessons here for those responsible for replacing legacy systems in the years ahead.

For many organisations – and the public sector in particular – reliance on legacy technology is an inevitability. Not only is the public sector IT estate extremely large (and therefore costly to continually update), but the shifting policy and spending priorities of successive governments mean ubiquitous modernisation is unlikely. However, a proactive and targeted approach designed to identify the most pressing requirements – particularly in advance – will help the public sector protect its systems and data while breaking the hold legacy technology places on innovation and service improvement.