Outdated technology is threatening more than business growth for Australian SMEs: it is also opening the door to online criminals.
The Australian Cyber Security Centre has issued a stern warning that so-called ‘dinosaur tech,’ or legacy hardware and software no longer supported by the manufacturer, is a significant strategic liability.
Many Australian small-to-medium businesses have retained these systems – ranging from old accounting software to ageing on-site servers – because they still work and replacement costs are prohibitive. But choosing to retain unsupported systems can create a “technical debt” that compounds over time, causing cybersecurity vulnerabilities, operational fragility and incompatibility with AI platforms. To remain competitive, SME leaders are urged to audit their tech stack and farewell anything past its use-by-date.
Retaining Old Tech May Cost More Than You Think
The ACSC defines legacy technology as end-of-life devices, software programs and protocols that lack vendor support, don’t meet modern security standards and are less useful for achieving business goals. Common examples in Australian SMEs include bespoke Point of Sale systems with limited cloud connectivity or older servers running operating systems that no longer receive security patches.
The retention of these systems is rarely an oversight. SME owners often cite budget constraints or the fear of disruption during migration as reasons for retaining ageing systems.
However, the cost of doing nothing is enormous. Research indicates that businesses worldwide waste US $370 million per year on maintaining outdated applications. Meanwhile, 70 per cent of organisations attempting upgrades report that legacy infrastructure has slowed progress, acting as an Achilles heel for digital transformation.
There’s also a reputational cost from the increased likelihood of systems going offline, service delivery being disrupted or data lost. In short, it’s much harder to modernise workflows if the backbone of the business is outdated.
Legacy Tech Leaves The Door Open For Hackers
While cyber threats abound in the online world, the ACSC says legacy tech puts businesses at even greater risk of compromise. Because unsupported systems do not receive security patches, known vulnerabilities remain permanently open to exploitation. Furthermore, these systems often cannot support modern protective measures like Multi-Factor Authentication (MFA) or Zero-Trust architectures.
A NSW council learned the hard way in 2022 when legacy systems allowed hackers to encrypt critical data with ransomware. The fallout was on a scale few SMEs could survive: staff worked 40-80 hours of overtime per week and operational disruption lasted for nearly a month.
Data confirms the broad reach of cyber criminals in Australia. In 2024-25, the ACSC answered more than 42,500 calls to its cyber security hotline and received more than 1,700 notifications of potentially malicious cyber activity – an 83 per cent increase on the year before. The average cost of cyber crime in Australia is $56,600 for a small business and $97,200 for a medium enterprise business – a burden SMEs can ill afford.
Legacy digital systems can be a barrier to AI connectivity, acting as the ultimate bottleneck. Older infrastructure often lacks the modern APIs (Application Programming Interfaces) required for AI integration, and data trapped in “silos” within old software is often of too poor quality for AI to process.
Before You Replace, You Can Reduce Risk
For SMEs that cannot replace every system immediately, the ACSC recommends several interim risk-reduction strategies:
- Network Segmentation: Isolate legacy systems from the rest of the business network to prevent a single breach from spreading.
- Access Controls: Implement strict MFA where possible and reduce the online exposure of unsupported systems.
- Asset Register: Maintain an accurate inventory of all hardware and software to track vendor support timelines and plan for end-of-life dates well in advance.
SME owners can prioritise by determining where technology risks and business goals most closely align. But they are urged to keep in mind that a cyber attack will require a full replacement on the spot, making a preemptive upgrade a comparative bargain.
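The sketch below is an added example, not code from the ACSC or from this article. It shows one way an asset register can drive the interim steps listed above: it flags systems that are out of vendor support or close to it, then lists which of the three controls each one is still missing. The CSV column names, asset names, dates and scoring weights are all constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register: names, dates and flags are illustrative only.
REGISTER_CSV = """asset,kind,support_ends,internet_exposed,segmented,mfa
pos-terminal-01,hardware,2023-06-30,no,no,no
accounts-server,server,2024-01-31,yes,no,no
file-server,server,2026-03-31,no,yes,yes
crm-app,software,2030-12-31,yes,yes,yes
"""

def _yes(value):
    return value.strip().lower() == "yes"

def review_register(csv_text, today, warn_days=365):
    """Return assets needing attention, highest risk first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        days_left = (date.fromisoformat(row["support_ends"]) - today).days
        if days_left > warn_days:
            continue  # still comfortably inside vendor support
        unsupported = days_left < 0
        gaps = []
        if _yes(row["internet_exposed"]):
            gaps.append("reduce online exposure")
        if not _yes(row["segmented"]):
            gaps.append("isolate on its own network segment")
        if not _yes(row["mfa"]):
            gaps.append("enforce MFA where possible")
        # Assumed weighting: unsupported assets outrank those nearing
        # end-of-life, and each missing control counts double on them.
        score = (10 if unsupported else 0) + len(gaps) * (2 if unsupported else 1)
        findings.append({
            "asset": row["asset"],
            "status": "unsupported" if unsupported else "end-of-life approaching",
            "days_left": days_left,
            "gaps": gaps,
            "score": score,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in review_register(REGISTER_CSV, date(2025, 11, 1)):
        print(f"{f['asset']}: {f['status']} ({f['days_left']} days), score {f['score']}")
        for gap in f["gaps"]:
            print(f"  - {gap}")
```

Run against a real inventory export, the top of the list is the shortlist for segmentation, access-control and replacement planning.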