Legacy systems: The hidden time bomb of key-person dependency and other risks

March 13, 2025

Your company may be greatly held back by outdated but mission-critical systems that have been in use for years. Often, only a handful of employees, or even just one, actually understand how such systems function. That is a huge risk if those people retire, leave the organization, or become unavailable.

In this article, we are delving into the primary risks posed by legacy systems and key-person dependency with corresponding consequences for your business, as well as strategies for mitigating these risks.

Key risks of legacy systems and knowledge concentration

1. Key developer/manager dependency

When a system has been manned by one developer or IT manager for a long period of time, the loss of that person creates a massive knowledge vacuum. This can lead to significant challenges, including inability to troubleshoot the system quickly, as the rest of the team may not have the needed expertise to understand and treat a problem adequately. This shift can also lead to delays in development and system upgrades, as it takes time for new people to familiarize themselves with the existing infrastructure. Apart from that, organizations may face higher costs, often needing emergency support from outside consultants, which can further strain budgets and slow down progress.

Real case example from our experience:

A small manufacturing company with around 50 employees relied for its daily operations on custom software that handled inventory, production schedules, and order management. Only one individual knew how to maintain this software. When this developer suddenly became unavailable, the company faced an immediate crisis:

  • Production came to a standstill due to employees' inability to access the system that controlled orders and inventory.
  • No one understood the code, so the possibility of making fixes quickly or applying some sort of temporary patches was next to nothing.
  • Finding another developer took weeks, during which the business suffered financial losses, and customers experienced some inconveniences due to delayed orders.

For larger companies, it is relatively easier to handle operational risk management, taking into consideration they have larger IT teams, documented procedures, and systems redundancies. However, for a small business, the unexpected loss of an important IT expert can cripple operations, damage customer relationships, and ultimately, present business-threatening circumstances.

Moreover, small organizations lack tech resources to transition to newer technologies. According to the Gartner report of 2022, human resource constraints were the most considerable obstacle in adopting 64% of emerging technologies—an impediment not only to the application of such technologies but also to innovation and growth of the organizations. Small to medium businesses (SMBs) that do not have enough technical resources can potentially lag behind when it comes to industry changes, which means missed opportunity and reduced competitiveness for them.

If you have a small business with one person to keep all software running, it’s time to rethink your IT strategy before it’s too late.

2. Hiring challenges for outdated technologies

Many of the legacy systems nowadays use outdated programming languages or frameworks which most modern developers are unfamiliar with, making the hiring process very tough and expensive. Companies struggle to find a skilled workforce due to the scarcity of talents and have to wait very long for them. Moreover, the skill set required in such cases is a niche one, which means developers tend to demand huge salaries. 

Additional time and resources spent on training new hires of such older technologies only delay productivity. In most instances, businesses have to turn to contractors in order to carry out maintenance and development work, which further leads to increases in costs and vulnerability to both security and operational risks.

This problem becomes even more pronounced with older technologies like Delphi or VBA. The Stack Overflow Developer Survey 2024 indicates that of 60,171 respondents, 1.8% develop with Delphi. The figure does not change much for senior developers, with a 1.8% rate in the same sample. However, only 0.8% of those learning to code chose Delphi. This points to a growing problem ahead for organizations dependent on this technology.

The declining number of Delphi developers

3. Resistance to change

Long-term employees who work with legacy systems are often among those who resist change the most. They suspect that the modernization effort will do away with their specialization, making their expertise no longer needed or creating redundancies in their role.

Another kind of ambiguity comes from the potential complexity that entails the transition into modern solutions, especially if employees feel it will be time-consuming, disruptive, or difficult to adapt to. Many professionals tend to develop that strong sense of comfort with the known tools, even if they are obsolete and inefficient. At least, they are familiar with the ways that make them successful with those tools, so they would rather not learn entirely new technologies. This aversion to change can act as a headwind in the digital transformation journey.


4. Over-reliance on one employee for data recovery and backups

Data backups should never be managed by a solo employee. Relying on a single person makes data restoration quite dangerous for the business in case of disaster. Whether intentionally or not, the crucial data held for the organization may be deleted, making it difficult or impossible to retrieve without the professionals.

A ransomware attack or another kind of cyber incident could similarly encrypt or corrupt data that is crucial for operations. If knowledge of the recovery methods is not shared across several team members, restoration could be delayed or become impossible. Furthermore, if a key employee leaves the company unexpectedly, the absence of documented procedures or shared knowledge could mean chaos, expensive disruptions, and the possible permanent loss of data.

Real case example from our experience:

Twenty retail stores that employ a total of approximately 150 people depend on a point-of-sale (POS) system managed by one IT professional who is also responsible for backups, security patches, and server maintenance.

What happened:

  • The IT technician spontaneously left the company.
  • A month later, the company faced a ransomware attack which encrypted all sales data. 
  • No one knew how to properly restore the backups, losing critical files forever.
  • The business lost $200,000 in sales figures, as well as reputation, due to double charges and missing orders.

A study by Veeam found that 22% of businesses that were hit with ransomware attacks actually had to go out of business, while 17% lived through 25+ hours of downtime—some up to 100+ hours. This could spell disaster for any organization that relies on legacy systems and does not have the size of IT capabilities needed, which goes along with a loss of money and leaving a smear on the organization's reputation.


5. Over-reliance on external contractors

Through outsourcing maintenance of legacy systems to outside vendors, businesses may inject weaknesses into their level of control, costs, and security. The rising dependence on third-party providers will invariably cause ever-mounting costs, as the charges for specialized legacy support are rather high, given the dwindling number of professionals adapted to old technologies. Moreover, that compromises the capability of the host organization to oversee critical systems effectively, as it gets cumbersome to link workflows with approved processes and guidelines, and to combine updating with issue resolution. 

Relying on external suppliers for critical systems may further infuse security loopholes. As there would be an absence of visibility for companies toward handling, storage, or protection of their data, they could unintentionally open the gates for unwarranted infiltration, data breaches, or regulation-related compliance issues. Managing risks nowadays requires companies to maintain internal process control systems and establish strong security protocols with third-party vendors.  

Real case example from our experience:

One freelance engineer was in charge of the administration and maintenance of a company's essential software system, which was vital to the organization's operations and supported an important customer contract. This individual handled the release of software updates, solving problems, and provided ongoing support throughout the production system.

What went wrong:

  • The engineer decided to leave the job under the workload constraints, leaving the company with no direct replacement for this position.
  • There was a major shortage in terms of support and expertise needed for that system within the company, since no other in-house person knew the software system.
  • The company's contract with a key customer was in danger of being canceled, as it was based mainly on stability and support for the software system. With no replacement in place, the company could not guarantee that the system would keep functioning.
  • Although the engineer had some handover sessions before leaving, the transfer of knowledge was incomplete.
  • The company was very uncertain about its future operations, with various projects running far behind schedule and no clear plan to deal with all the technical challenges caused by a sudden departure.

While large companies often adopt well-documented processes and use a mix of vendors to manage risks, small companies face even more significant concerns. Some of the factors that make it even harder for small companies are that they tend to put all their dependence in just one contractor. When all the IT processes are controlled by just one person, even a short disruption can endanger the running of the business. This company's entire operation depended on the expertise of one engineer, and the unexpected loss of the expert jeopardized the business as a whole.

This was also precisely the case for an air traffic control (ATC) company struggling to maintain their legacy display system, originally developed by a previous vendor. As they did not carry the kind of expertise required to manage the outdated code themselves, they needed a reliable technology partner to take full responsibility for the system maintenance. TYMIQ stepped in to perform this function, assuming complete ownership of the legacy system while also migrating the system from .NET Framework to .NET Core and managing the modernized version.

Ready to take control of your IT operations? Read the TYMIQ case on how we maintained and modernized a mission-critical legacy system.

6. Lack of documentation and knowledge sharing 

Most legacy systems are insufficiently documented: far too much is learned informally and never recorded systematically. This creates significant problems within the organization, especially for new employees who want to understand how the legacy system operates. Newly hired employees have difficulty learning the architecture and behavior of the system because there are no guidelines or references specific to it, and they often end up completely confused. The intensive training sessions that result make onboarding considerably longer and more expensive for the organization.

Further, when seasoned developers leave, they cause another problem by taking precious knowledge with them. If that knowledge is not written down or transferred, the organization can lose key expertise and be left without consistent guidance for employees or vendors to maintain, troubleshoot, and improve the legacy systems over time.

7. Single point of failure and business continuity risks

There are increased risks to an organization beyond just availability, especially if only one or two individuals manage its critical systems. This has implications for the actual workload of such individuals, even if there are no other significant changes to their roles, because they may struggle to oversee system security, availability, up-to-date design features, vulnerabilities, and interdependencies simultaneously.

Having a small pool of specialists results in an increased risk of not identifying any hidden vulnerabilities, delays in updates, or undocumented dependencies, which all deteriorate the stability and security of the system over time. Quality assurance management at that moment is almost impossible since no larger team or processes are employed, which keeps the company susceptible to failures and outages.

Real-world example: Fastly outage (2021)

Fastly, a cloud computing services provider specializing in content delivery networks (CDNs), suffered a pretty extensive outage on the 8th of June 2021, and it took down many big websites including Amazon, Reddit, The Guardian, CNN, PayPal, Spotify, and others.

The issue was caused by a bug in Fastly’s software, which was triggered by a single customer configuration change. This previously unknown bug led to a chain reaction, resulting in Fastly’s global network failing for about 50 minutes before engineers resolved the issue.

Fastly later admitted that the incident had proven the risks attached to centralized dependencies within critical infrastructure and stressed the need for solid testing and failover mechanisms. 

This case study stands out as an example where one IT architecture failure could cause widespread disruption, which is a crucial concern for companies that rely on a few people to manage critical systems.

How to mitigate legacy system risks

Addressing the risks associated with legacy systems and key-person dependency requires a proactive approach. Here are some key strategies to minimize disruptions and ensure business continuity:

Strategy 1

Encourage knowledge sharing and cross-training

Avoid over-reliance on a single expert by implementing cross-training programs. Team members could regularly rotate responsibilities to allow for knowledge sharing and minimize institutional expertise loss.

Strategy 2

Diversify IT expertise and reduce external dependence

If outsourcing IT maintenance, avoid relying on a single contractor. Work with multiple vendors or build in-house expertise to retain control over critical systems.

Strategy 3

Document critical systems and processes

Maintain comprehensive documentation for all legacy systems, including architecture, configurations, troubleshooting procedures, and update logs. This helps new team members quickly get up to speed and ensures continuity in case of personnel changes.

Strategy 4

Strengthen cybersecurity and backup protocols

Set up an automated backup system from which different teams can easily recover data, along with a clear process for recovering that data. In addition, establish robust security measures to protect against cyber threats.

Strategy 5

Implement business continuity and disaster recovery plans

Regularly test failover mechanisms, simulate outage scenarios, and establish clear procedures for handling IT disruptions. Redundancy in critical IT functions will help prevent catastrophic downtime.

Strategy 6

Invest in IT modernization

Gradually transition away from outdated technologies by adopting modern, well-supported platforms. This reduces dependency on rare skill sets and improves security, performance, and scalability of your system.

By taking these steps, businesses can safeguard their operations, reduce dependency risks, and create a more resilient IT infrastructure. And if you need help implementing these measures to maintain your legacy system, or if you decide not to delay and want to jump into legacy system modernization but need expert guidance, TYMIQ offers the services you need. We deliver four main types of software maintenance: adaptive, corrective, perfective, and preventive. 

By the way, if you’re hesitating about the urgency of modernization, we can also guide you in making the right decision—whether it’s time for immediate modernization or if it’s reasonable to maintain your current software, as long as its conditions allow you to wait and better prepare for a less painful incremental migration. Find more information about our software maintenance services here.

Is your company facing challenges with existing legacy systems? Selecting a maintenance or modernization strategy requires a comprehensive analysis and IT risk assessment to make informed decisions. Define your path with TYMIQ’s support.