Author: Laura Parri Royo, Marketing Director, TJC Group | Co-author: Audren Butery, SAP Consultant at TJC Group.
Legacy system decommissioning is one of the areas of IT infrastructure management that commonly gets neglected. It’s not exactly exciting and cutting-edge compared with other projects, so this tendency is unsurprising. Yet in today’s world, where levels of cybercrime continue to grow exponentially, this is possibly the single most expensive mistake a CTO can make. Legacy system decommissioning is a strategic IT issue—for lots of reasons.
This article explains why this topic is so strategically important and, if you are thinking about decommissioning your legacy systems as part of the move to S/4HANA, how to source solutions that make the entire project significantly more straightforward.
Table of contents
- Legacy systems attract hackers
- SAP ECC maintenance deadline is approaching
- Avoid a data breach in your organisation
- Don’t breach data privacy laws
- Make better use of IT skillsets
- Don’t waste energy
- Best practice: How to go about legacy system decommissioning?
- Introducing Enterprise Legacy System Application
- Take the next step
Legacy systems attract hackers
Security is at the top of the list of risk factors. Organisations with legacy systems left unchecked can be particularly vulnerable to attacks from hackers and cybercriminals, but that’s not all. This article illustrates a real-life example of a US company whose legacy systems were at the epicentre of a ransomware attack. At a time when many current SAP ECC users are evaluating the optimal migration path to SAP S/4HANA, organisations may be tempted to ‘do nothing’ with their legacy ERP. But aside from the security risks, there are many other good reasons to invest in legacy system decommissioning with experts.
Legacy data can become a high cybersecurity risk because it may not be encrypted or protected by other access controls. Legacy systems are prone to attacks from hackers if not kept up to date.
Keeping up with patches and system updates is a real challenge for IT professionals, as reported by the SAPinsider Cybersecurity Report 2023. Unfortunately, this is the bread and butter for IT security teams working on SAP systems; the list of SAP vulnerabilities to keep a close eye on is long.
TJC Group’s CISO wrote about it in this article: SAP vulnerabilities and why it is not safe to keep legacy data in an old SAP system.
SAP ECC maintenance deadline is approaching
For those organisations migrating to SAP S/4HANA, SAP will end ECC maintenance by 2027 (2025 for those on EHP5). Beware: unpatched systems are one of the biggest challenges organisations face in securing their SAP systems, as per the SAPinsider Cybersecurity Report 2023. Hence, the end of maintenance of SAP legacy systems and/or the lack of patching has become a security concern.
This leaves SAP and its ECC customers in a challenging position. SAP might delay the end of maintenance dates again, but if this is the case, they will wait for as long as possible. That’s why our advice is to come up with a plan to handle legacy systems and historical data in the most cost-effective and compliant way.
Avoid a data breach in your organisation
First, let’s consider the security implications of leaving legacy systems running indefinitely. We touched on the vulnerability risks already. Legacy systems are much more prone to data security breaches because they may no longer receive updates and patches from vendors. Even if a vendor is still offering maintenance updates, the user organisation may have stopped implementing them (another common mistake), perhaps because it no longer has the right skills in-house or simply because the new systems get all the attention. This practice leaves critical data highly exposed to cyber threats and is one of the most common ways hackers can breach a company firewall.
Data breaches are currently one of the fastest-growing targets for hackers. According to MIT expert Professor Stuart Madnick, “data breaches continue to increase year-on-year and a 20% increase in data breaches from 2022 to 2023 was measured”. As part of this study conducted by Harvard Business Review, it was identified that one of the most popular ways for hackers to gain access is via security gaps in vendor systems and especially the legacy ones.
Don’t breach data privacy laws
In addition to the security implications, there are compliance considerations when legacy systems are left unchecked. These are just as critical. Keeping outdated systems running instead of decommissioning them can lead to non-compliance with modern regulatory standards like GDPR, leaving an organisation exposed to a multi-million euro fine and legal challenges from regulators. We have written about the serious financial risks of GDPR fines in the past.
“Data protection within SAP systems is of utmost concern. This emphasis is reasonable considering the critical data housed in these systems that form the core assets of a company, covering essential elements like partner and customer information, financial documents, transaction records, banking connections, and even personal identifiable information of employees.”
SAPinsider 2024 Buyer’s Guide Cybersecurity
Let’s consider the costs, because an article exploring the consequences of not decommissioning legacy systems would be incomplete without considering the cost efficiency implications. We are in the midst of an IT skills shortage and one that experts are predicting will continue to intensify. According to IDC, the growing IT skills shortage is impacting organisations in all industries and across all regions. Nearly two-thirds of executives surveyed for a recent research report said that a lack of skills has resulted in missed revenue growth objectives, quality problems, and a general decline in customer satisfaction. IDC predicts that by 2026, more than 90% of organisations worldwide will feel the pain of the IT skills crisis, amounting to some $5.5 trillion in losses.
Make better use of IT skillsets
It is difficult to employ and retain good IT professionals at the best of times and when their skillsets are more specialised, the situation becomes more problematic. Many legacy systems are dependent on a small pool of IT experts within an organisation to maintain them, posing a risk if these resources become unavailable. Rather than tie up essential IT budgets with legacy skillsets, decommissioning old systems or applications allows IT resources to be reallocated towards more strategic projects that will positively contribute to driving business growth and innovation.
The following article sheds some light on how to retire an old system, from sunsetting to decommissioning: https://www.tjc-group.com/blogs/legacy-systems-a-journey-from-sunsetting-to-decommissioning/
Don’t waste energy
The other very important factor to weigh up is the environmental cost (and waste) of powering legacy systems unnecessarily. It is well known that data centres have become the single biggest consumer of electricity in the world today and as the volume of data being stored keeps rising, so do power consumption levels. Keeping legacy systems going when they could be decommissioned wastes a great deal of power and at a time when companies everywhere are under pressure to reduce their carbon footprints, this could be an easy win. We have written about the carbon positive impact of data volume management in the past.
Best practice: How to go about legacy system decommissioning?
Having illustrated the importance of decommissioning legacy systems, what steps can IT professionals take to make the process of safely removing them as straightforward as possible? One of the foundational objections made within an organisation considering legacy system decommissioning relates to ‘what happens if we need the data again?’ This concern is understandable, especially given the requirement for organisations in some industries to retain historical records for tax, audit or compliance purposes. Thankfully there are dedicated solutions available to enable this, including ELSA from TJC Group.
Introducing Enterprise Legacy System Application
ELSA (Enterprise Legacy System Application) is a unique, SAP-certified solution that makes accessing any SAP and non-SAP legacy systems that are no longer required for day-to-day business transactions as simple as possible. Developed exclusively by TJC Group to overcome decommissioning challenges when migrating to S/4HANA or any other ERP, it can be delivered on-premise through SAP Business Technology Platform or as a SaaS.
ELSA works by giving end users easy access to legacy data, documents, and historical transactions after an old ERP system has been shut down. Allowing end users to gain direct access is significant because it ensures that IT departments are not responsible for facilitating access to legacy data, a waste of IT resource time.
ELSA includes UI masking features to hide sensitive information on user interfaces, preventing unauthorized users from viewing confidential data, reducing the risk of data leakage or exposure.
The solution is powerful enough to decommission 100% of legacy systems within an organisation – from a single ERP database to hundreds of apps – and can maintain full traceability logs to ensure future compliance with local tax laws and data privacy regulations. ELSA can also be integrated with automated data archiving solutions so that full information lifecycle management is implemented and your organisation can get data volume growth permanently under control.
Take the next step
Investing in the decommissioning of legacy systems is an important strategic activity for every large organisation. It mitigates security and compliance risks and reduces costs and carbon footprint. Fortunately, cutting-edge technology is now readily available to tackle the problem. Consider the benefits to your organisation and talk to the experts about the next steps.
TJC Group has 25+ years of expertise in overall data management. Alongside dedicated solutions for decommissioning legacy systems like the Enterprise Legacy System Application (ELSA), we also offer automated software for data archiving, e-invoicing, and more. TJC Group is an ISO 27001 certified organisation, adhering to and maintaining the highest practices of cybersecurity as well as data privacy.
Contact us today for more information and get your obsolete systems retired seamlessly!
Sources of information
- IT Skills Shortage Expected to Impact Nine out of Ten Organizations by 2026 with a Cost of $5.5 Trillion in Delays, Quality Issues and Revenue Loss. IDC.
- Why data breaches spiked in 2023. Harvard Business Review.
- SAPinsider Buyers Guide, Cybersecurity 2024. SAPinsider.
- SAPinsider Cybersecurity report 2023. SAPinsider.
Commonly asked questions
Q1. Why is legacy system decommissioning considered a strategic IT move?
Answer:
Legacy system decommissioning is a strategic IT move because unpatched legacy systems pose significant cybersecurity risks, compliance challenges, and unnecessary costs. In today’s environment of exponentially growing cybercrime, neglecting legacy systems can be one of the most expensive mistakes a CTO can make.
Q2. How do legacy systems increase cybersecurity vulnerabilities?
Answer:
Legacy systems are particularly vulnerable to cyberattacks because they often lack current security patches and updates. They may not be encrypted or protected by modern access controls, making them prime targets for hackers looking to breach company firewalls and access sensitive data.
Q3. What are the implications of SAP ECC maintenance ending?
Answer:
SAP will end maintenance for ECC systems by 2027 (2025 for those on EHP5). Unpatched systems are one of the biggest security challenges organisations face. Without ongoing maintenance, these systems become increasingly vulnerable to cyber threats, making decommissioning or migration essential.
Q4. How do legacy systems contribute to data breaches?
Answer:
Legacy systems are more prone to data security breaches because they may no longer receive updates and patches from vendors. Even when updates are available, organisations may not implement them due to skill shortages or shifting priorities, leaving critical data highly exposed to cyberthreats.
Q5. What compliance risks do organisations face by keeping legacy systems operational?
Answer:
Keeping outdated systems running instead of decommissioning them can lead to non-compliance with modern regulatory standards like GDPR. This exposes organisations to potential multi-million Euro penalty fines and legal challenges from regulators.
Q6. How does the IT skills shortage impact legacy system management?
Answer:
The growing IT skills shortage makes it difficult to maintain legacy systems that depend on specialised knowledge. As these skills become scarcer, organisations face increased risk if key personnel leave. IDC predicts that by 2026, more than 90% of organisations worldwide will feel the pain of the IT skills crisis, potentially resulting in $5.5 trillion in losses.
Q7. What are the environmental implications of maintaining legacy systems?
Answer:
Data centres have become one of the world’s largest consumers of electricity. Keeping legacy systems operational unnecessarily wastes significant power. Decommissioning these systems can help organisations reduce their carbon footprint and meet sustainability targets.
Q8. What is ELSA and how does it help with legacy system decommissioning?
Answer:
ELSA (Enterprise Legacy System Application) is an SAP-certified solution developed by TJC Group that enables easy access to legacy data, documents, and historical transactions after an old ERP system has been shut down. It can be delivered on-premise through SAP Business Technology Platform or as a SaaS solution.
Q9. How does ELSA address data privacy concerns?
Answer:
ELSA includes UI masking features to hide sensitive information on user interfaces, preventing unauthorised users from viewing confidential data. This reduces the risk of data leakage or exposure while still maintaining necessary access to historical information.
Q10. What percentage of legacy systems can be decommissioned using solutions like ELSA?
Answer:
Solutions like ELSA are powerful enough to decommission 100% of legacy systems within an organisation, from a single ERP database to hundreds of applications, while maintaining full traceability logs to ensure compliance with local tax laws and data privacy regulations.
Q11. How does legacy system decommissioning impact IT resource allocation?
Answer:
Decommissioning old systems or applications allows IT resources to be reallocated towards more strategic projects that positively contribute to business growth and innovation, rather than tying up essential IT budgets with maintaining legacy skillsets.
Q12. What are the common objections to legacy system decommissioning?
Answer:
One of the foundational objections relates to data accessibility – “what happens if we need the data again?” This concern is understandable, especially for organisations that need to retain historical records for tax, audit, or compliance purposes. Solutions like ELSA address this by providing continued access to legacy data after systems are decommissioned.
Q13. How do hackers typically exploit legacy systems?
Answer:
According to studies, including one conducted by Harvard Business Review, one of the most popular ways for hackers to gain access is via security gaps in vendor systems, especially legacy ones. Unpatched vulnerabilities in these systems provide entry points for cybercriminals.
Q14. What is the relationship between legacy system decommissioning and S/4HANA migration?
Answer:
For organisations migrating to SAP S/4HANA, decommissioning legacy systems is an important consideration. Rather than doing nothing with legacy ERPs during migration, organisations should develop a plan to handle legacy systems and historical data in the most cost-effective and compliant way.
Q15. How can organisations ensure regulatory compliance when decommissioning legacy systems?
Answer:
Organisations can ensure compliance by implementing solutions that maintain full traceability logs and adhere to local tax laws and data privacy regulations. These solutions should be integrated with automated data archiving to implement complete information lifecycle management, ensuring that data volume growth remains under control for the long term.