Your critical infrastructure is running out of time
Cyber attackers often succeed not because they are inventive, but because the systems they target are old. A new report by Cisco shows how unsupported technology inside national infrastructure creates openings that attackers can exploit repeatedly. The findings show how widespread this problem has become and how much it influences national resilience.

A growing problem that is hard to ignore
Nearly half of global business network assets were already ageing or obsolete as far back as 2020, and the problem has grown since. In the United Kingdom, 228 legacy systems were identified across government in 2024, and over one in four carried a high likelihood of operational or security failure. Once systems fall out of support, they stop receiving security fixes and become steady points of weakness.
This issue is not limited to old equipment quietly running in the background. Unsupported systems often sit at the edges of networks, where exposure is highest, and threat actors take advantage of this. In the European Union, 60% of breaches in 2022 and 2023 came from vulnerabilities for which patches were already available but had not been applied.
National vulnerability compared
To understand the scale of the problem, the report evaluates End of Life exposure across five major economies. The United Kingdom ranks highest at 92, followed by the United States at 88, Germany at 87.8, France at 83 and Japan at 65. Japan’s lower score reflects a diverse infrastructure base, stronger national standards and a focus on digital resilience. In contrast, the United Kingdom shows greater exposure to unsupported systems and highly concentrated critical sectors, which increases the potential impact of failures.
Frequent attacks are not the only marker of national risk. Structural factors such as the volume of unsupported technology in use, the number of operators in essential services and the likely impact of outages matter just as much. Healthcare is an obvious example. Across all five geographies it presents the highest relative risk. One cited finding shows that 60% of French hospitals were still using Windows 7 in 2022, two years after support for that system ended.
Sector pressures that continue to mount
Healthcare is the most exposed sector in almost every country assessed, driven by life-critical services, interconnected systems, long refresh cycles and sensitive data. In both the United States and the United Kingdom it carries the highest risk score.
Water and energy systems also face ongoing threat activity. Several governments have warned that state-backed groups are exploring these networks for long-term access. The report recalls the February 2024 advisory that revealed widespread attempts by the group known as Volt Typhoon to compromise American water, energy, transportation and communications networks.
Manufacturing and finance sectors appear somewhat more stable but still carry significant risk. Various operators rely on similar technology stacks. Shared components can turn a single vulnerability into a wider incident if updates are delayed or unsupported systems remain in use.
The rising cost of technical debt
Technical debt has become a national burden. The United States government spent $100 billion on IT and cybersecurity in 2023. Estimates show that $80 billion of this went toward operating and maintaining existing systems, including legacy environments. In the United Kingdom, nearly half of the planned 2019 government IT spend had the same purpose, which left fewer resources for modernization.
“The initial point of entry for attackers launching debilitating cyberattacks often involves IT that is unpatched or too old to patch. This is known as ‘technical debt’—the shadow liability from outdated technology that cannot be patched or operated securely,” said Jeff Campbell, SVP and Chief Government Strategy Officer, Cisco.
Downtime adds another layer of cost. Large companies lose $9,000 for every minute of system outage, and 56% of that downtime stems from cybersecurity incidents. In addition, 54% of executives admitted to intentionally leaving the root causes of downtime unfixed to limit the cost of legacy systems.
Organizations now average about seven months to return to full operations, and those that invest less in resilience take far longer. One example is the 2024 attack on Synnovis, which interrupted over 11,000 patient interactions and resulted in costs of over $39 million.