Top Takeaways from the KPMG Cyber Survey for Orgs Using Legacy IT

The 2024 KPMG Cyber Survey sheds light on the evolving landscape of cybersecurity, particularly for organizations grappling with legacy IT systems such as Windows Server 2012. Here are the top five takeaways from the survey, coupled with insights on how these findings impact businesses reliant on outdated technology.

1. Confidence Gap Amidst Challenges

A significant minority of C-Suite security leaders express a lack of confidence in their Security Operations Centers (SOCs). About 31% don’t understand their vulnerabilities, yet 91% claim full visibility across their risk areas. This gap speaks to the importance of visibility in mitigating risks, especially those associated with outdated systems.

2. Escalating Malware Threats

There is significant concern (76%) about the growing sophistication of new cyber threats, especially malware. As malware evolves, it becomes more adept at bypassing traditional defenses, posing a severe risk to legacy systems. These systems, often lacking modern protective measures, are especially vulnerable to such advanced threats, underscoring the need not only for robust, updated cybersecurity practices but for real solutions that harden server workloads.

3. Increasing Cyber Threat Sophistication

Security leaders are increasingly worried about the sophistication of cyber threats. Despite high confidence in their security measures, 40% of organizations experienced a cyberattack resulting in a breach last year. This highlights the pressing need for continuous improvement in cybersecurity strategies, especially in the face of complex threats like malware and insider attacks. Traditional Endpoint Detection and Response (EDR) solutions can miss up to 30% of attacks, leaving a sizable gap of vulnerability. For legacy IT systems, this risk is significantly higher.

4. Operational and Performance Challenges

Legacy IT systems exacerbate several operational challenges. Security data quality issues, alert fatigue, and the complexity of IT environments hinder effective threat detection and response. Furthermore, measuring SOC performance remains problematic, with leaders struggling to collect relevant data and analyze SOC effectiveness comprehensively. While two-thirds (64%) of survey respondents report being satisfied with the time it takes to remediate their vulnerabilities, that leaves more than ⅓ with concerns about remediation time - and likely a good portion of those organizations are still using legacy IT.

5. Threat Assessment Fatigue

30% of security leaders report fatigue in navigating low-fidelity alerts versus real threats. This challenge is particularly pronounced in environments with legacy IT systems, where outdated technology generates numerous false positives, overwhelming security teams and hindering their ability to focus on genuine threats. Improving the accuracy of threat detection and streamlining alert management are essential to mitigate this issue.


The KPMG Cyber Survey underscores the dual nature of cybersecurity for organizations using legacy IT. While there's notable confidence in current security operations, the increasing sophistication of cyber threats and operational challenges demand relentless vigilance and adaptation. Leveraging AI, addressing talent shortages, and improving data quality are pivotal steps toward fortifying defenses against the ever-evolving cyber threat landscape.

For more insights on mitigating the security risks of legacy IT systems, check out Virsec’s newest tools: TrustSight and TrustGuardian.

Don't miss our security insights, and subscribe to our blog now.

Subscribe to Our Blog