Many SMEs are still running legacy systems: think Windows XP, Windows 7, outdated industrial controllers, or bespoke software that can’t be upgraded immediately.
But using legacy doesn’t have to mean non-compliant. Your business can work toward and achieve Cyber Essentials certification even while using outdated operating systems, if you apply the right strategies.
In this article, we walk you through how to align your legacy systems with Cyber Essentials requirements, drawing on best practices and lessons from IT experts.
Legacy systems raise your risk profile and complicate compliance with the five technical controls of Cyber Essentials, but they don’t make certification impossible.
Here are key approaches you should take:
Document every device, OS and application, especially old ones. Compare versions to vendor support lists. Anything unsupported or unpatchable should be flagged as legacy.
Then decide whether these systems can be excluded from the core scope by defining a sub‑set (a segregated zone) under the Cyber Essentials scoping rules.
When done correctly, you can treat that sub‑segment as “out of scope” (or limited scope) in your Cyber Essentials self‑assessment, as long as the isolation is robust.
Place legacy systems in a segmented VLAN or isolated network zone, separated from your critical systems. Use firewall rules or DMZs to restrict their access. This limits lateral movement if they’re compromised.
Even legacy systems often have some available updates or mitigations. Apply every security patch still available.
Where vendor support has ended, consider community updates, hotfixes, or compensating controls (e.g. wrapper protection). Typical compensating controls include:
Host‑based firewall / HIPS (if supported)
Application whitelisting
Disabling unnecessary services
Strong account control (least privilege)
Monitoring / intrusion detection for that segment
These compensating controls help show an assessor you’ve reduced the risk.
All traffic into and out of your legacy zone should pass through a properly configured firewall. Use inbound and outbound filtering, stateful inspection, and deny-by-default policies.
Ensure the firewall is up to standard (e.g. rule hygiene, no default passwords).
Limit who can access legacy systems. Use strong, unique credentials, and enforce MFA (if possible) for access to that subnetwork. Use jump hosts or bastion servers to mediate access.
Avoid having legacy machines with direct access to the internet or other critical assets.
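The inventory, segmentation, firewall and access-control steps above can be checked mechanically before you fill in the self-assessment. The following is an added example written for this article, not Syn-Star’s own tooling or anything the Cyber Essentials scheme publishes. It uses a constructed support list, a made-up zone name (legacy-vlan), a made-up jump host name (jump01) and a simplified rule model; it flags unsupported operating systems as legacy, then reports any legacy device outside the isolated zone, any legacy device with direct internet access, a firewall that is not deny-by-default, and any rule that lets traffic into the legacy zone other than from the jump host or out of it towards the internet or core systems.

```python
"""Added example: check a device inventory and a simplified firewall policy
against the legacy-segmentation rules described above.
Not Syn-Star code; all names, zones and rules below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed vendor support list: OS name -> still supported by the vendor?
SUPPORTED_OS = {
    "Windows 11": True,
    "Windows 10": True,
    "Ubuntu 22.04": True,
    "Windows 7": False,
    "Windows XP": False,
}

LEGACY_ZONE = "legacy-vlan"   # assumed name of the isolated segment
JUMP_HOST = "jump01"          # assumed name of the only permitted management host


@dataclass
class Device:
    name: str
    os: str
    zone: str               # network zone / VLAN the device sits in
    internet_access: bool   # does it have direct internet egress?


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str             # "allow" or "deny"
    src_host: str = "any"   # narrow a rule to a single source host


@dataclass
class Policy:
    default_action: str     # what happens when no rule matches
    rules: list[Rule] = field(default_factory=list)


def is_legacy(device: Device) -> bool:
    """Unsupported, or not on the support list at all, counts as legacy."""
    return not SUPPORTED_OS.get(device.os, False)


def find_legacy(devices: list[Device]) -> list[Device]:
    return [d for d in devices if is_legacy(d)]


def check_policy(devices: list[Device], policy: Policy) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if policy.default_action != "deny":
        findings.append("firewall default action is not deny")
    for d in find_legacy(devices):
        if d.zone != LEGACY_ZONE:
            findings.append(f"{d.name} ({d.os}) is legacy but sits in zone {d.zone}")
        if d.internet_access:
            findings.append(f"{d.name} has direct internet access")
    for r in policy.rules:
        if r.action != "allow":
            continue
        if r.dst_zone == LEGACY_ZONE and r.src_host != JUMP_HOST:
            findings.append(f"rule lets {r.src_zone}/{r.src_host} into the legacy zone without the jump host")
        if r.src_zone == LEGACY_ZONE and r.dst_zone in ("internet", "core"):
            findings.append(f"rule lets the legacy zone reach {r.dst_zone}")
    return findings


def weak_setup() -> tuple[list[Device], Policy]:
    """Constructed 'before' state: legacy controller on the office LAN, permissive firewall."""
    devices = [
        Device("cnc-controller", "Windows XP", "office-lan", internet_access=True),
        Device("finance-pc", "Windows 11", "office-lan", internet_access=True),
    ]
    return devices, Policy(default_action="allow")


def hardened_setup() -> tuple[list[Device], Policy]:
    """Constructed 'after' state: legacy controller isolated, deny by default,
    management only via the jump host, egress only to the log collector."""
    devices = [
        Device("cnc-controller", "Windows XP", LEGACY_ZONE, internet_access=False),
        Device("finance-pc", "Windows 11", "office-lan", internet_access=True),
    ]
    policy = Policy(default_action="deny", rules=[
        Rule("mgmt", LEGACY_ZONE, "allow", src_host=JUMP_HOST),
        Rule(LEGACY_ZONE, "siem", "allow"),   # log forwarding only
    ])
    return devices, policy


if __name__ == "__main__":
    for label, setup in (("weak", weak_setup), ("hardened", hardened_setup)):
        print(label, check_policy(*setup()) or ["no findings"])
```

Running the script prints three findings for the weak state and none for the hardened one; the findings list is the kind of evidence an assessor expects to see alongside the scope description.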
Where possible, deploy antivirus or endpoint agents on legacy nodes. If they cannot run up‑to-date AV, focus on scanning at gateways or network level.
Ensure that malware protection covers traffic to/from that segment.
Even if legacy systems have limited logging, try to collect whatever logs are available and funnel them to a central security monitoring system.
Use IDS/IPS or anomaly detection at the network boundary.
Alert on suspicious behaviour and review logs regularly.
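To show what “alert on suspicious behaviour” can mean for a legacy segment, here is an added example written for this article (not Syn-Star code and not any particular SIEM product). It assumes a constructed legacy VLAN of 10.99.0.0/24, a constructed jump host at 10.10.0.5, a constructed log collector at 10.10.0.50, and two made-up log line formats for firewall and authentication events. The rules it applies are the ones the article implies: a legacy host reaching anything but the allowlisted collector, any login to a legacy host that did not come through the jump host, repeated failed logins on a legacy host, and connection attempts from the legacy zone that the firewall had to block.

```python
"""Added example: simple detection rules over firewall and authentication
logs forwarded from an isolated legacy segment.
Not Syn-Star code; addresses, hosts and log formats are constructed."""
import re
from ipaddress import ip_address, ip_network

LEGACY_NET = ip_network("10.99.0.0/24")           # assumed isolated legacy VLAN
JUMP_HOST = ip_address("10.10.0.5")               # assumed only permitted management source
ALLOWED_DST = [ip_network("10.10.0.50/32")]       # assumed log collector, the only allowed egress

# Constructed line formats:
#   "<ts> FW src=<ip> dst=<ip> dport=<n> action=<allow|deny>"
#   "<ts> AUTH host=<ip> user=<name> src=<ip> result=<ok|fail>"
FW_RE = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) AUTH host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\w+)$")


def in_legacy(ip: str) -> bool:
    return ip_address(ip) in LEGACY_NET


def allowed_dst(ip: str) -> bool:
    return any(ip_address(ip) in net for net in ALLOWED_DST)


def analyse(lines: list[str], fail_threshold: int = 3) -> list[str]:
    """Return one alert string per suspicious event; lines that match no format are reported too."""
    alerts = []
    fails: dict[tuple[str, str], int] = {}
    for line in lines:
        m = FW_RE.match(line)
        if m:
            src, dst, action = m["src"], m["dst"], m["action"]
            if in_legacy(src) and action == "allow" and not allowed_dst(dst):
                alerts.append(f"{m['ts']} legacy host {src} reached non-allowlisted {dst}:{m['dport']}")
            elif in_legacy(src) and action == "deny":
                # Deny-by-default did its job, but a legacy host trying to leave
                # its zone is still worth a look.
                alerts.append(f"{m['ts']} blocked attempt from legacy host {src} to {dst}:{m['dport']}")
            continue
        m = AUTH_RE.match(line)
        if m:
            host, src, user = m["host"], m["src"], m["user"]
            if in_legacy(host):
                if ip_address(src) != JUMP_HOST:
                    alerts.append(f"{m['ts']} login to legacy host {host} from {src}, not the jump host")
                if m["result"] == "fail":
                    key = (host, user)
                    fails[key] = fails.get(key, 0) + 1
                    if fails[key] == fail_threshold:   # fire once, at the threshold
                        alerts.append(f"{m['ts']} {fail_threshold} failed logins for {user} on legacy host {host}")
            continue
        alerts.append(f"unparsed log line: {line}")   # a logging gap is itself a finding
    return alerts


# Constructed sample log lines from the legacy segment.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01 FW src=10.99.0.20 dst=10.10.0.50 dport=514 action=allow",   # syslog to collector: fine
    "2024-05-01T08:00:05 FW src=10.99.0.20 dst=203.0.113.7 dport=443 action=allow",  # internet egress: alert
    "2024-05-01T08:01:00 AUTH host=10.99.0.20 user=operator src=10.10.0.5 result=ok",  # via jump host: fine
    "2024-05-01T08:02:00 AUTH host=10.99.0.20 user=admin src=10.10.0.77 result=ok",    # bypassed jump host: alert
    "2024-05-01T08:02:10 AUTH host=10.99.0.20 user=svc src=10.10.0.5 result=fail",
    "2024-05-01T08:02:20 AUTH host=10.99.0.20 user=svc src=10.10.0.5 result=fail",
    "2024-05-01T08:02:30 AUTH host=10.99.0.20 user=svc src=10.10.0.5 result=fail",     # third failure: alert
    "2024-05-01T08:03:00 FW src=10.99.0.21 dst=10.10.0.9 dport=445 action=deny",      # blocked SMB to core: alert
    "2024-05-01T08:04:00 AUTH host=10.10.0.9 user=bob src=10.10.0.77 result=fail",    # not a legacy host: ignored
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

On the sample above the script raises four alerts. In practice the thresholds and allowlists would come from your documented scope, and the output would feed whatever central monitoring system receives the legacy zone’s logs.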
In your Cyber Essentials self‑assessment, carefully document:
This transparency helps the assessor understand your risk approach.
Legacy compliance is a stopgap, not forever. Maintain a roadmap to replace or migrate legacy systems over time. Use new systems that align easily with Cyber Essentials.
The UK government guidance recommends reducing legacy IT over time and integrating contract requirements for upgradability.
At Syn-Star we understand the importance of business continuity with legacy systems when they are needed, and we want to ensure your business can continue to use these legacy operating systems while remaining secure.
When explaining the ins and outs of achieving Cyber Essentials with legacy devices, we may have dipped into technical language, but don’t worry if it didn’t all make sense!
At Syn-Star, we’re passionate about helping businesses secure their systems, and we never expect you to tackle it alone.
We’ve supported hundreds of organisations in meeting Cyber Essentials requirements, even with older tech. No heavy lifting needed from you or your team, that’s exactly what we’re here for.
Read our practical steps on disabling unused services, strict firewalling, minimal installed software and controlled access.
You can adapt those steps to wrap a legacy Windows XP system in a hardened, isolated envelope, then apply the above strategies to align with Cyber Essentials controls.
Achieving Cyber Essentials with legacy systems is challenging but possible, if you:
Yes, but only if the legacy systems are properly isolated, hardened, and do not pose a risk to the rest of your IT environment. These systems must be strictly segmented and protected with compensating controls.
Contact us for support achieving cyber essentials using legacy devices
A legacy system is typically one that is no longer supported by the manufacturer, receives no regular security updates, or runs outdated software or hardware incompatible with modern security tools (e.g. antivirus or MFA).
Not necessarily. You must prove that any legacy systems are not part of the certified environment or have sufficient compensating controls in place. However, full isolation and documentation are crucial for CE Plus due to the external technical audit.
Yes, though this is strongly discouraged. Legacy systems connected directly to the internet are at high risk of being compromised. Best practice is to disconnect them from the internet and use firewall-restricted jump hosts for access.
Possibly. Some legacy systems can run lightweight antivirus software, but compatibility varies.
Anne-Marie Blazdell is a Marketing & Communications Manager with expertise in digital marketing, content creation, and IT solutions. With a strong foundation in graphic design, she trained at Farnborough College of Technology and Southampton Solent University before advancing into marketing and business IT support.
Since joining Syn-Star in 2022, Anne-Marie has specialised in crafting SEO-optimised website content, managing social media, and helping businesses navigate the complexities of IT. Her work bridges the gap between technology and business, making IT more accessible and effective.