I run into this situation all the time when pen-testing.
Me: “I found this system that is running Windows XP, you need to decommission this one.”
Client: “We can’t, that system is running a custom Access application that was written by a former employee. He left the company 10 years ago and nobody knows to to update his code.”
Later we discover the system has been hijacked for years and is hosting stolen identity documents, and spamming the customers of a French ISP.
MAR