Seventy-three percent of companies are using vulnerable, end-of-life networking equipment, up from 60 percent last year, according to a new analysis of more than 212,000 Cisco networking devices at 350 organizations across North America.
"It's amazing how many folks have this issue in their environment," said David Vigna, Cisco practice director at Softchoice, the company that conducted the analysis.
Meanwhile, the share of devices that are end-of-life rose from 4 percent in 2015 to 6 percent this year.
Old equipment that is no longer supported by the vendors who made it are vulnerable because newly-discovered vulnerabilities and other problems are not being patched.
That puts those companies at higher risk of security breaches, network outages and higher future replacement costs.
"If its an older device, there are vulnerabilities against it," he said.
But companies often keep the older equipment around because it still works.
"If something isn't having an issue, we tend to forget about it," Vigna said. "If there isn't pain, there isn't a reason to change a lot at companies."
In addition, the companies might not even be aware that some of their equipment is past its due date.
"Our networks today have grown in fits and starts and we have turnover in IT staff," he said.
Devices located on the perimeter of a corporate network, like firewalls and intrusion detection systems pose a particular danger -- even if they are relatively new.
"The speed at which things change, you might want to be looking at replacing them a little more often," Vigna said.
But even devices located within the corporate network, behind the firewall, can pose a threat.
"Often, the problem we have is phishing attacks or malware attacks, where an outside entity will make it inside the network," he said. Attackers will then try to jump to other internal systems. "You have to protect on the inside just like you have to protect on the outside."
The security risk of any one particular device can vary greatly, he added, based on where it is being used and how it is configured. There might be a problem with one specific feature, and if that feature is not enabled, the device is a bit more secure.
The report also showed that 23 percent of networking devices are no longer being sold. This is down from 51 percent last year.
Vendors typically stop supporting devices two to five years after they stop selling them, according to Softchoice.
This means that companies should start planning to replace those devices as soon as possible, the report said, even when the older devices still seem to work fine.
"There is a danger here, where 'good enough' is the enemy of 'better'," said Vigna.