
Great Plains Security Risks: Why End-of-Life ERP Software Becomes a Prime Attack Vector


This article was inspired by our recent webinar, Great Plains Migration Roadmap for Nonprofits, where we discussed the growing security and compliance risks of staying on end-of-life ERP systems. 

For many organizations, Microsoft Dynamics Great Plains has been a steady presence for years — in some cases, decades. It’s familiar, deeply embedded, and on the surface, continues to support day-to-day operations. 

And with Great Plains end-of-life expected in 2029, it’s easy for that date to feel far off. 

But when you work backwards from what a transition actually takes, it becomes clear that security and compliance risks don’t arrive all at once. They accumulate long before the final support date ever appears on the calendar. 

This is why end-of-life ERP systems don’t just age out. They attract attention, and not the kind organizations want. 

The Problem with “Still Working” 

One of the easiest patterns to fall into is assuming there’s no urgency to change until a crisis makes it unavoidable. 

Even when Great Plains appears stable day to day, the risk can still be growing underneath. Transactions post. Reports run. From the outside, everything can look normal—right up until the point it doesn’t. 

Security risk is often invisible until it’s exploited. 

And as an end-of-life date gets closer, legacy systems can become more attractive targets. Threat actors pay attention to public support timelines because they know security updates and vendor attention will eventually slow down. Over time, that can create a widening gap between modern threats and what an older platform can reasonably defend against. 

As a platform nears end-of-life, the protective layer around it starts to thin. Roadmaps move forward, and security investment naturally concentrates on current platforms. That can mean fewer improvements, slower fixes, and a widening gap between modern threats and what a legacy architecture can realistically absorb. 

Attackers notice that gap long before most organizations do. 

And this isn’t a theoretical concern. Statistics Canada reports that about 16% (roughly one in six) of businesses were impacted by cybersecurity incidents in 2023, and spending on recovery doubled from 2021 to 2023, a signal that even when fewer organizations report being hit, the consequences can be more costly when an incident does happen.

That context matters, because it reframes the decision. The question isn’t whether cyber threats exist. It’s whether a well-intentioned “we’re fine for now” posture is gradually increasing exposure, especially when the system in question is approaching the end of its supported life. 

Why End-of-Life Software Draws the Wrong Kind of Attention 

Threat actors rarely pick targets at random. They look for advantage, and they pay attention to timing. 

That is why end-of-life announcements matter. They are public signals. They tell the market what is being maintained, what is being phased out, and where security work may slow down over time. To an attacker, that kind of clarity can be useful because it helps narrow down which environments may become easier to exploit as support winds down. 

As one Sparkrock expert put it while discussing the Great Plains timeline: 

“The closer and closer we get to this deadline, the more and more people are going to be looking at this as an opportunity or a potential attack vector.” 

The key point is that risk does not begin on the end-of-life date. It builds as the deadline approaches, especially when organizations assume they have lots of runway because the system still appears stable. 

This is also consistent with how supply chain threats have evolved. Research on software supply chains has noted that well-resourced threat actors do not always need to break through perimeter defenses. Instead, they can compromise third-party software and products that will eventually be deployed inside the target environment.  

Cybersecurity agencies describe a similar pattern. Their guidance explains that supply chain attacks target third-party software suppliers, and that attackers can exploit the trusted relationship between a customer and a supplier to gain persistent access, sometimes without detection for long periods.

For organizations running Great Plains near end-of-life, the concern is not just about missing future improvements. The real issue is that exposure becomes harder to manage at the exact moment the threat environment is least forgiving, and the time to reduce risk tends to get shorter, not longer. 

The Windows Comparison Everyone Understands 

Most organizations have already lived through this cycle with operating systems. 

Windows XP. Windows 7. Windows 10. 

Each time, the conversation followed a familiar arc. At first, the end-of-life announcement felt distant. Then IT teams began raising concerns. Then auditors started asking questions. Eventually, running unsupported operating systems became unacceptable—not because they stopped working, but because the risk was no longer defensible. 

Great Plains is following the same path, but with higher stakes. 

ERP systems sit at the center of financial operations. They store payroll data, vendor banking details, grant and fund information, and personally identifiable information. In many organizations, they are among the most sensitive systems in the entire technology stack. 

If unsupported operating systems are considered a risk, unsupported financial systems demand even closer scrutiny. 

Security Risk Doesn’t Start on the Final Day 

End-of-life is a date on a roadmap. Risk is a curve. 

Long before official support ends, the environment around a legacy system begins to shift. Security updates may still be available, but investment naturally moves forward. Over time, fixes can become more limited, enhancements slow down, and the gap between modern threat patterns and older architecture widens. 

At the same time, the ecosystem that supports a legacy platform starts to thin as partners and skilled resources shift their focus to newer solutions. Expertise becomes harder to find, and environments with customizations or complex integrations can take more effort to maintain, troubleshoot, and secure over time. 

This is where risk compounds. 

Exposure increases while the capacity to respond — technically and operationally — gradually shrinks. 

What Boards and Auditors Are Actually Evaluating 

Security conversations look different than they did even a few years ago. Boards and auditors still care about controls, but they are paying closer attention to something upstream of the controls themselves: whether leadership understands its technology exposure and has a credible plan to manage it. 

In that lens, the questions get very practical: 

  • Are core systems supported by vendors? 
  • Is there a documented plan for known end-of-life platforms? 
  • How long will the organization remain exposed? 
  • Who owns the decision to stay or move? 

This is why running Great Plains past its end-of-life without a clear, communicated plan becomes more than a technical issue. It turns into a governance issue. Even in the absence of a breach, the lack of an articulated strategy can surface as a finding on its own. 

Why Waiting to Move off Great Plains Makes Everything Harder 

There is also a practical reality that often gets overlooked in security conversations. 

As Great Plains approaches its end-of-life date, more organizations will move at the same time. Implementation partners will be in higher demand, timelines will stretch, and costs will rise. Organizations that delayed planning will find themselves making rushed decisions under pressure. 

Industry estimates suggest around 17,000 organizations could still be running Great Plains as that window approaches. And for most teams, an ERP migration isn’t a quick switch: vendor selection and implementation often take 12–18 months, especially when you factor in data cleanup, testing, training, and change management alongside day-to-day work.

The challenge is that capacity won’t scale up to match demand. As Great Plains winds down, many implementation firms will shift their teams toward cloud platforms and newer ERP ecosystems. That means fewer Great Plains–experienced resources are available at the same time more organizations are looking for help. 

From a risk perspective, that combination is brutal: exposure increases at the same time flexibility disappears. 

Security incidents don’t align themselves with project plans, and audits rarely pause because timelines feel inconvenient. 

Architecture Matters More Than Patching 

Migrating off Great Plains can feel like a big project. The upside is that it opens the door to a more modern security foundation. 

Today’s cloud-based ERP platforms are built for continuous updates and cloud-first security. Identity controls, monitoring, and ongoing improvements are part of how the platform operates—not add-ons you have to layer in later. Great Plains was built in a different era, and while updates can help, patching doesn’t change what the system was designed to handle. 

That’s why end-of-life planning can be a positive turning point. It’s a chance to move to a platform that’s designed for the way organizations work—and the way threats operate—today. 

Turning an Inevitable Deadline into a Controlled Decision 

This isn’t about panic. It’s about planning. Great Plains end-of-life is a known event, and known events are manageable when they’re treated that way. 

Organizations that take Great Plains security risks seriously early gain something that is easy to lose later: control. They get to set the pace instead of reacting to it. They can make decisions with time to test, train, and adjust, rather than rushing because capacity has tightened and the deadline feels close. They also put themselves in a stronger position with boards and auditors, because they can show that technology risk is being managed with intent, not postponed until it becomes unavoidable. 

Just as importantly, they avoid the false comfort that comes from systems that look stable on the surface while the underlying exposure grows. 

This is especially relevant in the Canadian cybersecurity environment. Recent industry research points to a climate where ransomware and supply chain threats continue to pressure organizations, particularly when critical systems are difficult to update and slow to change. 

In that context, staying on end-of-life software is not a neutral choice. It is a decision that increases exposure at a moment when resilience is becoming a baseline expectation. 

Waiting Is Not a Security Strategy 

Great Plains has played an important role for many organizations, and that history deserves respect. Still, longevity is not the same thing as safety. 

End-of-life software doesn’t fail loudly. It fails by becoming predictable. And predictability is exactly what attackers look for. 

Or, as the warning goes: 

“The closer we get to this deadline, it becomes an opportunity — a potential attack vector.” 

If moving off of Great Plains is on your roadmap, it’s worth having the conversation early. Our team can help you think through timing, risk, and what a realistic transition plan looks like for your organization, without rushing you into a decision. 

Book your GP Migration strategy call today. 
