Two-thirds of UK businesses and two-fifths of US firms are still running Windows 7, according to new research released on the day the operating system, and Windows Server 2008, reach their end-of-support deadline.
Organizations that fail to upgrade their operating systems or invest in costly extended support from Microsoft will no longer receive patches from the vendor, exposing themselves to unnecessary cyber risk, according to Kollective, which issued the research.
“It took many businesses up to three years to move from XP to Windows 7 and we can expect a similar timeline for the move to Windows 10. While a lot of companies have migrated the majority of their systems away from Windows 7, being ‘almost there’ isn’t good enough,” argued Jon O’Connor, solution architect at Kollective.
“It only takes a handful of unsecured devices to launch a full-scale cyber-attack, so having even one or two Windows 7 PCs on your network could pose a serious risk. IT teams need to know for certain that every single device on their networks is off of Windows 7 — but the reality is that most simply don’t know.”
As if to emphasize the potential risks of staying on unsupported operating system versions, news emerged this week that Microsoft is shipping a fix today for a critical flaw in a core Windows component, which could have wide-ranging consequences if left unpatched. The bug is so bad that reports suggest Redmond has already secretly supplied the patch to high-value customers.
Carl Wearn, head of e-crime at Mimecast, urged organizations to ensure they have third-party security tools in place to help shield them from exposure to threats.
“As organizations move their operations to the cloud, legacy support issues like this will likely become a thing of the past in the next 10 to 15 years, but as Windows 7 remains in use across many organizations at present, people should be aware of the increased vulnerability which this OS will now experience as it is no longer supported,” he continued.
“Ensuring good cyber hygiene and the use of fallback facilities, as well as ensuring the updating of a good antivirus solution, becomes even more critical to an organization if it continues to use an unsupported OS.”
Trend Micro argued that “virtual patching,” or intrusion prevention technology, can also help in these circumstances, by protecting unsupported and unpatched operating systems.
“Speaking to numerous businesses over recent weeks, a worryingly high number are prepared to adopt a wait-and-see policy following the end of Server 2008 support on 14 January 2020,” argued VP of sales, Ross Baker.
“This amounts to an extreme hedging of bets and something we would definitely not recommend.”
Some organizations may not be able to upgrade to new OS versions if they have compatibility issues with business-critical legacy applications, or, for example, if Windows has been embedded in OT systems by a manufacturer, added VP of security research, Rik Ferguson.