If it’s not broke, don’t fix it

Many people think that as long as their computer is running at a good speed and everything is working, there is no need to upgrade. Why spend money when you don’t have to, right? Wrong! The technology world cannot run on the mantra “if it’s not broke, don’t fix it” because in reality, it is broken and you just don’t know it. The proof can be seen when WannaCry ransomware was unleashed on the world in May 2017.

It crippled over 300,000 machines in 150 countries by targeting vulnerabilities in Windows operating systems, hitting Windows 7 the most. While Windows patched many of these vulnerabilities, their focus was, and still is, on their active operating systems, primarily Windows 10. According to Windows “every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported.”[1] What does this mean for your security?

Operating SystemAvailability DateEnd of Life DateEnd of Mainstream Support DateEnd of Extended Support Date
Windows XPOctober 25, 2001January 9, 2007April 14, 2009April 8, 2014
Windows VistaJanuary 30, 2007October 22, 2010April 10, 2012April 11, 2017
Windows 7October 22, 2009October 31, 2013January 13, 2015January 14, 2020
Windows 8October 26, 2012October 31, 2014January 8, 2018January 10, 2023
Windows 8.1October 18, 2013September 1, 2015January 8, 2018January 10, 2023

Windows Lifecycle

According to Windows’ lifecycle policy[2], a product is designed to have a 5 year mainstream support lifecycle followed by a 5 year extended support cycle. During the mainstream support, consumers have access to free incident support, security update support and the ability to request non-security updates. When a product moves to the extended support stage, security updates are still provided but no new features or design changes are available, and not all products are covered.

After the end of extended support, security updates greatly decrease. According to Microsoft, “the Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates for a maximum of three years after the product’s End of Extended Support date.” Who determines what is critical and important? Microsoft of course. It would have to be a huge security breach, such as WannaCry, to justify the amount of money it would take to push out an update.

Image from Windows end of XP Support[3]

What’s the risk?

If you are running an antiquated system on your home computer, that is a risk to your security and your personal information. Not smart, but not a worldwide catastrophe. However, having one device on your work network running an old system could be devastating.

Though Windows created security updates to counter WannaCry, it is still active on over 145,000 devices worldwide according to a survey by Armis[4]. If even one device on your network is infected, it creates a gateway for hackers to breach your security.

Armis discovered that within the past 6 months, 60% of organization in the manufacturing industry and 40% in the healthcare industry experienced at least one WannaCry attack. Why? Because they tend to have older technology which makes them an easy target.

Percentage of old Windows OS versions by industry type (Retail, Technology, Healthcare, Manufacturing)4

What’s the cost?

It is estimated that the global effort to counter the original WannaCry attack in 2017 cost around $4 billion, including $325 million paid out in ransoms. The combined efforts to stop the attacks created the false sense of security that WannaCry is no longer a threat. This is just not true.

In the same way that tech companies develop better, faster and more efficient software, the criminals do too. Hackers do not stay docile. If one means to infiltrate your system fails, they look for a different back door. Having the most up to date software means that Windows is fighting those battles for you. Keeping an unsupported operating system is the same as lowering the drawbridge to the attacking army.

According to IBM’s Cost of a Breach Report 2019, the average cost of a breach in the United States is $8.2 million. With the average size of a breach being 25,575 records, that equates to $242 per record. Lost business was the biggest contributor to this total cost, with the average business losing $1.42 million[5]. It is hard to recover from the lack of trust a customer feels when their information was stolen on your watch.

Next steps

Where do you go from here? Even with these numbers, you may be asking yourself, can we really afford to find and update every device that is out of date? The bigger question is, can your business survive the cost of a breach if you don’t?

Start with our Cyber Quick Check to see what your cybersecurity score is. Our Security Risk Assessment includes multiple scans that pinpoint weak areas that are most vulnerable, including a full inventory of what is on your network. Don’t let your records be held ransom. Fight back with the right security.  If you’re still running Windows XP, Windows 7 or Windows Vista start an upgrade program today.  Replace your computers that have the oldest versions of Windows with new computers with the latest version of Windows as you can afford it.

Check your cyber score at here

 

[1] https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

[2] https://support.microsoft.com/en-us/help/14085

[3] https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-xp-support

[4] https://armis.com/wannacry/

[5] IBM Security and Ponemon Institute. Cost of a Data Breach Report 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL

https://www.googletagmanager.com/gtag/js?id=UA-58281542-1