If it’s not broke, don’t fix it
Many people think that as long as their computer is running at a good speed and everything is working, there is no need to upgrade. Why spend money when you don’t have to, right? Wrong! The technology world cannot run on the mantra “if it’s not broke, don’t fix it” because in reality, it is broken and you just don’t know it. The proof can be seen when WannaCry ransomware was unleashed on the world in May 2017.
It crippled over 300,000 machines in 150 countries by targeting vulnerabilities in Windows operating systems, hitting Windows 7 the most. While Windows patched many of these vulnerabilities, their focus was, and still is, on their active operating systems, primarily Windows 10. According to Windows “every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported.”[1] What does this mean for your security?
| Operating System | Availability Date | End of Life Date | End of Mainstream Support Date | End of Extended Support Date |
| --- | --- | --- | --- | --- |
| Windows XP | October 25, 2001 | January 9, 2007 | April 14, 2009 | April 8, 2014 |
| Windows Vista | January 30, 2007 | October 22, 2010 | April 10, 2012 | April 11, 2017 |
| Windows 7 | October 22, 2009 | October 31, 2013 | January 13, 2015 | January 14, 2020 |
| Windows 8 | October 26, 2012 | October 31, 2014 | January 8, 2018 | January 10, 2023 |
| Windows 8.1 | October 18, 2013 | September 1, 2015 | January 8, 2018 | January 10, 2023 |
Windows Lifecycle
According to Windows’ lifecycle policy[2], a product is designed to have a 5 year mainstream support lifecycle followed by a 5 year extended support cycle. During the mainstream support, consumers have access to free incident support, security update support and the ability to request non-security updates. When a product moves to the extended support stage, security updates are still provided but no new features or design changes are available, and not all products are covered.
After the end of extended support, security updates greatly decrease. According to Microsoft, “the Extended Security Update (ESU) program is a last resort option for customers who need to run certain legacy Microsoft products past the end of support. It includes Critical and/or Important security updates for a maximum of three years after the product’s End of Extended Support date.” Who determines what is critical and important? Microsoft of course. It would have to be a huge security breach, such as WannaCry, to justify the amount of money it would take to push out an update.
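As an added example (not code from the original post), the check below classifies each machine in a constructed asset inventory against the lifecycle dates from the table above and the three-year ESU window just described, so the oldest systems surface first; the hostnames and inventory lines are made up.

```python
from datetime import date

# Lifecycle dates copied from the Windows lifecycle table on this page.
LIFECYCLE = {
    "Windows XP":    (date(2009, 4, 14), date(2014, 4, 8)),
    "Windows Vista": (date(2012, 4, 10), date(2017, 4, 11)),
    "Windows 7":     (date(2015, 1, 13), date(2020, 1, 14)),
    "Windows 8":     (date(2018, 1, 8),  date(2023, 1, 10)),
    "Windows 8.1":   (date(2018, 1, 8),  date(2023, 1, 10)),
}
ESU_YEARS = 3  # ESU covers at most three years past End of Extended Support

# Severity order used to sort the report: worst first.
PHASE_RANK = {"unsupported": 0, "esu-only": 1, "extended": 2,
              "mainstream": 3, "not-in-table": 4}


def support_phase(os_name, today):
    """Return the support phase an OS is in on a given date."""
    if os_name not in LIFECYCLE:
        return "not-in-table"
    mainstream_end, extended_end = LIFECYCLE[os_name]
    if today <= mainstream_end:
        return "mainstream"
    if today <= extended_end:
        return "extended"
    # None of the table dates fall on Feb 29, so plain year arithmetic is safe here.
    esu_end = extended_end.replace(year=extended_end.year + ESU_YEARS)
    if today <= esu_end:
        return "esu-only"   # security fixes only, and only with a paid ESU contract
    return "unsupported"


def triage_inventory(lines, today):
    """Parse 'hostname,os' lines and return (host, os, phase) tuples, worst first."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, os_name = (part.strip() for part in line.split(",", 1))
        rows.append((host, os_name, support_phase(os_name, today)))
    return sorted(rows, key=lambda r: (PHASE_RANK[r[2]], r[0]))


# Constructed sample inventory (hostnames and assignments are invented).
SAMPLE_INVENTORY = [
    "# host,os",
    "hr-pc-01,Windows 7",
    "lab-plc-gw,Windows XP",
    "rcpt-kiosk,Windows Vista",
    "dev-vm-9,Windows 8.1",
    "fin-ws-02,Windows 10",
]

if __name__ == "__main__":
    for host, os_name, phase in triage_inventory(SAMPLE_INVENTORY, date(2019, 11, 1)):
        print(f"{host:12} {os_name:14} {phase}")
```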
Image from Windows end of XP Support[3]
What’s the risk?
If you are running an antiquated system on your home computer, that is a risk to your security and your personal information. Not smart, but not a worldwide catastrophe. However, having one device on your work network running an old system could be devastating.
Though Windows created security updates to counter WannaCry, it is still active on over 145,000 devices worldwide according to a survey by Armis[4]. If even one device on your network is infected, it creates a gateway for hackers to breach your security.
Armis discovered that within the past 6 months, 60% of organizations in the manufacturing industry and 40% in the healthcare industry experienced at least one WannaCry attack. Why? Because they tend to have older technology, which makes them an easy target.
Percentage of old Windows OS versions by industry type (Retail, Technology, Healthcare, Manufacturing)[4]
What’s the cost?
It is estimated that the global effort to counter the original WannaCry attack in 2017 cost around $4 billion, including $325 million paid out in ransoms. The combined efforts to stop the attacks created the false sense of security that WannaCry is no longer a threat. This is just not true.
In the same way that tech companies develop better, faster and more efficient software, the criminals do too. Hackers do not stay docile. If one means to infiltrate your system fails, they look for a different back door. Having the most up to date software means that Windows is fighting those battles for you. Keeping an unsupported operating system is the same as lowering the drawbridge to the attacking army.
According to IBM’s Cost of a Breach Report 2019, the average cost of a breach in the United States is $8.2 million. With the average size of a breach being 25,575 records, that equates to $242 per record. Lost business was the biggest contributor to this total cost, with the average business losing $1.42 million[5]. It is hard to recover from the lack of trust a customer feels when their information was stolen on your watch.
Next steps
Where do you go from here? Even with these numbers, you may be asking yourself, can we really afford to find and update every device that is out of date? The bigger question is, can your business survive the cost of a breach if you don’t?
Start with our Cyber Quick Check to see what your cybersecurity score is. Our Security Risk Assessment includes multiple scans that pinpoint the weak areas that are most vulnerable, including a full inventory of what is on your network. Don’t let your records be held ransom. Fight back with the right security. If you’re still running Windows XP, Windows 7 or Windows Vista, start an upgrade program today. Replace the computers running the oldest versions of Windows with new computers running the latest version of Windows as you can afford to.
Check your cyber score here.
[1] https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
[2] https://support.microsoft.com/en-us/help/14085
[3] https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-xp-support
[4] https://armis.com/wannacry/
[5] IBM Security and Ponemon Institute. Cost of a Data Breach Report 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL