Security risks loom large as businesses fail to update Windows OS

News by SC Staff

Millions of personal computers worldwide running on Windows 7 operating system - including 76% of NHS PCs - will stop receiving security updates, as Microsoft is ending the support for the OS on 14 January

Millions of personal computers worldwide running on Windows 7 operating system will stop receiving security updates, as Microsoft is ending the support for its popular OS on 14 January.

The Windows 7 machines will still function, but they will no longer receive technical support, software updates or security fixes from Microsoft.

"After January 14, 2020, if your PC is running Windows 7, it will no longer receive security updates," read the Microsoft Windows support website’s section for Windows 7.

"In addition, Microsoft customer service will no longer be available to provide Windows 7 technical support. Related services for Windows 7 will also be discontinued over time."

Extended support charges will be costly. New hardware components may not be compatible with the older system.    

"The cost for extended support depends on the size of the firm; Microsoft may charge US$25 (£20) per device for the first year, moving to US$50 (£40) in the second year and US$100 (£80) per device for the third year for Windows Enterprise," noted Mat Clothier, CEO of Cloudhouse. 

Microsoft has been publishing reminder notifications throughout last year about the move, recommending actions to be taken ahead of pulling the plug. 

A similar step was taken in 2014 with the hugely popular Windows XP. Unlike last time, Windows 7 continues to be a popular OS, with several trade websites listing it as the second most used operating system after Windows 10. This situation should not have happened, commented Jake Moore, cyber-security specialist at ESET.

"I am always perplexed when I hear of companies not using the latest operating system, especially when the version they are using came out a decade ago and will be void of security updates in the next few weeks. It is paramount to have all machines set to the latest operating system for multiple reasons but if companies want to stay secure and protected, the number one priority would be to upgrade – at whatever cost," he said.

However, the biggest risk is that businesses will no longer receive security updates, making them more vulnerable to cyber attacks. Organisations, including the NHS, that retained Windows XP were easy prey during the WannaCry attack.

Former Department of Health and Social Care minister Jackie Doyle-Price informed the UK parliament last year that out of the 1.37 million PCs being used in the NHS, 76 percent of these devices still ran Windows 7.

"By using an unsupported operating system, businesses expose themselves to cyber-security risks," commented Raj Samani, chief scientist and fellow at McAfee.

"Cyber-criminals can then use this to their advantage by identifying any flaws in the system and potentially accessing data and information - as seen previously during the end life of former operating systems, such as Windows XP," he said.

Organisations running Windows 7 past 14 January are putting their company and staff, as well as their suppliers, partners and customers, at security risk, noted Ken Galvin, senior product manager at Quest KACE.

"We’re now at the stage where the best option is to upgrade. However, if businesses cannot and have made arrangements with Microsoft to pay for continued Windows 7 patching support, it is critical that they make sure their patch management system will be able to apply them," he explained.

Security solutions, particularly anti-virus software, often stop working properly on legacy systems once the vendor drops support for them.

"With Microsoft discontinuing support for Windows 7 and Windows Server 2008 on January 14, it is imperative that consumers and businesses take steps to ensure their systems are not vulnerable," commented Satnam Narang, senior research engineer at Tenable.  

"In December 2019, Microsoft released fixes for CVE-2019-1458, an elevation of privilege vulnerability that was exploited in the wild. It affects both Windows 7 and Windows 2008 systems. Users of Windows 7 and Windows Server 2008 who opt not to migrate to newer versions are at risk of being preyed upon by bad actors, leaving them vulnerable to attacks especially since these systems won’t be supported by Microsoft," he said.

Not receiving security updates can put data at risk, not to mention the GDPR problems involved, and the potential of being attacked with ransomware or other malicious code that can bring firms crashing to a halt, warned Moore of ESET.

A business survey by Cloudhouse shows that 69 percent of businesses feel severely hampered by the cost and complexity of migrating legacy applications. Nearly 25 percent admit they don’t know of any solutions that would enable them to migrate their legacy applications.

"The cost of a major upgrade may be a bitter pill to swallow for some businesses but it is better to prepare for an attack rather than to pick up the pieces after your business goes offline. Furthermore, attackers are very good at locating out of date systems online," said Moore.

However, upgrading is not an impossible task, assures Galvin of Quest KACE.

"IT teams can, and should, be taking advantage of automation tools to assist with the migration, and invest in ongoing endpoint management to make sure that these systems are continually up to date without the team needing to break their backs. Businesses should prioritise gaining visibility over all their systems so they can be 100 percent sure that each one is secure."
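The visibility Galvin describes starts with knowing which machines still report a Windows 7 or Windows Server 2008 build. The following PowerShell is an added example, not code from the article or from any of the vendors quoted in it; it assumes a domain-joined estate, the ActiveDirectory RSAT module, and an account allowed to read computer objects.

```powershell
# Added example (not from the article): list enabled domain computer accounts that
# still report Windows 7 or Windows Server 2008, so they can be scheduled for
# upgrade or confirmed as covered by paid extended security updates.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read
# computer objects in the domain.
Import-Module ActiveDirectory

# AD stores the operating system name and version that each machine reported the
# last time it refreshed its own computer object.
$legacy = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $_.OperatingSystem -match 'Windows 7|Windows Server 2008' }

# Most recently active machines first: those are the ones exposed today, not stale objects.
$legacy |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Sort-Object LastLogonDate -Descending |
    Format-Table -AutoSize

"{0} enabled computer account(s) still report Windows 7 or Windows Server 2008" -f @($legacy).Count
```

The AD attributes only reflect what a machine reported at its last refresh, so a host that has been offline for months, or one that was rebuilt without updating its computer object, can be mislabelled; treat this list as a starting point and reconcile it against the endpoint management or patch management inventory before deciding which machines are genuinely unsupported.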
