The clock is ticking. Support for Windows 7 will officially end on January 14, 2020. That is less than 90 days from now. The Windows 7 end-of-life is significant because it’s very popular and widely used version of the Windows operating system. Businesses and individuals around the world will be exposed to increased risk from using an unsupported operating system.
Windows 7 End-of-Life
It’s hard to believe, but it’s been nearly 10 years since Microsoft introduced the Windows 7 operating system. That means that official support will expire on January 14, 2020 and Microsoft will no longer issue updates or patches for the OS. On a related side note, support for Office 2010 is also set to expire at the beginning of 2020, so many small and medium organizations may find most of their business conducted using unsupported software on unsupported platforms.
66% of SMB Devices at Risk
There is reason for concern. In our Critical Watch Report: 2019 SMB Threatscape, Alert Logic revealed the 66% of the devices scanned at small and medium business clients are running a Microsoft operating system that will be out of support by January 2020—meaning Windows 7 or older versions of the Windows operating system.
The report explains, “Additionally, there are still a non-trivial number of Windows XP and even 20-year-old Windows NT devices out there. Even if they are not exposed to the internet, these targets make lateral movement relatively easy once a host has been compromised. With the discontinuation of security updates and bug fixes for Windows Server 2008 scheduled for 2020, combined with the SMB trend of holding on to old operating systems, this security issue is likely to get much worse next year.”
The Case for Upgrading
What’s the big deal? Windows 7 is a great operating system. If it still works and it does what you need it to do, why should you invest in upgrading to Windows 10?
That’s a fair question. In fact, as long as Windows 7 is still a supported operating system it is a very reasonable perspective. There are features Windows 10 that aren’t available in Windows 7, but that’s not incentive if you aren’t interested in those additional capabilities.
Being unsupported changes things. Dramatically.
Microsoft is constantly researching vulnerabilities in the platforms and software it supports, and patches and updates are released on the second Tuesday of each month. Cyber criminals can work backwards from the vulnerability disclosure and the patch to figure out precisely where the flaw is and how to exploit it. There is a lot of shared components between the different versions of Windows so there’s a good chance that the same (or very similar) flaw will also exist in Windows 7. You just won’t have a patch to fix it.
Aside from putting your systems at risk by running unsupported operating systems, there’s also a very good chance that you will violate any compliance frameworks that apply to your business. The various industry guidelines and legislative mandates have unique requirements and directives, but the goal of all of them is to instill some sort of baseline or minimum acceptable security posture. It’s hard to claim to be secure while running operating systems that can’t be patched or updated.
This is just one example, but PCI-DSS requirement 6.2 states:
“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”
In other words, if you’re running an unsupported operating system that does not receive patches and updates for known vulnerabilities, you are no longer compliant and may be held accountable if your systems are compromised.
Time to Upgrade
You have less than three months left to upgrade your Windows 7 systems. That’s a daunting task if you haven’t even begun the process, but better late than never. Delaying the effort won’t make it faster or easier.
Of course, this is just one challenge facing small and medium businesses when it comes to cybersecurity. To learn more about the threat landscape and how Alert Logic can help you defend your networks and data, check out the Alert Logic Critical Watch Report: 2019 SMB Threatscape.