Running an end-of-life operating system can literally also end the life of a business once a cyberattacker infiltrates its network.
Almost one quarter of customers (22%) of a cybersecurity firm werestill using the end-of-life Windows 7 operating system, when an anonymized study was conducted recently.
Microsoft had stopped providing security updates to the old operating system in January last year. At the rate that cyberattacks grow in sophistication, any unsupported operating system can become vulnerable within hours of becoming redundant.
Among those still using Windows 7, consumers, small- to medium- enterprises (SMEs), and very small businesses (VSBs) globally occupied almost the same share: 22% each. Almost a quarter of VSBs do not have dedicated IT staff responsible solely for cybersecurity, yet they are still using Windows 7 on the Kaspersky Security Network.
For now, businesses can still receive extended paid support for Windows 7, but at an extra expense and on a limited time window determined by Microsoft. As for even older operating systems such as Windows XP and Vista, vendor support ended in 2014 and 2017, respectively. Only 1% of these redundant OSes were in use on the firm’s protection network.
What if OS upgrades are not possible?
According to the firm’s spokesperson: “Updating your operating system might seem like a nuisance for many. But OS updates are not just there just to fix errors, or to offer the newest interface. The procedure introduces fixes for those bugs that can open a gaping door for cybercriminals to enter. Even if you think you are vigilant and protected while online, updating your OS is an essential element of security that should not be overlooked, regardless of any third-party security solution’s presence. If OS is obsolete, it can no longer receive these critical updates.”
The firm is cognizant of such users and notes: knowing the risks of an end-of-life operating system is a good start but acting on that knowledge is a smart way to finish. Use an up-to-date version of the OS and make sure the auto-update feature is enabled.
Users that for some reason cannot upgrade to the latest OS version soonest, need to consider this attack vector in their threat model and ensure smart separation of vulnerable nodes from the rest of the network. Solutions with exploit prevention technologies can be used to reduce the risks of unpatched vulnerabilities that can be found in an obsolete OS.