As support for Microsoft’s Windows 7 operating system (OS) ends today (14 January 2020), organisations around the world are panicking as it dawns on their IT teams that they have completely missed the boat.
As already discussed, more than half of UK organisations appear to have failed to complete the transition process, with some IT teams not even sure if they had any Windows 7 machines, and many face escalating costs to keep their systems functional under an extended support package that will run for the next three years.
With so many people still running the old OS, and free upgrades to Windows 10 no longer officially possible – which will lock out many small businesses – the cyber security implications of failing to upgrade represent a far more pressing threat than increased costs. In short, exploits targeting Windows 7 users are likely to increase substantially in volume in the coming months.
But boom time for cyber criminals can also mean boom time for the CISOs tasked with defending against them, and for white hats, the end of Windows 7 support is an ideal opportunity to make the case for security within the business.
Carl Wearn, head of e-crime at Mimecast, said CISOs should also use the more widespread awareness around the end of Windows 7 support as an opportunity to push for basic cyber security hygiene – a cornerstone of any business security posture.
“As Windows 7 remains in use across many organisations at present, people should be aware of the increased vulnerability that this OS will now experience as it is no longer supported,” said Wearn.
“Ensuring good cyber hygiene and the use of fallback facilities, as well as ensuring the updating of a good antivirus solution, becomes even more critical to an organisation if it continues to use an unsupported OS.
“Making sure users are aware of the increased vulnerability of their system and the steps they can take to help ensure its security, including the use of strong passwords, will likely go a long way towards maintaining the security of any network yet to be updated with a newer OS. In any case, this advice should always be followed even on newer, supported systems.”
Wearn also said that with more organisations going all-in on the cloud, legacy support issues of this nature are likely to become a thing of the past in the medium term – although CISOs must still be awake to myriad security issues inherent in the cloud.
Ken Galvin, senior product manager at Quest Kace, said that the best, indeed the only, option left was to upgrade. However, he said, if organisations cannot do so for some reason, and have made arrangements to pay for the extended support package through to 2023, it will be critical for CISOs to have the resources to ensure their patch management can apply updates.
This, he said, was an ideal opportunity to turn the business on to the idea of automation in cyber security.
“IT teams can and should be taking advantage of automation tools to assist with the migration, and invest in ongoing endpoint management to make sure these systems are continually up to date without the team needing to break their backs,” said Galvin. “Businesses should prioritise gaining visibility over all their systems, so they can be 100% sure that each one is secure.”
Tim Brown, vice-president of security at SolarWinds, said there was no excuse for not migrating from Windows 7 to Windows 10, and that Microsoft had been more than generous in the amount of time it has continued to offer Windows 7 support – it is now five years since mainstream support ended.
But there were upsides, said Brown. “It’s important not to see Windows 7 coming to the end of its life as a negative event,” he said. “It’s an opportunity for businesses to transition to a more secure and superior OS.
“While many will be panicked into upgrading because they fear a security incident, it is important to recognise the benefits – better efficiency, increased user-friendliness, and faster apps. Avoid thinking that ‘if it ain’t broke, don’t fix it’ – an attitude to software that simply doesn’t work in the long term.”