Microsoft Windows 7 and Windows Server 2008 operating systems reached their end-of-life (EOL) date on January 14, 2020. This means that Microsoft will no longer provide patches to secure, update, fix or improve these systems, and, as a result, users who decide not to upgrade or change systems could be exposed to dangerous cyber vulnerabilities.
Windows 7 has long been one of the most popular Microsoft operating systems. Even today, almost 11 years after it was first launched, millions of PCs are still running Windows 7 despite Microsoft spending years of effort trying to get users to upgrade to Windows 10 free of charge. Estimates from Netmarketshare in December 2019 indicate that approximately 26.6% of all users operating Windows OS are using Windows 7, giving the recent EOL event a cyber risk profile that may be unprecedented in the history of software.
Eddie Chang, VP of cyber risk management at Travelers, commented: “Now that they’ve reached EOL, these systems are gradually going to become more and more exposed to cyberattacks. Next month, when Microsoft releases patches for its operating systems, it will not include patches for Windows 7. That means, as each month goes on, there will be more and more vulnerabilities that criminals and attackers will be able to learn about and will try to exploit on Windows 7 systems.”
Cyber criminals are savvy. As Microsoft continues to release patches for its newer operating systems, such as Windows 10, attackers can analyse those patches, work out which vulnerabilities they fix, and then check whether the same flaws exist in the millions of Windows 7 systems still in operation. Essentially, every time a new patch is released, Windows 7 users gain more exposure.
In this context, Chang says companies need a complete understanding of where Windows 7 systems exist in their environment. Once that is clear, they need a plan to modernize those systems and/or protect them from potential vulnerabilities.
“One risk we sometimes see is when businesses outsource their IT to a third-party service provider, and then that IT provider falls behind on patching,” Chang told Insurance Business. “In that case, the business may not even be aware that their computers are going out of date because it’s something that they’ve delegated to another company and they just haven’t been paying close enough attention to it. If a company is using an outsourced IT provider, it would be a good idea to periodically check and see if their computers are up to date and being patched as fast as they want them to be.”
Most well-run businesses pay attention to their patching, but some have legitimate reasons for not upgrading to newer operating systems, and they knowingly accept the added risk in doing so.
Chang explained: “This is something we see very often with manufacturers and companies that are using medical devices and other internet of things connected devices. In those cases, it’s going to be important for a company that can’t move off Windows 7 to really take a close look at how they can protect those older systems using other controls, which we call compensating controls.”
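One way to carry out the inventory and patch check Chang recommends, as an added example that is not from the article or from Travelers: a PowerShell script that lists domain-joined hosts still on Windows 7 or Windows Server 2008 (NT 6.0 and 6.1) and asks each one for its most recent hotfix install date. It assumes the ActiveDirectory RSAT module is installed and that WinRM access to the hosts is available; the output file name is a placeholder.

```powershell
# Added example (not from the article): find domain computers still running
# Windows 7 / Server 2008 and report when each last installed a hotfix.
Import-Module ActiveDirectory

$eol = Get-Date '2020-01-14'   # end-of-life date quoted in the article

# AD stores OperatingSystemVersion as e.g. "6.1 (7601)":
#   6.0 = Windows Server 2008, 6.1 = Windows 7 / Server 2008 R2.
# Windows 8.x (6.2/6.3) and Windows 10 (10.0) are deliberately excluded.
$legacy = Get-ADComputer -Filter { Enabled -eq $true } `
            -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
          Where-Object { $_.OperatingSystemVersion -match '^6\.[01]\b' }

$report = foreach ($c in $legacy) {
    $lastPatch = $null
    try {
        # Ask the host itself for its newest hotfix (requires WinRM on the target).
        $lastPatch = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-HotFix | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1 -ExpandProperty InstalledOn
        }
    } catch { }   # unreachable hosts stay in the report with no patch date

    [pscustomobject]@{
        Host               = $c.DNSHostName
        OS                 = $c.OperatingSystem
        Version            = $c.OperatingSystemVersion
        LastLogon          = $c.LastLogonDate
        LastPatch          = $lastPatch
        DaysSinceLastPatch = if ($lastPatch) { [int]((Get-Date) - $lastPatch).TotalDays } else { $null }
        Status             = if ($null -eq $lastPatch) { 'unreachable: verify manually' }
                             elseif ($lastPatch -lt $eol) { 'no updates since EOL' }
                             else { 'updated after EOL: confirm the update source' }
    }
}

# Recently active hosts first: these are the ones most worth modernizing or isolating.
$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\legacy-windows-inventory.csv   # placeholder path
```

Hosts that are not domain-joined (common for the medical and IoT devices Chang mentions) will not appear in Active Directory and need a separate network or asset-management inventory.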