Kaspersky on April 26 released survey results revealing that almost one quarter (22 percent) of PCs still run the end-of-life OS Microsoft Windows 7, which stopped receiving mainstream support in January 2020.
When operating systems reach end of life, vulnerabilities will remain on the system without patch updates to resolve issues, providing cyberattackers with potential ways to gain access. Therefore, it is critical to update a system’s OS to protect networks from this avoidable issue, according to Kaspersky.
Using an end-of-life operating system that no longer receives security updates is akin to driving a car with a brake light on. The likelihood of disaster is great and yet it is difficult to convey this to users of such systems without it appearing to be a ploy to get them to spend more money, suggested Oliver Tavakoli, CTO at Vectra AI.
“This would be a good place for a government or NGOs to step in to provide incentives and programs to upgrade as it makes the entire ecosystem more secure,” he told bluehillco.
Those still using Windows 7 are consumers, small and medium-sized businesses (SMBs), and very small businesses (VSBs). The survey points out that almost a quarter of VSBs still use the outdated OS because they lack dedicated IT staff.
A temporary alternative for business users is to purchase extended paid support for Windows 7 from Microsoft. However, that means an extra expense.
Kaspersky’s findings also showed that less than one percent of people and businesses still use older operating systems, such as Windows XP and Vista. Support for those more ancient OSes ended in 2014 and 2017 respectively.
That leaves 72 percent of users running Windows 10, the latest version of Windows OS.
Updating your operating system might seem like a nuisance for many, but OS updates are not just there just to fix errors, or to enable the newest interface, according to Oleg Gorobets, senior product marketing manager at Kaspersky. Updating introduces fixes for those bugs that can open a gaping door for cybercriminals to enter.
“Even if you think you are vigilant and protected while online, updating your OS is an essential element of security that should not be overlooked, regardless of any third-party security solution’s presence,” he advised.
If the OS is obsolete, it can no longer receive these critical updates. He likened the rationale to an owner of an old and crumbling house installing a new door. It makes more sense to find a new home, sooner rather than later.
“The same attitude is needed when it comes to ensuring the security of the operating system you trust with your valuable data every day,” Gorobets added.
Mitigating Attack Vectors
Knowing the risks of continuing to use an end-of-life operating system is a good start. But acting on that knowledge is a smarter way to finish, the report notes.
Kaspersky recommends several steps to protect yourself or your business.
If upgrading to the latest OS version is not possible, organizations should consider this exposed attack vector in their threat model. Be sure to create some smart separations of vulnerable nodes from the rest of the network.
For example, an embedded systems security solution can provide support that allows you to operate an OS as old as Windows XP SP2 that runs on systems with very low specifications.
Use cloud security and endpoint security solutions with exploit prevention technologies. Also available are small office security applications which help to reduce the risk of exploitation of unpatched vulnerabilities found in obsolete operating systems such as Microsoft Windows 7 and earlier.
As an organization with no other option, make sure your devices are hardened, the firewall rules are restrictive for those, and that they are all on a separate part of your network, using VLANs or internal firewall zones.
Full Disclosure Lacking
Other sources covering the market share of each version of the Microsoft Windows desktop operating system have similar percentages for Windows 7 as the Kaspersky study, noted Dirk Schrader, global vice president for security research at New Net Technologies.
“Unfortunately, there is no mention of the base data about how many devices have been checked,” he told bluehillco.
Microsoft told OEM manufacturers of PCs and laptops to end the sale of Windows 7 as a preinstalled OS by Oct. 31, 2016, merely four and half years ago. Many companies and local or state administrations have usage policies of computer hardware in place where the expected life span of a device is longer than the time elapsed since that date, he observed.
Public procurement policies have quite often no contingencies for outdated OSes. They apply the notion “it still works,” which is dominant in discussions when decisions have to be made about where to spend money from constrained budgets.
“It will be interesting to see how this percentage is affected by the Biden administration’s initiatives over the course of the next twelve months. As digitalization efforts will require additional systems, it is quite likely that existing systems remain unchanged,” said Schrader.
In any case, those organizations still using Windows 7 are easier targets for cyberattacks due to the lack of updates (if they have not signed up for the extended paid support) and likely face some public backlash and loss of reputation in case a data breach happens, he added.
“There is also the impact such a scenario might have on the cyber risk insurance status,” Schrader observed.