While Microsoft began alerting users of the deadline last April, it is highly likely that many organizations have yet to upgrade their devices, leaving their businesses vulnerable to security risks. Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009.
Kerry McClendon, senior director of IT, BackblazeOpens a new window :
“The farther past end-of-life-ing a computer goes on Windows 7, the longer it’s been since a security patch, and the more vulnerable those computers are to both old and new threats. Any company running Windows 7 will be out of compliance and likely facing failed audits or potential revenue loss tied to compliance issues. Additionally, there is a real threat of ransomware, which should be a critical focus of any organization, no matter what system they’re running–whether you’re on Windows 10 or 7, if you open a Phishing email, you have a problem.
Many businesses may not have upgraded yet, because in some cases, it takes a significant effort and dollars to upgrade; depending on the type of business it may require a shift of resources focusing on rewriting code, upgrading hardware, and/or delaying the release of new products. Decision makers who aren’t fully weighing the cost of potential security or functionality issues might decide it’s worth the risk. All we can say if you’re considering that path: Make sure you have good data backups, you’re going to need them.â€
Chris Tillet, senior security engineer, ExabeamOpens a new window :
“Operationally, it’s probably a nothing burger. Windows 7 will still be able to log into the network, print and access files, and do everything that it has been doing. Security-wise, vulnerability teams need to be on their toes to watch for exploits. No doubt there will be a ransomware variant raring to go. So security controls around Windows 7 will need to be tight. In some cases, that may be adding in additional behavioral analytics tools and network monitoring tools to protect the business from the increased risk.
Imagine a company like Honeywell (not that they still use Windows 7, but as an example). Their rollout of Windows 7 to new users likely took YEARS. We are talking over 200,000 employees. You don’t just tell a desktop support person to download an ISO and spin it up and go upgrade 200,000 machines….at least if you want to keep your job. Careful planning and testing had to happen to make sure that all of the business applications could run on Windows 7. That could take months. Then a test rollout. Take lessons learned, and adjust. Test again. Now one year has passed. Now we need new hardware refreshes in aerospace so let’s do them first…and on and on. Budget restraints, upgrade cycles, and business disruption dictate many of these projects and rollout timelines.
Marc Capellupo, senior security engineer, ExabeamOpens a new window :
“The one universal truth in IT is that upgrades are painful. Regardless of how much preparation you do, something will always go wrong, break, or not work after the upgrade. And so because of that, it takes time, and it takes money, resources, and planning. Worse, there is arguably nothing more disruptive to a business than a workstation upgrade, because that touches EVERYBODY in the company. So there has to be an incredibly convincing reason to go down that route. Windows 10 hasn’t become that reason yet. The average PC user and even enterprise IT admins, would be hard pressed to find a feature parity between Windows 7 and Windows 10. It’s also not the security team arguing for the upgrade at the next executive meeting.
From a security perspective, Microsoft has put a lot of great work into the security aspects of Windows10, containerization, virtualization, i.e. Credential Guard, Application Guard, Hyper V, etc. The unfortunate truth is we haven’t felt the pain of NOT having those security updates yet. The major, news-worthy vulnerabilities and exploits of the past several years (EternalBlue, BlueKeep..) have either affected Windows 10 or been quickly ported over.
Pain is the biggest driver in phasing out old tech. Developers unanimously hated programming for IE 6, forcing users to upgrade to a modern browser when half of the websites they visited didn’t work anymore. The predictable cost of ongoing maintenance will give companies a longer runway to roll out the upgrades until it is either too expensive to maintain or the potential risk for an unpatched vulnerability forces them to. You would be surprised just how many companies Chris and I walk into that still haven’t finished their Windows XP upgrades.â€
Anthony Bettini, CTO, WhiteHat Security:Opens a new window
“Whenever widely deployed operating systems (OS), software, applications, or devices are transitioned to end of life (EOL) or end of support (EOS), we see these targeted by attackers more frequently. EOL software is often an easy target because as vulnerabilities get disclosed in newer versions, which do receive patches or updates, these old versions go unprotected.
Often we see businesses still running Windows 7 or other old software or applications due to the software’s use on embedded devices or systems that aren’t interacted with regularly. Unfortunately, if organizations don’t have a strong Vulnerability Management Program in place, which includes asset detection and constantly attempts to drive down the mean-time-to-remediation (MTTR), then often we see organizations not prioritizing EOL software maintenance until after a successful attack.
Updating software sometimes is as easy as applying a patch. However, if there is a critical application on the server, coordinating downtime and possibly modifying the application to be compatible with the new component may need to be scheduled and often far out. EOL software presents an additional challenge in that it inherently can’t be updated – it needs to be replaced by a newer version (if one even exists).â€
Bob Davis, CMO, Plutora:Opens a new window
“This is a compelling event for businesses who have important/critical applications running on Windows 7. I expect businesses will invest in a migration strategy. I don’t, however, expect end users to move the same way, nor for businesses that have non-critical apps. They’ll make a ‘to-do item’ to migrate, but it won’t be a priority.
It’s the old axiom, If it ain’t broke, why fix it? Migrating OS instances can be a very expensive endeavor for an organization with a large population. If organizations are comfortable with the capabilities of the OS for their users, what is the motivation to change?
From a business perspective, compatibility with applications and hardware, feature availability or lack thereof, and vulnerabilities associated with an OS that is out of support are the biggest issues. Once the vulnerability point number is crossed, businesses should be migrating quickly. But until then, why? End users will focus far less on vulnerability, perhaps to their peril. But nonetheless, if features and compatibility are ok, why upgrade.
I really think it’s a simple matter of people being comfortable with the status quo, as long as it works. Why change? Again, if it ain’t broke, why fix it?â€