Microsoft will end support for the Windows 7 operating system on Jan. 14, 2020. This may seem like only a minor inconvenience to some. After all, Windows 7 will continue to run on Jan. 14 as it did on Jan. 13. So why is it so important to upgrade to Windows 10?
The answer: cybercrime.
End of support means that Windows 7 no longer will receive the OS patches or security updates that keep your IT systems safe. Whether it’s your personal home computer or the central conduit for your e-commerce business, using an unpatched out-of-date system is equivalent to leaving the door wide open for anyone to enter. If you wouldn’t do it at home, don’t do it to your computer either.
What Makes Loss of Support Dangerous?
When an OS is no longer regularly patched with new security updates, that leaves any bugs or zero-day vulnerabilities found after the end of support date vulnerable to cybercriminals. Just because they’re older doesn’t mean cybercriminals will stop searching for vulnerabilities in these systems.
In fact, older systems are more likely to suffer from cyberthreats because these vulnerabilities are spread on the Dark Web for others to find. Only a fully patched and up-to-date OS can combat known, fixable vulnerabilities in your system.
Cybercriminals are always searching for ways to enter your systems. The number of phishing attacks, malware and zero-day attacks increases each year.
Cyberattacks against small and medium size businesses rose from 61 percent of survey respondents to 67 percent between 2017 and 2018, according to the 2018 State of Cybersecurity in Small and Medium Size Businesses report from the Ponemon Institute.
Malware and zero-day threats, which unpatched computers are most vulnerable to, rose from 16 percent to 24 percent.
The cost from damage and theft of data averaged US$1.43 million for single businesses that experienced attacks in 2018. That figure doesn’t even include the average $1.56 million in downtime while fixing the problem. Can your business afford to ignore upgrades?
What Threats Are Out There?
The most visible threat to an unpatched OS is ransomware planted on your computer or network in an effort to extort money for returning your data. If you’re an etailer or other electronic business, losing your customer list, vendor information, and invaluable store data could leave you out of business for days, weeks or permanently.
Paying the ransom doesn’t ensure all the data will return or that you can return to normal operations in time to mitigate the costs. If you don’t have recent, secure backups that didn’t get compromised, your recovery options are severely limited.
While ransomware is a clear and present danger to any e-commerce business, it’s not the only one etailers should be concerned about. If a cybercriminal gets into your computer through an unpatched vulnerability, you could unwittingly be handing over all your credentials or customer data for use or sale on the black market.
Keyloggers can record usernames and passwords to bank accounts or other sensitive information. After acquiring the credentials to your website, a cybercriminal could record your customers’ credentials or load malware onto the computers of anyone who visits your site. The last thing you want is for people to think your store isn’t safe to visit or purchase from.
There also may be a legal matter to consider. Government regulations — such as HIPAA and state privacy laws — require certain basic security safeguards for customer data. Failure to have a regularly patched OS may violate those requirements and leave you liable if your customer data is breached. Many cyber insurance policies won’t pay out if basic safeguards aren’t met.
Not upgrading to Windows 10 leaves you and your business vulnerable, and history shows that an exploit could cost you more than you can afford.
It’s Happened Before, It Will Happen Again
It’s hard to sift through the constant barrage of reports about major new cyberattacks to determine the cause of any one attack. All too often it is human error, rather than software or hardware problems, that opens the door to cybercriminals.
Even though human fallibility is a constant concern, an up-to-date OS and other security measures, such as email and Web filtering, and comprehensive employee training, can help defend against attackers easily exploiting a known vulnerability.
Unfortunately, too many businesses and organizations don’t prioritize the expense of remaining current with IT security issues until it’s too late.
City of Atlanta
Georgia has had its share of cyber problems, but last year’s SamSam malware attack on the city of Atlanta was the most impactful. It crippled the city’s IT infrastructure.
However, rather than pay the ransom, the city invested more than $2.6 million in emergency and recovery services to update its outdated cybersecurity.
An analysis of the attack showed that critical security patches that might have prevented access to the city’s systems had not been applied more than a month after their release.
Lake City, Florida
Florida’s Lake City municipality suffered a large scale ransomware attack in June.
Due to a combination of human error, an insecure and outdated IT infrastructure, and failure to isolate backups from the network, the town was forced to pay $460,000 in ransom for the encryption key to its data.
Unfortunately, paying the ransom didn’t solve its problems. More than a month after obtaining the encryption key, the majority of its data was still locked up. With each file taking up to 12 hours to decrypt, it will be a long time before all files are restored, if all of them can be.
WannaCry Ransomware
Can anyone ever forget WannaCry? It is the quintessential example of why everyone should upgrade to a fully supported OS software — and keep it updated!
In 2017, the self-replicating malware WannaCry spread across the globe, exploiting a known vulnerability called “EternalBlue” to compromise computers running long-unsupported Windows XP and unpatched Windows 7 OSes.
Individuals, businesses, and all manner of organizations made up the more than 200,000 victims in 150 countries.
Most notably, 48 different hospitals and health offices across England, many running unsupported Windows XP machines, were affected in the WannaCry attack, causing mass confusion and forcing medical staff to reroute or reschedule medical procedures during the three-day downtime.
Many Windows XP computers didn’t get exploited by WannaCry, but only because the systems was so old that the malware crashed the OS, leaving the victims not much better off.
The WannaCry attack was so severe and so easily replicated that Microsoft took the unprecedented step of issuing a security patch for Windows XP, despite not having supported the OS for years.
The BlueKeep Vulnerability
Two years after WannaCry, a new vulnerability known as “BlueKeep” is threatening to repeat history. Like the EternalBlue exploit, BlueKeep can allow remote execution without user interaction, meaning a self-replicating malware similar to WannaCry could spread quickly.
As of now, the vulnerability is found only in Windows 7 and older OSes. To keep BlueKeep from reaching WannaCry levels of damage, Microsoft has issued patches for all affected systems, including Windows XP.
You may be tempted to conclude that if Microsoft is willing to continue to patch these major issues in Windows XP, even into 2019, they’ll probably do the same for Windows 7 in years to come — but don’t count on it. These patches have arrived only to counter the most dire and widespread threats.
For all the attention WannaCry and BlueKeep receive, there are countless other bugs and vulnerabilities left untreated on untold thousands of out-of-date computers, and they’re just as dangerous when they affect your business.
What Are Your Options?
If you’re running Windows 7 (or Windows XP!) there are a few different options available to you.
1. Buy new hardware.
This is the simplest option, though not the cheapest. New computers automatically will come with Windows 10, which solves the problem altogether.
As a bonus you’ll have faster, more efficient, and more secure hardware in addition to ongoing Windows 10 support. With Black Friday coming up, it may be the perfect time to go shopping.
2. Upgrade your OS to Windows 10.
If you can’t afford all new computers across your business, you can purchase a Windows 10 software license and upgrade your existing computers’ operating systems.
If you are a larger company purchasing Windows 10 licenses in bulk, Microsoft will help you upgrade your equipment with its FastTrack program.
If you’re looking to upgrade just a couple of computers, Microsoft offers a guide to help users through the upgrade process.
Businesses using Windows 7, 8 or 8.1 Pro can get a free Windows 10 upgrade for all their machines if they move to Microsoft 365 Business subscription.
3. Purchase Microsoft’s Extended Support.
This option is available only to users running Windows 7 Professional or Enterprise through volume licensing. A single-person e-business won’t be able to take advantage of this offer.
If you fall into this category, though, you can contact Microsoft to purchase up to three years of extended support for $50 to $100 per device the first year, with the price doubling each subsequent year.
4. Move to Windows Virtual Desktop.
Microsoft offers free Windows 7 support for Windows Virtual Desktop, which runs through Azure cloud. This option reduces hardware costs and gives you more time to switch to Windows 10.
5. Mitigate the Risk.
The fact is some people may not have the means to do any of the above options. If that’s the case for you, do everything you can to mitigate the risks. Isolate the outdated computers in question from the rest of your systems and keep them offline if possible.
Create reliable backups daily and isolate them from the rest of your IT systems. Practice good cybersecurity behaviors and upgrade to Windows 10 as soon as possible.
Ultimately, only upgrading to Windows 10 and installing security patches immediately will give you the most reliable protection against cyberthreats. Don’t become a victim. Close the door on cybercriminals and keep your business safe.