Windows end of life approaches today. Cybersecurity experts are hoping you’re paying attention to this as January 14, 2020 marks the final day for Windows 7 support.
From a security perspective—as you might appreciate—monthly security patches as well as hot fixes for pending cyberattacks (think the latest risks from the state of Iran) will no longer be available to any machines running Windows 7. Microsoft will no longer be detecting threats and risks associated with the platform, so in the event a hacker discovers a new vulnerability, you won’t even know before it’s too late!
Digging in a bit deeper…
The reality is that all software contains bugs. You see, Windows—just like any program—is designed with the best intentions to meet users’ needs. Sometimes in creating a feature that someone really finds helpful for their productivity, a software developer overlooks security implications.
In practice, many security bugs surface only following an imminent threat or detected vulnerability from the cybersecurity community.
Microsoft does conduct rigorous research to discover and fix vulnerabilities. It actively employs teams of security experts to poke holes and patch findings from their discoveries. They have an ear to the hacking community for chatter of vulnerabilities found in their software.
What their business model does not afford them is continued support on older operating systems that are no longer being sold off the shelf. As of January 14, Microsoft decided to deprecate its Windows 7 product. Whether it is needed because other software is still dependent on the Windows 7 platform or an upgrade is not in the budget, as you move past January 14, 2020 you assume the total risk and liability of having a buggy operating system vulnerable to newly discovered vulnerabilities.
On top of that, many cyber insurance policies will NOT cover you if you end up with a cyberattack or data breach as a result of outdated software (it’s simply too high risk for them).
Microsoft traditionally releases patch fixes, including critical security vulnerability fixes every second and fourth Tuesday of the month. It also has started releasing emergency patches as needed (in response to upticks in ransomware viruses exploiting newly found bugs in their software). But as of January 14, 2020, if you continue to use Windows 7, you will no longer have this security blanket (there are a few exceptions for enterprise accounts, but unless you already qualify for enterprise licensing, you will not be receiving any additional fixes).
Are there any things you can do while waiting for new computers to come in or for your budget to afford newer Windows 10 machines?
So, does Windows 7 end of life need to trigger reason for concern? Probably yes.
Can your organization maintain the level of security you had before end of life was initiated? Probably yes as well.
What cybersecurity experts advise if you still are dependent on any Windows 7 machines is the following:
Eliminate Windows 7 machines that you do not need — unless you are running software that critically depends on specifically Windows 7 to run (i.e., there are no newer versions of the platform), opt to upgrade your machine or replace it. Upgrading is a cheaper option and may suit your organization to extend the life of your computers. This option entirely depends on the quality of machine and when you purchased it.
Consider the ‘bubble boy’ option — another option that we frequently use is a quarantined computer approach. What I mean here is your Windows 7 computers should be gapped from the internet and protected from accessibility to the outside world as much as possible. Encapsulate those machines running dated operating systems—either by disconnecting them from the rest of your network or segment that device off network to eliminate the risk that one computer could ever be the cause of a major ransomware attack on your entire network.
Dealing with Windows upgrades does take planning. If your organization hasn’t planned for the next upgrade, you might want to consider first getting all the facts straight. Most security experts recommend a ransomware vulnerability assessment to identify and prioritize the risks you’re confronting.