Research published July 23 reveals that while the majority of organizations are happy to talk the Windows security talk, a third are suffering from a Windows 10 upgrade lethargy that risks putting their data security on the line.
Windows 7 Service Pack 1 is due to reach its “end of extended support” stage on January 14, 2020. This means that free security support will cease entirely for home users, while businesses will have to pay a fee that will double year on year.
The “Windows 10 2020: Beyond the migration” report from 1E reveals that 82% of organizations agree security is a motivating factor in making a move from Windows 7 to Windows 10. However, 32% of device endpoints have yet to be upgraded to Windows 10 and 56% of those asked readily admitted this slow migration isn’t good enough.
The financial services, the public sector, construction and property, media, leisure and entertainment industries have managed a 66% Windows 10 migration rate while retail, distribution and transport are just behind on 65%.
Windows 7 legacy devices blamed for this lethargic approach
One complaint, regularly aired in mitigation of not moving to Windows 10, is that there are legacy applications or hardware that dictate that Windows 7 remains where it is. Sumir Karayi, CEO at 1E, isn’t convinced by this argument. “If you have very specific applications that will not run on Windows 7, and there aren’t that many,” Karayi says, “you can still run them on virtual instances of Windows 7.”
Karayi is not convinced that paying Microsoft for extended support is the answer either, as he says that “the challenge is that exception handling, especially for older stuff, gets more and more expensive as time goes by.” His advice is, and he says always will be, that you should do “everything in your power to stay current going forward.”
How to mitigate the security risk of sticking with Windows 7
Maor Hizkiev, CTO at BitDam, warns that by not migrating from legacy Windows 7 products, organizations are playing a dangerous game. “If an attack reaches an endpoint, the likelihood of the adversary being able to exploit it is significantly higher when compared to a machine that is updated and fully patched,” Hizkiev says.
This is for the simple reason that the majority of successful attacks exploit old vulnerabilities that have been discovered but remain effective, according to Hizkiev. The claim is backed up by a recently published report, “Still Vulnerable After All These Years,” in which BitDam reveals that the majority of attacks seen in 2018 exploited vulnerabilities that were discovered in years gone by, many dating back to 2012.
Even the U.S. Department of Homeland Security has recently warned of a critical security problem that Windows 7 users are facing.
Boris Cipot, a senior security engineer at Synopsys, agrees that keeping unsupported software or operating systems in your network is always a high risk. “But it may also be a risk that many companies accept and decide to move forward with for a variety of operational reasons,” he says. “If a company does decide to move forward with these accepted risks, they should also handle those systems as high-risk environments.”
That means allowing only the bare minimum of necessary communication with the rest of the network. “They also need to be monitored at all times,” Cipot concludes, “as you’re essentially maintaining a security hole that will require special attention.”
Not everyone I spoke to is a fan of Windows 10, it has to be said. “There’s very little value in upgrading to Windows 10, but a steep learning curve for both users and administrators,” says Igor Baikalov, chief scientist at Securonix, who continues, “Microsoft’s extortion strategy of ending support for one of the few stable and reliable Windows versions might have to be addressed at the highest levels to avoid a tremendous waste of time and money for the upgrade.”
The market speaks
Undoubtedly, Windows operating system market share statistics would seem to suggest a lot of people share that “little value in upgrading to Windows 10” view.
While Windows 10 had a 58.21% market share for June 2019, Windows 7 wasn’t that far behind with 31.96%. Windows 8 (1.74%) and Windows XP (1.71%) are now such a small part of the market that they aren’t in the fight at all.
With Microsoft's nudges by way of upgrade pop-ups, and as we get ever closer to the end-of-support deadline, Windows 7's market share is expected to start falling quite rapidly.
“If there is a business demand to retain Windows 7, it’s critical for the security posture of your organization to acquire the Microsoft extended support while you devise your strategy for migrating to Windows 10,” Tarik Saleh, senior security engineer and malware researcher at DomainTools, says, concluding that “this will give your organization some breathing room until 2023 by lowering the risk of exploitation and compromise.”