Expired Microsoft operating systems pose cybersecurity threats for businesses
Microsoft Windows 7 and Windows Server 2008 have reached their end-of-life date, leaving systems more exposed than ever before.
The property & casualty insurance industry has been undergoing a technological transformation for some time now. Partnerships with startups and InsurTechs have become more mainstream, giving more traditional businesses a way to shift from legacy systems to ones that are fit for the current climate.
However, not all businesses have moved on from their legacy systems, often for valid reasons. But those in the world of property & casualty whose legacy systems run on Microsoft Windows 7 and Windows Server 2008 should know their systems are more exposed to dangerous cyber vulnerabilities than ever before.
On January 14, Microsoft Windows 7 and Windows Server 2008 operating systems reached their end-of-life (EOL) date. Technical assistance and software updates from Windows Update that help protect computers are no longer available for the two products.
Now that both products have reached their EOL, “those systems are going to have more vulnerabilities identified that are not going to get patched, making whoever continues to run those software more susceptible to just about any kind of cyberattack that could be conceived,” says Ken Morrison, cyber risk control director at Travelers.
Estimates from December 2019 indicate that 26.6% of all users operating Windows OS are using Windows 7. From a cybersecurity standpoint, the best way for businesses to protect themselves is to transition from Windows 7 and Windows Server 2008 to new software.
But Morrison says there are a number of legitimate reasons why businesses might not update their software. For example, in the manufacturing and medical fields, when computers are connected to a piece of machinery, upgrading software could mean replacing the machinery, which could cost millions of dollars, or the machinery might not be compatible with the latest software.
For businesses facing this predicament, there is an option to buy extended support, and Microsoft will send fixes and patches for the software if you pay for it. But for everyone else, it is a matter of time before they decide to move on because “the mounting risks of attacking are going to be too great to bear,” says Morrison.
Upgrade and plan
For businesses that do plan to upgrade, backups are a key part of the process. But Morrison also stresses that the upgrade should be looked at from every angle before taking any action.
He says one of the most important things a business can do is to involve all the stakeholders: not just those involved with information technology, but also the businesses that are supported by the software, as well as management.
Having a plan is also critical. Businesses need to know their environment and all the devices that will be impacted in order to execute the transition, and they need a plan in place to back out if it doesn’t work. Good cyber hygiene, in general, will remain an important component during the process.
There are a number of considerations businesses need to weigh now that Windows 7 and Windows Server 2008 have reached their EOL. Like anything related to cybersecurity and risk management, Morrison says: “You just have to do a risk assessment. You have to just know what you have, and you have to understand what the risks are and be able to articulate how you’re protecting it.”