The end of support for Windows 7 is sure to give hackers a royal opportunity to hunt for unpatched and insecure devices. Are you and your clients prepared?
REDMOND, Wash. — Installing security contractors know all too well of the looming 3G sunset. But have you been paying attention to that other sunset with the potential to be majorly disruptive?
On Jan. 14, 2020, Microsoft is retiring free support for Windows 7, Windows Server 2008 R2 and Small Business Server (SBS) 2011. This means that security patches and updates will no longer be automatically implemented, leaving Windows 7 workstations and these servers vulnerable to cyberattacks, malware and other threats.
This includes all versions of these operating systems for businesses and consumers except for federally certified voting systems that run Windows 7. The danger to organizations is larger than the risks associated with end of support for just one server or system, Greg Turner, senior director of Global Technical Services for Honeywell Buildings Solutions, tells SSI.
Potential vulnerabilities are best illustrated by the number of patches currently rolled out monthly to these three systems: Microsoft pushes out fixes for roughly 70 threats each month. “That’s 70 new risks to core operating environments to which organizations could find themselves vulnerable, if unprepared. That’s a relatively large risk to take,” Turner says.
Paid Extended Service
Microsoft is offering a pair of choices for Windows 7 users to continue receiving security updates beyond Jan. 14, 2020. Both options are for business customers, not consumers.
The company will sell paid Windows 7 Extended Security Updates (ESUs) on a per-device basis: $25 per device for Windows 7 Enterprise and $50 per device for Windows 7 Professional for the first year of support. Then it's $100 in the second year and $200 in the third year. The ESUs will provide Windows 7 security updates through January 2023.
These ESUs will be available to any Windows 7 Professional and Windows 7 Enterprise users with volume-licensing agreements, and those with Windows Software Assurance and/or Windows 10 Enterprise or Education subscriptions will get a discount. Microsoft made an exception for Windows 7 users with an active Windows 10 subscription; they will receive one year of ESUs for free.
If paying for support is not a palatable option, then businesses need to be moving to Windows 10 as soon as possible, Turner says.
“Organizations should move their applications onto environments that are supported and will continue to be supported by Microsoft in the future — such as Windows Server 2016 or 2019,” he advises. “The goal is to move all platforms forward, so that organizations are able to continue operating safely and securely.”
Microsoft first began notifying users of the impending support sunset about four years ago. However, millions of Windows 7 PCs have yet to be updated. Data from NetMarketShare shows that approximately 27% of all PCs around the world are still running Windows 7, which was first introduced in 2009.
Beware the ‘Weakest Link’
The cautionary note here is that installing security contractors, like all businesses, need to be wary of interfacing with customers who are using outdated — and therefore vulnerable — PCs. Consider, for example, a visit to a customer site to program a camera, a card reader or other devices, which could potentially expose both customers and the organization to risks.
“The idea of a ‘weakest link’ applies more than ever in the realm of IT security — and that can take the form of compromised USB drives, connected devices or old firmware,” Turner says. “Each of these can be used to introduce a virus to the installer or vice versa. Without updated, secure systems in place this also puts the contractor’s other customers at potential risk of infection.”
Ultimately, Microsoft would like to see customers move beyond a migration to Windows 10. On its support pages, the company is steering users to the Microsoft 365 bundle, which includes Windows 10, Office 365 and EMS. A key attraction of the offering is its productivity apps with intelligent Cloud services.
Organizations will have to weigh the benefits of a Cloud-hosted solution — including newfound business efficiencies and improved network security — against cost and ROI. The imminent demise of Windows 7 could provide the impetus to make the investment.
“Since customers must migrate to secure their operations and assets, there’s an opportunity to move increasingly toward virtualized and Cloud-hosted systems — especially for those who don’t require on-premise servers,” Turner explains. “Things like back-ups and security then become the responsibility of the hosting provider, allowing businesses to focus attention elsewhere.”