January 14th 2020 marked the scheduled End of Life for Microsoft’s Windows 7 operating system, which means the technology company will no longer provide security updates and patches to its widely used software.
There is an option to sign up to Microsoft’s paid Extended Security Updates (ESU) programme, which supplies security-only fixes per device to Windows 7 Professional and Enterprise editions, but this is sold in annual instalments at a rising price and lasts for at most three years, ending in January 2023.
Councils that still use Windows 7 could therefore now be at greater risk of being targeted by cybercriminals. Computers that are running unsupported or unpatched software such as Windows 7 are much more vulnerable to viruses, malware and cyber-attacks, which is why cyber security experts have advised Windows 7 users to upgrade their operating system at the earliest possible opportunity.
An estimated 200 million computers are still thought to be running Windows 7, which is now more than a decade old and increasingly exposed to current attack techniques. On 14 January 2020 the US National Security Agency also disclosed a serious certificate-validation flaw it had found in Windows (CVE-2020-0601, in the Windows CryptoAPI); that particular flaw affected Windows 10 and Windows Server 2016/2019 rather than Windows 7, but it was fixed in the same round of updates, and that round was the last to include fixes for Windows 7 outside the ESU programme. Any security issue found in Windows 7 from now on will not be addressed by Microsoft’s regular updates.
Windows 7 EOL presents huge opportunity for cybercriminals
The decision by Microsoft to effectively cut Windows 7 loose and provide no further updates presents cybercriminals around the world with a significant opportunity. Any flaw discovered in the software from now on will remain unpatched on non-ESU machines indefinitely, and attackers can use such flaws to gain access to your network and steal data.
Hackers are always on the look-out for so-called ‘zero-day’ vulnerabilities, flaws for which no fix yet exists because the vendor does not know about them, but they just as readily exploit vulnerabilities that are already known and already patched. This is because software is not always kept up to date, and cybercriminals aim to move quickly, exploiting a known flaw in the window between the fix being published and organisations actually applying it. On an unsupported operating system that window never closes.
For example, the ‘WannaCry’ ransomware attack in May 2017 exploited a known vulnerability in Windows file sharing (SMBv1) despite Microsoft having released a fix for the issue, security bulletin MS17-010, two months before the attack. Hundreds of thousands of computers around the world were left unpatched and effectively wide open to attack.
Computers running Windows 7 without ESU are now in the same position permanently: the next flaw of that kind will have no fix for them at all. According to Gartner, unpatched systems remain one of the top causes of cyber-security breaches, with an estimated 99% of the vulnerabilities exploited being flaws that had been publicly known for at least a year at the time of the attack.
Indeed, some of the largest data breaches in recent years have been linked to unpatched vulnerabilities. For example, the huge breach of Equifax in 2017 was due to an out-of-date Apache Struts component on a public web application, for which a fix had been available for two months, and the ransomware attack on Travelex on New Year’s Eve 2019 was reportedly the result of a known, patched vulnerability in Pulse Secure VPN software that had not been updated.
What can councils do to avoid being targeted by cybercriminals?
If any computers used by your council are running Windows 7 then action needs to be taken to protect your network from cybercrime. Even if you are using up-to-date software you still need to be vigilant when it comes to cyber security. Fixing known vulnerabilities promptly gives the greatest protection against attack, but given the sheer volume of software updates and the potential for patches to disrupt functionality, doing so is not a straightforward process.
Cyber security experts recommend that your organisation:
- Adopts a patching strategy that prioritises software updates
- Aligns the need for updates with the organisation’s biggest risks
- Prioritises critical updates as soon as they are identified
- Has a workable plan for other actionable flaws and vulnerabilities
- Runs up-to-date and fully supported software whenever possible
There are many legitimate reasons why some devices in use in your council may have to keep running old or unpatched software such as Windows 7, for example a line-of-business application or a piece of equipment that only works on that version. In such cases it is important to take appropriate steps to maintain cyber security: first, know exactly which machines are affected, then isolate unsupported systems from the rest of the network (for example on a separate network segment with only the traffic they genuinely need allowed through, and with remote file sharing and remote desktop blocked from the wider network) so that a compromise of one of them cannot spread into an extensive security breach.
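The first step above, finding out which domain-joined computers still report a Windows 7 operating system so they can be upgraded, enrolled in ESU or isolated, can be done from any administrator workstation with the Active Directory PowerShell module. The script below is an added example, not part of the original article or any Microsoft tool; the report path and the 90-day “stale” threshold are assumptions, and it needs an account that can read computer objects in the domain.

```powershell
# Added example (not from the original article): inventory domain-joined
# computers whose AD object reports Windows 7, and classify them as active,
# stale or disabled so the live ones can be upgraded, put on ESU or isolated.
# Requires the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

$reportPath = "C:\Reports\windows7-hosts.csv"   # assumed output location
$staleAfter = (Get-Date).AddDays(-90)           # assumed threshold for "probably retired"

# The OperatingSystem attribute is written by the machine itself when it joins
# or updates its account. Windows Server 2008 R2 reached end of life on the
# same day; add "Windows Server 2008 R2*" to the filter if you need it too.
$win7 = Get-ADComputer -Filter { OperatingSystem -like "Windows 7*" } `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, IPv4Address, Enabled

$rows = foreach ($c in $win7) {
    # A disabled account or one that has not authenticated in 90 days is
    # probably a machine that no longer exists; an active one is the real
    # exposure and needs a decision (upgrade, ESU, or isolation).
    if (-not $c.Enabled) {
        $status = "Disabled"
    } elseif (-not $c.LastLogonDate -or $c.LastLogonDate -lt $staleAfter) {
        $status = "Stale"
    } else {
        $status = "Active"
    }

    [pscustomobject]@{
        Name      = $c.Name
        OS        = $c.OperatingSystem
        Version   = $c.OperatingSystemVersion   # Windows 7 SP1 reports 6.1 (7601)
        IPv4      = $c.IPv4Address
        LastLogon = $c.LastLogonDate
        Status    = $status
    }
}

# Write the full list for the asset register and print a summary by status.
$rows | Sort-Object Status, Name | Export-Csv -Path $reportPath -NoTypeInformation
$rows | Group-Object Status | ForEach-Object { "{0}: {1}" -f $_.Name, $_.Count }
```

The “Active” rows are the ones to act on: each should either be scheduled for upgrade, confirmed as enrolled in ESU, or moved onto an isolated segment with inbound SMB and RDP from the rest of the network blocked. Machines not joined to the domain will not appear here and need to be found by other means, such as the council’s asset register or a network scan.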
A robust patching strategy is not only good cyber hygiene, it is also basic risk management. When an organisation such as a council takes out a cyber insurance policy, the patching strategy will be a key factor in the premium price. Current policyholders should also review their policies as some insurers apply exclusions for any losses arising from outdated and/or unsupported systems.
As well as cyber insurance companies, regulators are also paying close attention to the cyber security and patching strategy of organisations, with severe consequences in terms of regulatory fines, reputational damage and business interruption. Equifax, for example, agreed a settlement of up to $700m with US regulators over its 2017 data breach, while the US hotel group Marriott is facing a proposed £99m fine in the UK from the Information Commissioner’s Office for a data breach under the EU’s GDPR (General Data Protection Regulation).
The recent withdrawal of support for Windows 7 means weaker cyber security for the councils and other organisations running the software. Although many will look to upgrade their systems to a newer operating system, those continuing to use unsupported and unpatched software without appropriate controls in place are exposed to an unnecessary risk which could prove costly in the long run.
For more information about cyber insurance and how BHIB Councils Insurance can help, get in touch with our team today or request a quote.