Gartner has forecast that cybersecurity spending across Australia and New Zealand will exceed $4.5 billion in 2019. However, many organisations could be leaving the back door wide open with their continued reliance on older Microsoft Windows operating systems.
The first in a series of dominos fell on July 9 2019, with the end of extended support for Microsoft’s SQL Server 2008/2008 R2. Set to follow on January 14 2020 will be the popular Windows 7 and Microsoft Server 2008/2008 R2.
The end of the extended support period means that Microsoft will no longer provide technical support, software updates or security updates for the above operating systems.
Soon the regular monthly rollup software and security updates will no longer be available for any of these older systems. Over the past three years, the number of vulnerability fixes for Windows 7 and Microsoft Server 2008 has been at its highest in the life of the systems. Users will shortly be reliant on Microsoft to determine whether a threat is serious enough to warrant an out-of-support fix.
Most will recall the infamous WannaCry mass worldwide infection of 2017, which targeted unpatched Windows 7 devices, and to a lesser extent Microsoft Server 2008. As recently as May 2019, Microsoft released a new major patch for a similar ‘wormable flaw’ known as BlueKeep, to protect older operating systems including Windows 7 and Microsoft Server 2008/2008 R2.
‘It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.’ (Microsoft Security Response Centre)
And Windows 7, for example, is still very much in use. Worldwide reports suggest Windows 10 only took over the top market share position from Windows 7 in December 2018. A more realistic figure locally, taken from our own website visitors in July 2019, shows that a still worrying 12% of visitors running Windows were using Windows 7.
Operating systems are only one part of a much larger cybersecurity strategy, but continuing to run old unpatched operating systems is not an option. Organisations should have a clear risk management strategy, and have their hardware replacement plans well underway.
As the Gartner cybersecurity figures demonstrate, top of mind for many boards is to ensure their customer data is safe. The mandatory breach reporting requirements, together with the 4% of revenue fines allowed for in the new GDPR regulations, have changed the regulatory landscape all over the world. Enormous fines for security breaches, including Equifax (over AU$1 billion) and British Airways (AU$329 million), have set a new standard for security regulation, in addition to the customer loyalty implications of any breach.
In highly security-conscious industries such as Finance and Healthcare, or for businesses operating in the supply chain to government and larger corporations, the ability to meet compliance requirements, and the precious business opportunities that compliance provides, could be at risk with out-of-date systems. Not being able to tick the security compliance box can present an immediate revenue threat.
Get your IT Strategy right
For many organisations it will not be a straightforward decision to replace ageing servers and user devices. If you are faced with the need to upgrade, it could present an ideal opportunity to revisit your IT strategy and assess how best to spend each IT dollar to modernise your systems.
In Australia, the instant asset write-off scheme continues through 2019/2020 for businesses with up to $50 million in turnover, and could help ease the financial impact for some. But waiting until June 2020 to act could invite danger.
Bulk buy pricing for hardware replacement can also be arranged via a managed vendor bid process, instead of drip-feeding spending over a longer period.
Whether to invest large sums in hardware or make the move to a cloud environment is a question many will face. Getting the right vendor-neutral advice will be crucial. If you haven’t yet begun to seek the answers, it’s a great time to start.
Suddenly the year 2020 no longer feels so far into the future.