Out of Date Operating Systems Increase Breach Risks

Sue Marquette Poremba

When WannaCry ransomware hit last month, it highlighted a very serious security problem, one that we just don’t talk about enough. That’s the use of outdated and unsupported operating systems and software.

Even before the massive ransomware attack, I knew how much of a hidden problem this was, mostly through anecdotal evidence. I’ve had informal conversations with people employed in varied industries, including those doing highly sensitive research, who have said they continued to use Windows XP because IT didn’t have the time or budget to upgrade to a newer OS or they just liked XP better than anything else and switched back. We’ve heard stories that Point of Sale systems and IoT still operate on XP because it would be too costly to switch.

BitSight has confirmed my anecdotal evidence. In a new report, “A Growing Risk Ignored: Critical Updates,” the company analyzed more than 35,000 companies from industries across the globe and found that a surprising number of companies continue to run outdated and unsupported operating systems, as well as internet browsers.

For example, according to the report, more than 2,000 organizations run more than 50 percent of their computers on outdated versions of an operating system and more than 8,500 organizations have more than 50 percent of their computers running an out-of-date version of an internet browser. This triples and doubles, respectively, the organizations’ likelihood of a data breach.


Windows users aren’t the only ones falling behind on upgrades. The study found that more than 25 percent of the computers used in government were running outdated MacOS or Windows; nearly 80 percent of these outdated systems were MacOS. Also, more than a third of companies don’t bother to do the monthly MacOS updates.

A similar study from Duo Security investigated the activity of 4.6 million endpoints across multiple industries and geographies, as well as more than 3,500 simulated phishing campaigns for the latest possible data on our overall security health. It found that 13 percent of endpoints use an outdated Internet Explorer browser, and three-quarters of state and local governments are using MacOS over two years old. And it goes beyond our desktop computers, as Information Security Buzz reported:

Only 27% of Android phones are running the latest major OS version, compared to 73% of iPhones operating on iOS 10 or above. This stark difference is likely linked to many Android devices being beholden to both manufacturers and carriers to roll out updates, which can slow down the time to patch.

If things don’t change, if organizations don’t begin budgeting for staying up to date with software and hardware changes, we can expect threats like WannaCry to be the tip of the iceberg, as Stephen Boyer, co-founder and CTO of BitSight, said in a formal statement:

The WannaCry attack brought to light the threat posed by outdated systems on corporate networks. Research and analysis of organizational endpoint configuration and vulnerabilities suggests that unless companies begin to take a proactive approach to updating their systems, we may see larger attacks in the future.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba


Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


 



Add Comment      Leave a comment on this blog post
Jun 12, 2017 10:28 PM Terry Critchley Terry Critchley  says:
This is like repainting the funnels on the Titanic when what is needed is a redesign of the hull and some radar. The focus on cyber security is too narrow and one dimensional. It needs lateral, even outrageous thinking to produce an architecture for the purpose. Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


 
Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.