Microsoft is ending support for Windows 7 and Server 2008 today leaving millions of users in the unenviable position of either having to pay to upgrade to the newest OS Windows 10 or face using an unsecured computer.

Microsoft announced in June 2019 it would be phasing out support for Windows 7 on January 14, 2020 which means no more security patches would be rolled out. But even with that amount of lead time and the potentially disastrous outcome of using an unsafe PC has not spurred everyone to take action and the OS still retains a market share for desktop and laptops as of December 2019 between 27 and 32 percent, according to StatCounter and Netmarketshare.

Why so many have put off replacing their now 10-year-old operating system is not hard to judge as upgrading massive numbers of computers is costly and time consuming, but Microsoft has done its due diligence to prepare the market for this day, said Mehul Revankar, director of product management at SaltStack.

“Microsoft has done its part, by giving enough warning (9+ months) to its end user so that they can start to phase out Windows 7 from the infrastructure. Therefore, the responsibility to plan and take appropriate actions solely lies on the end user,” he said.

However, Marc Capellupo, senior security engineer at Exabeam, pointed out several reasons why an organization may have delayed or not move on to Windows 10. As with any major business move leaving behind Windows 7 requires time, money, resources, planning and a compelling reason to take the step and having the right people making the case for additional budget to make the change..

” So there has to be an incredibly convincing reason to go down that route. Windows 10 hasn’t become that reason yet. The average PC user and even enterprise IT admins, would be hard pressed to find a feature parity between Windows 7 and Windows 10.  It’s also not the security team arguing for the upgrade at the next executive meeting,” he said. 

Part of the issue of getting everyone on board with upgrading lies with the size of the installed base of Windows users, said Jack Mannino, CEO at nVisium, who noted that many users will continue on with Windows 7 causing an on-going security risk.

“The challenge is that at Windows’ scale and install base, there are non-trivial consequences to ending support that will likely result in many compromises over the next decade. However, a decade is a reasonable support lifecycle for an operating system and we’re better off focusing on removing security debt in our environments rather than prolonging the inevitable,” he said.

The danger of using an out of date OS is also known to threat actors who may well be preparing to take action against system still using Windows 7 said Anthony Bettini, CTO, WhiteHat Security.

“Whenever widely deployed operating systems (OS), software, applications, or devices are transitioned to end of life (EOL) or end of support (EOS), we see these targeted by attackers more frequently. EOL software is often an easy target because as vulnerabilities get disclosed in newer versions, which do receive patches or updates, these old versions go unprotected,” he said. 

The UK’s National Cyber Security Centre (NCSC) issued a severe warning to those still using Windows 7.

“We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device,” NCSC said in a statement.

Satnam Narang, senior security response manager for Tenable, said larger organizations are likely to have the infrastructure and financial ability in place to upgrade, but for those firms that do not or are behind schedule there are protective steps to be taken.

  • Rely on endpoint detection and antivirus software to detect known threats.
  • Implement email protection, as threats can often come in the form of emails and can slip through the cracks of email filters.
  • Enforce security awareness training for all employees.

Additional suggestions from Veritas’ CIO John Abel are to patch Windows 7 while you still can and ensure all data is backed up using the  “3-2-1 rule.” This means data owners have three copies of their data, two of which are on different storage media and one is air gapped in an offsite location.