Microsoft’s support for Windows 7 and Windows Server 2008 ended last month, leaving certain users more vulnerable to security and malware attacks.
The end of life for the Windows systems was not uncommon as Microsoft typically provides at least a decade of product support for its operating systems.
Microsoft discontinued mainstream support for Windows 7 in early 2015, but extended support through Jan. 14. Its end of life means Microsoft will no longer provide free incident support, design changes or fixes for security bugs for users of both Windows 7 and Windows Server 2008.

The Q&A talks to Eddie Chang, second vice president of cyber risk management at property-casualty insurer Travelers Cos., on how businesses and educational institutions can protect operating systems and data.
Q. Why are U.S. businesses and educational institutions using Windows 7 and Windows Server 2008 more vulnerable to cyber attacks?
Using an unsupported operating system, like Windows 7 or Windows Server 2008, makes a business more vulnerable to cyber attacks for three basic reasons. First, that business will no longer receive patches from Microsoft, so vulnerabilities in those obsolete systems will be found and publicized, leaving the door open for cyber criminals. Second, that business will not have the benefit of using the latest, most effective security controls that are built into newer operating systems. Finally, a business may not be able to patch or upgrade other applications, because developers other than Microsoft will also stop supporting Windows 7 and Windows Server 2008.
Q. Which steps should businesses using Windows 7 and Windows Server 2008 take to prevent cyber attacks?
We have seen many cases where businesses don’t know what they are running on their network. The first step, for any business, is to evaluate whether it is running Windows 7 or Windows Server 2008 anywhere in its environment. If so, the next step is to decide what to do. The best practice would be to upgrade to a supported operating system. For various reasons, however, that may not be possible. For example, the business may be running proprietary software on Windows 7 that will not run on, or cannot be ported to, Windows 10. That is common in the manufacturing and healthcare industries, where Windows 7 is running on machinery or equipment that cannot be easily replaced. If that’s the case, the business will need to consider what compensating controls can be used to protect the older system, like putting it behind a firewall. Another option is purchasing Extended Security Updates from Microsoft.
Q. How often should businesses consider updating their computer systems?
There’s a distinction between patching and upgrading. Most businesses should be patching their computer systems monthly, because that’s how often Microsoft and other software vendors release software patches. For smaller businesses, it can be as easy as turning on the automatic Windows Update feature. Larger businesses may want to test the monthly patches before installing them within a production environment.
For major upgrades, whether to a newer operating system or to new computer hardware, there are many considerations, including cost. However, when a business is using an operating system that has passed its End of Life date, that might be an indicator that it’s time to upgrade.
Q. What should businesses consider as system support becomes obsolete?
One mistake many businesses make is looking only at the cost of upgrading the operating system, without accounting for the risk involved in not upgrading. A single computer running Windows 7 can become the foothold used by cyber criminals to compromise a business’s entire network, causing the business to become the victim of a financial fraud, suffer a costly data breach or be hit with a ransomware attack. The resulting loss can far exceed what it would have cost the business to upgrade in the first place.
Q. What role do cyber insurers play in helping businesses protect themselves?
Cyber insurance provides indemnification for covered cyber losses. In addition, many cyber insurers provide access to services and expertise that can help businesses avoid the loss in the first place. These prebreach services, such as cybersecurity assessments and awareness training, provide a way for cyber insurers to help their business customers protect valuable systems and data.
Q. How has cyber liability insurance changed in recent years?
Cyber insurance evolves to keep pace with the threats businesses face. Examples include invoice manipulation coverage, which helps protect against a new kind of financial fraud, as well as system failure coverage, which helps protect against outages and downtime even when not caused by a hacker. One of the newest coverages, betterment, can help companies improve their cybersecurity after a cyber attack. In cyberspace, getting back to status quo is often not enough; businesses may need to improve their defenses to avoid falling victim to a similar attack in the future, and betterment coverage is one way cyber insurance can help them do that.