When WannaCry ransomware hit last month, it highlighted a very serious security problem, one that we just don’t talk about enough. That’s the use of outdated and unsupported operating systems and software.
Even before the massive ransomware attack, I knew how much of a hidden problem this was, mostly through anecdotal evidence. I’ve had informal conversations with people employed in varied industries, including those doing highly sensitive research, who have said they continued to use Windows XP because IT didn’t have the time or budget to upgrade to a newer OS or they just liked XP better than anything else and switched back. We’ve heard stories that Point of Sale systems and IoT still operate on XP because it would be too costly to switch.
BitSight has confirmed my anecdotal evidence. In a new report, “A Growing Risk Ignored: Critical Updates,” the company analyzed more than 35,000 companies from industries across the globe and found that a surprising number of companies continue to run outdated and unsupported operating systems, as well as internet browsers.
For example, according to the report, more than 2,000 organizations run more than 50 percent of their computers on outdated versions of an operating system, and more than 8,500 organizations have more than 50 percent of their computers running an out-of-date version of an internet browser. Running outdated operating systems on a majority of machines triples an organization’s likelihood of a data breach; running outdated browsers on a majority of machines doubles it.
Windows users aren’t the only ones falling behind on upgrades. The study found that more than 25 percent of the computers used in government were running outdated MacOS or Windows; nearly 80 percent of these outdated systems were MacOS. Also, more than a third of companies don’t bother to do the monthly MacOS updates.
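The figures above are built on one simple measurement: for each organization, what share of inventoried endpoints runs an operating system or browser older than the current release. The script below is an added example, not code from BitSight or from the article, that performs that same check over a small constructed inventory and flags organizations that cross the report’s 50 percent line. The product names, version numbers and the "current version" table are placeholders chosen for illustration, not an authoritative support matrix.

```python
from collections import defaultdict

# Constructed reference table (placeholder values, not a real support
# matrix): the newest major version an organization treats as current.
# A real deployment would source this from vendor end-of-support data.
CURRENT_VERSIONS = {
    "windows": 10,
    "macos": 12,
    "ie": 11,
    "chrome": 58,
}

# Constructed inventory rows: (organization, product, major_version).
# Marketing names (e.g. "Windows 7") are assumed to have been mapped to
# an integer major version when the inventory was collected.
INVENTORY = [
    ("acme", "windows", 10), ("acme", "windows", 7), ("acme", "windows", 7),
    ("acme", "chrome", 58), ("acme", "ie", 8),
    ("globex", "windows", 10), ("globex", "windows", 10), ("globex", "windows", 7),
    ("globex", "ie", 9), ("globex", "ie", 10), ("globex", "chrome", 58),
    ("initech", "macos", 12), ("initech", "macos", 11),
]

OS_PRODUCTS = {"windows", "macos"}
BROWSER_PRODUCTS = {"ie", "chrome"}


def is_outdated(product, version):
    """An endpoint is outdated when its major version is behind the current one.

    Unknown products are treated as outdated: an asset nobody can classify
    is an asset nobody is patching.
    """
    current = CURRENT_VERSIONS.get(product.lower())
    if current is None:
        return True
    return version < current


def outdated_share(inventory, products):
    """Return {organization: fraction of endpoints in `products` that are outdated}."""
    total = defaultdict(int)
    outdated = defaultdict(int)
    for org, product, version in inventory:
        if product not in products:
            continue
        total[org] += 1
        if is_outdated(product, version):
            outdated[org] += 1
    return {org: outdated[org] / total[org] for org in total}


def flag_majority_outdated(inventory, products, threshold=0.5):
    """Organizations whose outdated share strictly exceeds the threshold
    (the report's "more than 50 percent" criterion)."""
    shares = outdated_share(inventory, products)
    return sorted(org for org, share in shares.items() if share > threshold)


if __name__ == "__main__":
    for label, products in (("OS", OS_PRODUCTS), ("browser", BROWSER_PRODUCTS)):
        for org, share in sorted(outdated_share(INVENTORY, products).items()):
            print(f"{org:8s} {label:8s} outdated share = {share:.0%}")
        print(f"{label}: majority outdated ->", flag_majority_outdated(INVENTORY, products))
```

Note that an organization sitting at exactly 50 percent (here, the constructed "initech") is not flagged, matching the "more than 50 percent" wording; a team using this internally would usually want a lower alerting threshold than the one that made the headline.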
A similar study from Duo Security investigated the activity of 4.6 million endpoints across multiple industries and geographies, as well as more than 3,500 simulated phishing campaigns for the latest possible data on our overall security health. It found that 13 percent of endpoints use an outdated Internet Explorer browser, and three-quarters of state and local governments are using MacOS over two years old. And it goes beyond our desktop computers, as Information Security Buzz reported:
Only 27% of Android phones are running the latest major OS version, compared to 73% of iPhones operating on iOS 10 or above. This stark difference is likely linked to many Android devices being beholden to both manufacturers and carriers to roll out updates, which can slow down the time to patch.
If things don’t change, if organizations don’t begin budgeting for staying up to date with software and hardware changes, we can expect threats like WannaCry to be the tip of the iceberg, as Stephen Boyer, co-founder and CTO of BitSight, said in a formal statement:
The WannaCry attack brought to light the threat posed by outdated systems on corporate networks. Research and analysis of organizational endpoint configuration and vulnerabilities suggests that unless companies begin to take a proactive approach to updating their systems, we may see larger attacks in the future.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba