Is your organization still using Windows 7? Microsoft support is coming to a close in a few short months. If you think end-of-support for legacy systems doesn’t impact your organization, think again.
Microsoft ends all support for Windows 7 on January 14, 2020. This end-of-support means no more Windows 7 patching, bug fixes, or security updates to protect older systems that may include your e-commerce server or point-of-sale (POS) system or financial database with Personally Identifiable Information (PII).
How pervasive is the Microsoft Windows 7 user base? According to Dublin-based StatCounter GS, the global Windows 7 Service Pack 1 (SP1) market share is still 33.6% as of May 2019. Windows 7 will become increasingly vulnerable without security updates. Anecdotal evidence from threats like WannaCry, which spread after Windows XP reached end-of-support, suggests that adversaries will step up attacks on Windows 7 users, since organizations still running a legacy OS tend to have lower security maturity and therefore make attractive targets.
Migrating Windows 7 operating systems (OS) requires time and money, and with just months remaining until January 2020, you need to come up with a plan. These Windows lifecycle changes may especially impact small and medium-sized businesses (SMBs), which have smaller IT teams that may lack the skill sets to address them. While it might be tempting to look for workarounds, this is the end of the line for Windows 7. Non-compliance penalties under HIPAA (Health Insurance Portability and Accountability Act) or PCI DSS (Payment Card Industry Data Security Standard) are likely to far outweigh the risk and expense of migrating and being compliant.
Performance and security are two areas that have evolved considerably over the last three or four years, and your organization may have some unique considerations to assess in order to optimize your limited resources. Recent technical advancements mean that you can improve security and protection all while reducing complexity and cost. Here are some crucial questions that you may be asking as you move ahead, or even wrap up your Windows 7 migration.
Microsoft will discontinue all Windows 7 support on January 14, 2020. Microsoft has been forthcoming about the Windows product lifecycle, so this should not come as a surprise. However, you may have found that day-to-day IT priorities and security firefighting have overtaken migration planning. Allocating resources for migration may be a challenge for organizations such as city and state government, as well as educational institutions. Windows 7 is not the only product facing end-of-support. Here is a list of Microsoft support deadlines to note:
| Product | End-of-Support Date |
|---|---|
| Windows 7 Service Pack 1 | January 14, 2020 |
| Windows Server 2008 R2 SP1 | January 14, 2020 |
| SQL Server 2008 SP4 | July 9, 2019 |
| Office 2010 | October 13, 2020 |
The time to mobilize is now. Develop a migration plan that encompasses any IT timelines that your vertical industry or organization may follow. For example, allow extra time to freeze ordering and shipping system development 60 days before the retail holiday season or year-end break for educational institutions.
Some of the organizational impacts of older systems and hardware include:
Obsolete platforms are at greater risk from malware and other exploits that adversaries can use to access your data, or to pivot to other businesses in your supply chain and operating network. In the event of a data breach caused by unpatched legacy software or hardware, sizable compliance fines or negative publicity may follow if the breach is deemed to have been preventable.
Organizations have four possible paths when migrating off legacy operating systems and devices:
Here’s what Microsoft has to say to businesses running Windows 7.
In a nutshell: yes. Running Windows 7 after January 14, 2020 could violate security and privacy safeguards such as PCI DSS and HIPAA for organizations of all sizes. Requirement 6.2 of PCI DSS requires the installation and maintenance of current security patches on POS devices; patches for Windows 7 will stop after the end-of-support date. HIPAA similarly requires the ability to apply patches to devices that handle PHI (Protected Health Information), so Windows 7 devices would not be compliant after the looming January date.
If migration is not an option, or there are unforeseen delays, compensating controls may be used to address compliance and audit requirements. These compliance-related compensating controls involve identifying, examining, and mitigating risks, along with documenting and maintaining security levels over time. Notify your PCI QSA (Qualified Security Assessor) of any compensating controls, or document them in your organization's self-assessment reports.
The optimal approach is to successfully migrate to Windows 10 with plenty of time built in for contingencies. Always consult a PCI DSS or HIPAA expert for compliance recommendations about your specific entity and protected data.
Here are some practical tips for robust security controls to help you think like a hacker when it comes to protecting your Windows 7 infrastructure as you prepare for migration:
Note that Microsoft customers with Windows 7 support contracts will continue to receive any updates, patches, and bug fixes that Microsoft provides through January 14, 2020.
There are three primary steps to consider in your migration to Windows 10.
Don't wait until the last minute, when new workstations may be in short supply and vacationing IT staff and users may hinder migration. If your organization doesn't have much migration experience, engage outside help to leverage experts who have done this consistently and can help you avoid surprises.
Endpoint technology has seen significant advancements since Windows 7's introduction in 2009. Endpoint Detection and Response (EDR) capabilities are one of the newer layered defense tools in the endpoint battle, blocking known malware as well as unknown, or zero-day, attacks to protect organizations from costly data breaches. Anomaly detection to maximize endpoint security is a crucial step to prevent, detect, respond to, and predict threats. EDR also supports threat hunting by pinpointing attacks in progress and isolating impacted endpoints or servers, while minimizing false positives that waste your valuable time. EventTracker EDR is a 24/7 managed service that closes security gaps created by legacy systems with a defense-in-depth strategy that bolsters endpoint security to contain threats early and reduce dwell time across all stages of the threat chain.
A move to Windows 10 provides numerous benefits such as increased performance, usability, and operating efficiencies. Hardware today is optimized for Windows 10, and legacy OS users face security risks, rising operating costs, lost productivity, and an inability to capitalize on hardware and software improvements. While migrating requires time and money, the benefits outweigh the disadvantages that could include compliance fines, data breaches, and damaged brand reputation.
As you eliminate Windows 7, keep security top of mind as you assess the strategic choices available to you today. EDR can serve as another compensating control to place legacy equipment such as Microsoft Windows 7 in lockdown mode. Advanced cybersecurity threats have increased in severity and volume, and your security solutions must likewise protect your sensitive data and customer trust. Security risks will only increase as the end-of-support date of January 14, 2020 approaches.
Are you facing a Windows 7 migration? Watch our webcast on Windows 7 Migration: A Cybersecurity Reboot to learn more about your options for protecting your employees and customers, sensitive data, and infrastructure.