Using Windows 10 past 14 October? You’re leaving the door open to attackers
As of 14 October, Windows 10 will become the source of major security concerns

As of 14 October, Windows 10 will become the source of major security concerns. From this date onwards, Microsoft will cease all technical support, feature updates, and – most critically – security updates for its older operating system.
This end-of-life (EOL) presents a serious challenge. Those organizations, individuals and devices that are still running Windows 10 will no longer receive critical security patches – and there are plenty that will be.
General Manager, Kaseya Labs.
Our Kaseya Labs research has found that a staggering 30% of small- to medium-sized business (SMB) workstations have not yet upgraded to Windows 11.
That means millions of business computers will be exposed to unpatched vulnerabilities, effectively creating an open season for threat actors who know legacy Windows 10 machines are exploitable.
We’ve already seen how this can play out with 40%-60% of breaches worldwide involving unpatched vulnerabilities. Giving attackers a known target with such a large footprint makes it even easier for them.
In the last 3,000 Pen Tests our team has conducted, in over 15% of the tests we were able to compromise the network through unsupported Windows operating systems (mainly old versions of Windows 7 and 2008 still on the network).
Why are so many machines yet to upgrade to Windows 11?
This volume of un-upgraded systems far exceeds what we’ve seen in previous Windows EOL transitions. In the case of the Windows 7 EOL in 2020, less than 10% of SMB machines had yet to upgrade to Windows 10 at the same point in its lifecycle.
The stark difference in the number of unpatched machines is likely down to the strict hardware requirements that the Windows 11 update requires.
If your computer was built in 2018 or later, it will probably meet those prerequisites. However, it is estimated that this leaves hundreds of millions of older computers worldwide which cannot be upgraded.
The biggest impediment is the need for machines to support Trusted Platform Module 2.0 (TPM 2.0) – a security chip that generates cryptographic keys to verify the integrity and authenticity of the system.
Additional requirements include UEFI Secure Boot (instead of legacy BIOS), 64-bit CPUs (no older 32-bit CPUs) and minimum thresholds for RAM and disk space.
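Before deciding between upgrade, replacement and ESU, it helps to know which of the prerequisites above a given machine actually fails. The following PowerShell function is an added example, not code from the article or from Kaseya, and checks the requirements the article names: TPM 2.0, UEFI Secure Boot, a 64-bit OS, and RAM and disk minimums. The 4 GB / 64 GB thresholds are Microsoft's published minimums and are passed as parameters so they can be changed; the check against Microsoft's supported-processor list is not covered and must be done separately. It assumes an elevated PowerShell session on the machine being checked, since `Win32_Tpm` and `Confirm-SecureBootUEFI` require administrator rights.

```powershell
# Added example: per-machine Windows 11 hardware-readiness check.
# Not from the article; thresholds default to Microsoft's published minimums.
function Test-Win11Readiness {
    [CmdletBinding()]
    param(
        [int64]$MinRamBytes  = 4GB,
        [int64]$MinDiskBytes = 64GB
    )

    $result = [ordered]@{}

    # TPM: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is
    # the TPM specification version the chip implements. Absent or inaccessible
    # TPM -> not ready.
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
        $result['Tpm20'] = [bool]($tpm.IsEnabled_InitialValue -and ($specMajor -eq '2.0'))
    } catch {
        $result['Tpm20'] = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines, which
    # is itself a failed prerequisite (UEFI firmware is required).
    try {
        $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result['SecureBoot'] = $false
    }

    # 64-bit OS (Windows 11 has no 32-bit edition).
    $result['Is64Bit'] = [Environment]::Is64BitOperatingSystem

    # RAM and system-drive capacity against the configured minimums.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result['RamOk'] = ($cs.TotalPhysicalMemory -ge $MinRamBytes)

    $sysDrive = $env:SystemDrive   # e.g. "C:"
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
    $result['DiskOk'] = ($disk.Size -ge $MinDiskBytes)

    $result['Ready'] = $result['Tpm20'] -and $result['SecureBoot'] -and
                       $result['Is64Bit'] -and $result['RamOk'] -and $result['DiskOk']

    [pscustomobject]$result
}

Test-Win11Readiness | Format-List
```

A machine that reports `Tpm20 = False` but has a TPM may simply have it disabled in firmware; that is worth checking in the UEFI setup before writing the hardware off. A `SecureBoot = False` result on a machine that boots in legacy BIOS mode usually means the disk is MBR-partitioned, which needs conversion to GPT before UEFI and Secure Boot can be enabled.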
There are various registry hacks and bootable drives to get around Microsoft’s upgrade check, and while these may technically “work”, the system will still be considered unsupported by Microsoft and will likely lead to user-experience issues and incompatibility problems in the future. In other words, don’t go down this route.
Microsoft has faced criticism about leaving older machines behind, with some questioning whether the push to upgrade is motivated by the company’s desire to sell new devices.
However, the reality is that modern hardware systems such as TPM 2.0 and UEFI Secure Boot are required to make computing more secure. They’re necessities, and we can’t simply cover them with a band-aid, or kick the can down the road. Unfortunately, however, it is likely that many firms will do nothing, hoping that nothing goes wrong.
Hope is not a strategy. Imagine if your car was recalled for faulty airbags that could deploy at any moment and cause a severe injury – you wouldn’t drive around with that vulnerability without bringing it in for a fix.
The same applies here – the impacts could be serious. Only, the difference with cybersecurity is that there are many bad actors actively trying to trigger that issue.
Organizations have three real options
Some organizations may feel that if they have “high end” security software (AV/EDR/XDR/SOC) then this will provide some level of protection.
However, if the underlying OS has a critical vulnerability that enables an attacker to remotely gain full access, no amount of security software will be able to protect the machine.
You may get lucky, and catch some activity, but any security professional will tell you it can’t be counted on if the OS is completely controlled by an adversary.
In reality, organizations have three real options: to upgrade to Windows 11; to decommission and replace their Windows 10 machine; or to purchase Microsoft Extended Security Updates (ESUs).
If you’re still running Windows 10 after 14 October, and are not getting security updates through the ESUs, it will become trivial for attackers to compromise the machine.
As Microsoft publishes security updates under the ESUs, attackers will be informed of the vulnerabilities and – if exploitable – they will automate their attacks to find machines that are running unpatched versions of Windows 10.
In essence, attackers will be getting a blueprint of what to look for when these patches are released, and they will know millions of computers are running Windows 10 without the updates.
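The defender's counterpart to that scanning is an inventory: which hosts are still on Windows 10 past the cut-off, and how long since any update landed on them. The function below is an added example, not code from the article or from Kaseya. It queries one or more hosts for OS edition and build, takes the most recent hotfix install date as a proxy for patch freshness, and grades each host. The end-of-support date defaults to 14 October 2025 (the article gives the day; the year is assumed here, consistent with three years of ESU running to October 2028), and the 45-day patch-age threshold is a hypothetical value to tune for your estate. Remote queries assume WinRM (for `Get-CimInstance`) and WMI/DCOM (for `Get-HotFix`) are reachable.

```powershell
# Added example: flag Windows 10 hosts past end of support and hosts with stale
# patching. Not from the article; EOL year and patch-age threshold are assumptions.
function Get-UnsupportedOsStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Windows 10 end of support: article gives 14 October; year 2025 is assumed here.
        [datetime]$EndOfSupport = [datetime]'2025-10-14',
        # Hypothetical threshold: hosts with no update in this many days are flagged.
        [int]$MaxPatchAgeDays = 45,
        [datetime]$Now = (Get-Date)
    )

    foreach ($name in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        } catch {
            Write-Warning "$name : could not query OS ($($_.Exception.Message))"
            continue
        }

        # Windows 11 reports build 22000 or higher; the caption check guards
        # against server SKUs that share build ranges with client releases.
        $isWin10 = ($os.Caption -match 'Windows 10') -and ([int]$os.BuildNumber -lt 22000)

        # Most recent hotfix with a recorded install date; $null if none.
        $lastFix = Get-HotFix -ComputerName $name -ErrorAction SilentlyContinue |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        $patchAge = if ($lastFix) { [int]($Now - $lastFix.InstalledOn).TotalDays } else { $null }
        $stale = ($null -eq $patchAge) -or ($patchAge -gt $MaxPatchAgeDays)

        # Grade: a Windows 10 host past EOL that is still receiving updates is
        # most likely ESU-enrolled; one that is not is the case the article warns about.
        $risk = if ($isWin10 -and ($Now -ge $EndOfSupport) -and $stale) {
            'HIGH: Windows 10 past end of support with no recent updates (likely no ESU)'
        } elseif ($isWin10 -and ($Now -ge $EndOfSupport)) {
            'MEDIUM: Windows 10 past end of support; confirm ESU enrolment, plan migration'
        } elseif ($stale) {
            'MEDIUM: no recent security update recorded'
        } else {
            'LOW'
        }

        [pscustomobject]@{
            ComputerName  = $name
            OS            = $os.Caption
            Build         = $os.BuildNumber
            IsWindows10   = $isWin10
            LastPatchDate = if ($lastFix) { $lastFix.InstalledOn } else { $null }
            PatchAgeDays  = $patchAge
            Risk          = $risk
        }
    }
}

Get-UnsupportedOsStatus | Format-Table -AutoSize
```

Feed it a list of hostnames from Active Directory or your RMM tool (`Get-UnsupportedOsStatus -ComputerName $hosts`) and export the result to CSV for the migration plan. The hotfix date is only a proxy: confirm ESU enrolment through the licensing portal rather than inferring it from patch age alone.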
Further, by failing to upgrade, replace machines or purchase ESUs, it is highly likely that you will quickly find yourself in violation of a variety of compliance standards that require companies to run supported software and have the latest security patches applied.
If you have cyber liability insurance, you will also be voiding your policy if there is an incident and it is found that you are running unsupported and unpatched software.
ESUs must be purchased as a priority for un-updated systems
For these reasons, if you have failed to update or replace all systems prior to 14 October, the immediate priority must be to purchase the ESU for each Windows 10 machine that will still be used.
These can be purchased on an annual basis for up to three years, extending support until October 2028. For EDU institutions, it’s only $1 per machine. For businesses, it’s $61 for the first year, with the price doubling to $122 in year two, and again to $244 in year three.
After you have purchased the appropriate ESUs, you should look to upgrade or replace systems as quickly as possible.
There will no longer be technical support or bug fixes, and so the further the days tick away from 14 October, the more valuable IT time and worker productivity will be taken up by maintenance issues such as implementing new drivers and new software. Software is not static, and issues will begin to pile up.
Acting quickly is imperative. Without swift remediation, organizations could quickly find themselves at the mercy of threat actors that are actively hunting for unpatched systems and looking to exploit known vulnerabilities.
Making some small changes now can save you from a world of hurt that will become ever more likely to occur down the line.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro