BitSight researchers examined more than 35,000 companies from over 20 industries across the world to explore the use of outdated operating systems and outdated Internet browsers over the last year and their correlation to data breaches.
If more than half of an organization's endpoints are outdated, its chances of experiencing a detrimental breach of potentially sensitive data points nearly triples. With hackers looking for new ways to target vulnerable data in our evolving digital environment, managing outdated software might be more important than you think.
These findings still underscore the seriousness of the risk posed by outdated software, browsers, and operating systems. The fact is, failing to update your software doesn’t just mean you won’t have the latest version — it means you could expose your organization to major security vulnerabilities.
5 Risks Of Outdated Or Unsupported Software, Browsers & Operating Systems
1. Outdated system lacks ransomware protection
One of the major risks of outdated systems is a ransomware attack. You might remember the WannaCry outbreak that impacted over 160,000 users around the world in 2017. More than 67 percent of the computer systems targeted by the WannaCry ransomware were those that had delayed updating to Windows 7 at the time, and were still using what is considered an outdated system at the time of the attacks. Even though Windows pushed out an updated layer of data protection when they realized hackers had access to users’ data, the continued use of outdated software left users vulnerable to attackers.
BitSight researchers examined more than 35,000 companies from over 20 industries across the world to identify the industries using outdated software and correlated it to the likelihood of breaches. See what we found.
2. Business process and functionality disrupted
Another detrimental example of what’s included as outdated software are the many devices connected to your business network. These devices could be more integral to your business than you think—which means that a virus on such a device could cause a major business disruption.
The potential for risk with this example can be more severe depending on the industry. For instance if you’re in the healthcare sector, updating a particular device’s operating system versus using outdated software could break the system. Consider this: if an MRI machine is running on what is considered an outdated operating system and that system becomes infected with a worm, it could cause a major disruption that impacts your business.
During these high-stakes times for the healthcare industry, as well as for many businesses that are seeing financial stress from the Covid-19 outbreak, managing your outdated software before it disrupts your functioning business could be crucial to your future.
3. Your third-party vendors do not utilize the same protection measures
While it is critical to look within your organization for outdated systems, it is just as important to assess your third parties. For example, if one of your vendors manages critical data for your business and accesses your network using an outdated browser, that vendor could be inadvertently exposing your (or your customers’) data to risk.
This is where BitSight can help. Traditional questionnaires and other third-party assessments may give you a broad idea of how your vendors operate to protect their cyberspace, but it is difficult to verify how this information compares to others in the industry, or if the vendor evaluates all their systems and vulnerable spots with the same standards as you. BitSight Third Party Risk Management software uses data collected objectively and externally to determine security ratings, showcasing if your vendors are using what is considered outdated software, so you can be sure that your data remains safe and secure.
4. Outdated mobile devices
It’s inevitable: The more your business grows, the more employees you have—and the more mobile devices get connected to your network. This also includes the increasing number of devices running on the same internet your employees’ while they work remotely during the continuing global pandemic, further expanding the mobile platforms that can impact internal data.
If one of these mobile devices is running on what is an outdated operating system, or using an outdated browser, your corporate network has an increased risk of facing cyber attacks. Employers must establish a continuous monitoring strategy to ensure that your employees are not using outdated mobile devices to access critical information on your network. Employers can use solutions like BitSight to gain insight into the mobile device versions used by everyone connected to your cyberspace, including employees, third parties, and more.
5. Internet Of Things Risk
The average person nowadays connects to the internet on a computer, phone, and likely through their smart devices like televisions. These IoT devices are additional examples of technology that can be considered outdated if their operating systems are not consistently kept updated for the latest threats. Data stored on all of our devices is critical to protect, so much so that Congress has been working through legislation surrounding security standards for what companies, the government, and technology providers can do with the information gathered by our devices. The legislation was introduced in 2017, and has currently passed in the Senate and is waiting on a vote from the House.
Some states, including California and Oregon, introduced legal requirements that went into effect January 1st of 2020 requiring that manufacturers of devices with the ability to connect to the internet must include a level of “reasonable security features”. This affects companies such as device, automotive, and sensor manufacturers, as well as industries that provide network or platform services. Legislation that is already being enforced as well as what is still being discussed highlights the importance of protecting our data. The data we create and store through our devices is desired by potentially harmful organizations, making it critical that we protect it with updated systems.
As indicated in the five risks outlined above, the criticality of updates cannot and should not be ignored. Read the BitSight Insights report, A Growing Risk Ignored: Critical Updates, to learn about correlations between outdated software (as well as browsers and operating systems) and data breaches over the course of a year.
This piece was originally published by BitSight in August of 2017, and has been updated as of July 2020. This updated version includes current information about BitSight, our security rating and third party monitoring software, and the cybersecurity space.