Windows 7 End of Life: What Organizations Are Using the Now Outdated OS?

Tom Montroy | January 21, 2020 | tag: Cyber Risks

This week, Microsoft ended support for the Windows 7 operating system. Among other implications, Microsoft will no longer issue security patches for the nine-year-old OS. Any organization relying on the OS moving forward could be susceptible to a security issue, attack or data breach unless they purchased extended support from Microsoft. 

The fix is simple: Migrate to a newer operating system. Yet, just as is the case with widely uneven patch management practices, many organizations will delay upgrading, for a variety of reasons. 

Following the official end-of-life of the OS on January 14, the BitSight Data Science team  investigated the scope of the Windows 7 migration challenge leveraging our BitSight Security Ratings platform, which can identify organizations (and machines within those organizations) that have migrated, and those that have not. BitSight’s non-intrusive data collection process gathers over 200 billion IT “events” daily from around the global internet, informing BitSight-generated security ratings for over 200,000 organizations.

BitSight's Data Science team studied roughly 60,000 organizations and found that over the past 60 days almost 70% of those organizations were using Windows 7 in some capacity. Of note, though, Windows 7 usage is typically not universal within those organizations, and BitSight is able to examine its prevalence. For example, at just over half of the organizations studied (51%) running Windows 7, the prevalence of Windows 7 is higher than one in 10 machines. For 32% of them, over one in four of machines are running Windows 7.

Additional noteworthy insights derived from the team’s research include:

Windows 7 is nearly universal at larger companies.

Nearly 90% of organizations with more than 10,000 employees are running Windows 7 on at least one computer, versus only 61% with less than 1,000 employees. 

Screen Shot 2020-01-24 at 9.45.29 AM

Windows 7 deployment is the widest in the education and government verticals.

Only the education and government sectors have a Windows 7 deployment rate above 80% (education is 84% and government is 82%). Conversely, technology companies have the lowest Windows 7 deployment rate, and technology is the only market where the rate is under 60% (56%).

Industries with the most window's 7 computers

Organizations within retail, transportation, manufacturing, and healthcare industries have a greater dependency on Windows 7.

At organizations running Windows 7, the prevalence of Windows 7 is greater than one in four machines within retail (41%), transportation (41%), manufacturing (41%), and healthcare (44%). Conversely, only 12% of organizations in the education sector are using Windows 7 on more than 25% of their machines.

Industries relying the most on window's 7 computers

Within the finance and healthcare industries, the dependence on Windows 7 correlates to company size.

Within healthcare, Windows 7 deployment rates jump from 68% to 93% when comparing organizations with less than 1,000 employees to those with more than 10,000. Within finance, the delta based on organization size is even more pronounced. Within this sector, 56% of organizations with less than 1,000 employees using the OS, versus 89% of those with more than 10,000 employees.

Screen Shot 2020-01-24 at 9.42.25 AM

Within large finance and healthcare organizations, there is a higher dependence on Windows 7.

Within healthcare, 45% of organizations with more than 10,000 employees are using Windows 7 on more than one out of four machines.  Within finance, 46% of organizations with more than 10,000 employees are using Windows 7 on more than one out of four machines. 

Window's 7 is just the latest outdated system to be added to the laundry list of cyber security risks. In addition to Window's 7, BitSight researchers examined more than 35,000 companies from over 20 industries across the world to identify the industries using outdated operating systems and Internet browsers over the last year and their correlation to data breaches.

Read the report on risks of outdated systems

Suggested Posts

What is an Attack Vector and How Can You Mitigate the Risk they Pose?

Today’s opportunistic hackers are seasoned professionals who are getting more adept at exploiting your organization’s digital attack surface. To do this they employ a variety of attack vectors.


Protecting Sensitive Data: 4 Things To Keep In Mind

Given the recent security breaches and reported hacking attempts, it is increasingly important for companies to have a handle on their most sensitive data. Sensitive data can include employees’ personal information, customer...


Secure Remote Work: New Threats Require a Shift in Policy and Training

Working from home introduces significant cyber risk to any organization. However, recent events reveal that it’s not a case of “if” but “when” bad actors will exploit the rampant vulnerabilities on home networks.


Get the Weekly Cybersecurity Newsletter.