Kaspersky recently conducted a study based on anonymized OS metadata provided by consenting Kaspersky Security Network users. The survey found that almost one quarter (22%) of PC users are still using the end-of-life OS Windows 7, which stopped receiving mainstream support in January 2020 by way of the vendor no longer sending software updates including critical security fixes.

According to the report, among those still using Windows 7, consumers, SMBs and very small businesses (VSBs) occupy almost the same share with 22% each. It is also noteworthy that almost a quarter of VSBs still use the outdated OS as they do not have dedicated IT staff responsible for ensuring their OS is up-to-date.

Kaspersky’s findings also showed that only a small percentage (less than 1%) of people and businesses still use older operating systems, such as Windows XP and Vista, support for which ended in 2014 and 2017 respectively. Overall, almost one quarter (24%) of users are still running a Windows OS without mainstream support. Fortunately, 72% of users are using Windows 10, the latest version of Windows OS, which appears to be the safest choice.

Knowing the risks of an end-of-life operating system is a good start, but acting on that knowledge is a smart way to finish. To protect yourself or your business, Kaspersky recommends the following:

• Use an up-to-date version of the OS and make sure the auto-update feature is enabled.
• If upgrading to the latest OS version is not possible, organizations should consider this attack vector in their threat model and ensure smart separation of vulnerable nodes from the rest of the network.
• Use solutions with exploit prevention technologies, which help to reduce the risk of exploitation of unpatched vulnerabilities that can be found in and obsolete OS (Windows 7 and earlier).

'Using an operating system which has been declared end-of-life, and thus is no longer receiving security updates, is akin to driving a car with a brake light on. The likelihood of disaster is great and yet it’s difficult convey this to users of such systems without it appearing to simply trying to get them to spend more money," says Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers. "This would be a good place for a government or NGOs to step in to provide incentives and programs to upgrade as it makes the entire ecosystem more secure."

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, explains, "Public procurement policies have quite often no contingencies for outdated OS, in the same way as the notion ‘it still works’ is dominant in discussions when decisions have to be made about where to spend money from constrained budgets. It will be interesting to see how this percentage is affected by the Biden administration’s initiatives over the course of the next twelve months."

Schrader adds, "As digitalization efforts will require additional systems, it is quite likely that existing one’s remain unchanged. In any case, those organizations still using Windows 7 are easier targets for cyber-attacks due to the lack of updates (if they haven’t signed up for the extended paid support) and likely face some public backlash and loss of reputation in case a data breach happens, not to mention the impact such a scenario might have on the cyber risk insurance status. As an organization, if you have no other option, make sure your devices are hardened, the firewalls rules are restrictive for those, and that they are all on a separate part of your network, using VLANs or internal firewall zones."