The entire world is scurrying to make up for lost time now that Microsoft has finally pulled the plug on Windows 7 updates, and IT Asset Managers need to know an accurate count of just how many of those devices are still in their environment – now.
As of today, Jan. 14, 2020, the Redmond, Washington-based software giant has stopped supporting the more than 10-year-old operating system. Windows 10, its replacement, came out four years ago. But many organizations still are using the now antiquated operating system even after the vendor offered upgrades for free.
The problem creates an enormous security risk for users who do not follow one of a handful of options still available as of Tuesday morning. In fact, cybersecurity experts are sounding alarms that vulnerabilities already are being found as hackers are taking advantage of the opportunity to breach security loopholes. Even government agencies are putting out warnings to stop using Windows 7 immediately or choose from one of the available options.
The news came out the same day that Microsoft said it would put out a patch soon for Windows 10, which also was found to have a security vulnerability.
The International Association of IT Asset Managers, Inc. (IAITAM) says the problem affects every one of its 12 Key Process Areas (KPAs) for a successful ITAM program and believes it is imperative for IT Asset Managers to ensure they have accurate information as the issue becomes more critical over the coming days.
“These are the moments when using IT Asset Management (ITAM) best practices are imperative to keep data secure and business functions operational,” said Dr. Barbara Rembiesa, President and CEO of IAITAM. “We’ve been saying for years that you cannot manage what you do not know you have. If you don’t know how many Windows 7 computers are in the environment, you could put your organization in financial jeopardy, at the very least.”
The numbers published by major media outlets citing other sources suggest that Windows 7 still is a dominant operating system in much of the world. According to Net Marketshare, which tracks platform usage across the globe, nearly 33% of users worldwide were still operating Windows 7 as of the end of December 2019 – just two weeks ago. Windows 10 users account for almost 48%. Windows as a whole dominates all major platforms with an 87% market saturation, according to the report. It tops Mac OS, the second-highest operating system in use, by about 70%.
In China, the numbers could be even more startling. China’s National Computer Network Emergency Response Technical Team, CNCERT, said more than two-thirds of the country still were using Windows 7 as of the third quarter in 2019. And the UK’s National Cyber Security Centre (NCSC) put out a warning for Windows 7 users to stop all financial transactions, sending email, or storing “sensitive information” immediately.
According to Stat Counter, another company that tracks market share, nearly 17% of users in the UK still were on Windows 7 as of the end of December. Windows 10 users in that country account for nearly 76% of users, according to the site. That company also said the percentages of Windows 7 vs. Windows 10 users were similar in the US at that time.
The National Association of Dutch Municipalities also said more than 50% of municipalities in The Netherlands still use Windows 7, as do most hospitals there.
But IT Asset Managers know the only way to know exactly how many versions of a particular operating system are in the environment is an accurate inventory count. To accomplish this, practitioners should be certain their discovery tools are counting those versions accurately, and that their repositories are reconciling with the discovery tools as they find them. If all the versions are not accounted for, organizations that continue to disregard the warnings coming from multiple sources are in danger of data breaches or, potentially, complete meltdowns. If all else fails, now might be a time to do a wall-to-wall inventory, if possible.
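An added example, not from IAITAM or any discovery vendor: one way to reconcile a discovery export against the ITAM repository and count Windows 7 devices. The CSV columns, hostnames and result category names are constructed assumptions; the check relies on the fact that Windows 7 and Windows Server 2008 R2 both report version 6.1, so a count keyed on the version number alone is inflated.

```python
import csv
import io

# Constructed sample exports (not real data): discovery scan and ITAM repository.
DISCOVERY_CSV = """hostname,os_caption,os_version
FIN-PC-014,Microsoft Windows 7 Professional,6.1.7601
HR-LT-203,Windows 7 Enterprise ,6.1.7600
APP-SRV-02,Microsoft Windows Server 2008 R2 Standard,6.1.7601
ENG-PC-077,Microsoft Windows 10 Pro,10.0.18363
LAB-PC-009,,6.1.7601
"""
REPOSITORY_CSV = """hostname,recorded_os
fin-pc-014,Windows 7
hr-lt-203,Windows 10
eng-pc-077,Windows 10
kiosk-pc-031,Windows 7
"""

def is_windows7(caption, version):
    """Classify one discovery row; version 6.1 alone is ambiguous."""
    caption = caption.strip().lower()
    if "server" in caption:          # Server 2008 R2 also reports 6.1
        return False
    if "windows 7" in caption:
        return True
    # Caption missing: fall back to the version so the device is not dropped.
    return caption == "" and version.strip().startswith("6.1.")

def rows_by_host(text):
    """Index CSV rows by normalized hostname (case and whitespace differ by tool)."""
    return {r["hostname"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(discovery_csv, repository_csv):
    found = rows_by_host(discovery_csv)
    repo = {h: r["recorded_os"].strip().lower() for h, r in rows_by_host(repository_csv).items()}
    win7_found = {h for h, r in found.items() if is_windows7(r["os_caption"], r["os_version"])}
    win7_repo = {h for h, os_name in repo.items() if os_name == "windows 7"}
    return {
        "confirmed": sorted(win7_found & win7_repo),
        "stale_record": sorted(h for h in win7_found if h in repo and h not in win7_repo),
        "not_in_repository": sorted(win7_found - set(repo)),
        "not_seen_by_discovery": sorted(win7_repo - set(found)),
        "windows7_discovered": len(win7_found),
    }

if __name__ == "__main__":
    for category, value in reconcile(DISCOVERY_CSV, REPOSITORY_CSV).items():
        print(category, value)
```

Devices in `not_seen_by_discovery` are the ones a scan cannot confirm, for example machines that are powered off or disconnected, and are the candidates for a physical inventory check.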
Legacy Let Go
Microsoft has been sounding the alarm for a year that free support for Windows 7 was coming to an end. When it was released in 2009, the company said it would support the operating system for at least 10 years. That ended in late 2019. The company offered free upgrades to users to move to Windows 10 and extended the free support until today.
But many organizations did not make the switch because they run legacy software that is not compatible, or not as compatible, with Windows 10. While the migration mostly is seamless for the average user, for organizations with heavy investments in software that they rely on for general business operations, that software remained a priority and a financial roadblock to making the switch.
“As organizations move their operations to the cloud, legacy support issues like this will likely become a thing of the past in the next 10 to 15 years, but as Windows 7 remains in use across many organisations at present people should be aware of the increased vulnerability which this OS will now experience as it is no longer supported,” said Carl Wearn, head of e-crime at security software vendor Mimecast, in a story published this morning on Infosecurity Magazine.
In the same article, the research company Kollective said this about the migration: “It took many businesses up to three years to move from XP to Windows 7 and we can expect a similar timeline for the move to Windows 10,” said Jon O’Connor, a solution architect at Kollective. “While a lot of companies have migrated the majority of their systems away from Windows 7, being ‘almost there’ isn’t good enough.
“It only takes a handful of unsecured devices to launch a full-scale cyber-attack, so having even one or two Windows 7 PCs on your network could pose a serious risk,” he said. “IT teams need to know for certain that every single device on their networks is off of Windows 7 — but the reality is that most simply don’t know.”
There are several options for upgrading Windows 7, but the cost factor is a consideration for each option.
As of mid-Tuesday afternoon, the following options were available:
- Buy a copy of Windows 10. The cost depends on which version you are using. Windows 10 Pro, the top-of-the-line version, retails for US$199 per device on Microsoft’s website. Of course, using Acquisition Management, Financial Management, and Vendor Management KPAs could help you negotiate on volume discounts that will create a win-win for both organizations.
- Buy a new computer. Microsoft recommends that anyone running a computer more than 3 years old buy a new one. In the long run, this might be more proactive because the legacy hardware can be retired and go through final disposition through the Disposal Management KPA.
- Pay for extended support. Although Microsoft has stopped offering support for free, they have developed ongoing updates for Windows 7. This support lasts for three years but may be an unattractive option because some sources suggest it will cost as much as US$50 per device. However, that price could not be verified through Microsoft’s website. One source suggested that an organization running 10,000 or more machines would spend about $2 million using this approach.
- Switch operating systems. There’s always an option to switch to a different platform. However, doing so could affect all your software, so this one should be used with caution unless your organization determines this is a more productive, cost-effective solution than upgrading Windows 7.
- Disconnect it from the network. This is not a good option for ITAM because the discovery tool will not find it.
- Get really good anti-virus and anti-malware programs. This is good advice for all computer users, but with the end of Windows 7, this could become an even bigger necessity. Although no environment ever can be 100% secure, this might help.
- Try to get the upgrade for free. Although Microsoft publicly ended free upgrades to Windows 10 in 2016, several sources say IT Service Managers (and even home consumers) still can upgrade for free from Microsoft’s website at https://www.microsoft.com/en-us/software-download/windows10. There are several steps involved in doing this, however, so do your research first. IAITAM was not able to test this process to ensure it actually works, although Forbes magazine reported it still works as of today. IAITAM believes that Microsoft will end this option soon.
Also keep in mind that several vendors will continue to support their software for Windows 7 users, but some will not. Web browsers such as Google Chrome, Opera or Firefox will continue to support Windows 7 for now. However, turning on automatic updates for these software options is a good practice because vulnerabilities can be found in any software environment.
Even if an IT Asset Manager finds that the practitioner is stuck with a Windows 7 environment either because legacy applications are necessary or the organization does not give executive buy-in to making a change, some other ITAM best practices still can help mitigate risks to the environment.
Using the Communication & Education Management KPA will keep end-users informed of what they should or should not do and instruct them on how to do it. One tip would be to use an email service compatible with Windows 7 and not open or download anything unfamiliar. This should be part of the Employee Awareness Program (EAP), discussed with the organization’s Legal and Human Resources departments and become a policy under the Policy Management KPA. Ensure users read and sign a document stating they understand the policy and keep it in the employee’s file.
However, ensuring the ITAM program is mature and the environment is known well is the best solution for mitigating risks associated with the end-of-life support for Windows 7. This requires using all the KPAs and following the best practices. Unfortunately, this is a perfect-world scenario. Not all programs are as mature as they should be for various reasons. Keep in mind that when situations like this occur, those executives or IT Service Personnel who have been ignoring the warnings are going to blame the IT Asset Manager if they don’t know how many machines they have to update or replace.
“If you do not have a mature ITAM program in place, and you don’t know what’s in your environment, you already may be too late if something happens before you make changes,” Rembiesa said. “Trying to figure that out after the end-of-life support is final is like leaving the door open for a thief to walk in.”