Given the challenges of a migration, many organizations are still running Windows 7 in their environment. The latest data from both NetMarketShare and StatCounter give Windows 7 around a 26% slice of the OS market.
Some companies and individuals will continue to run Windows 7 and Server 2008 believing that antivirus and other security controls will keep them safe. That belief has been proven wrong before, with disastrous consequences: once the vendor stops shipping fixes, every newly discovered vulnerability in the OS stays open indefinitely, and no endpoint product closes it.
In 2017, the WannaCry ransomware worm infected hundreds of thousands of computers by exploiting a flaw in Windows' SMBv1 file-sharing protocol. Microsoft had fixed that flaw two months earlier in security bulletin MS17-010, but only for the operating systems it still supported, including Windows 10, Windows 8.1 and Windows 7. Windows XP was already out of support, so XP machines stayed exposed. To limit the spread of WannaCry, Microsoft did eventually publish an out-of-band patch for XP, but the incident shows the risk of depending on an unsupported OS: fixes arrive late, or not at all.
Tips for safeguarding data
Beyond purchasing ESUs (Extended Security Updates) and moving forward with a migration, organizations still running Windows 7 need to protect their data from security risks. To that end, Veritas CIO John Abel has several recommendations and thoughts on how to best safeguard your data.
Educate employees. Make sure your employees and users are following best practices for saving and storing data. Consider running a simulation to ensure that your employees know what to do in the event of a security breach or other incident.
Evaluate risk. Understand what data is at risk and where it resides. Data visualizers and analytics tools can help you identify where your key data lives and make sure it complies with company policies and industry regulations.
Run patches. Install every update Microsoft still issues while you can, including any ESU updates you are entitled to, and verify that hosts are actually at the current patch level rather than assuming they are.
Back up data. Follow the "3-2-1 rule": keep three copies of your data, on at least two different storage media, with at least one copy offsite and air gapped, that is, isolated from the public internet and from other unsecured systems, so that ransomware that reaches production cannot also reach the backup.
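The "evaluate risk" and "run patches" steps above can be scripted. The following PowerShell is an added example, not code from the article or from Veritas: it lists the domain computers still reporting Windows 7 or Server 2008, records when each was last patched, and checks whether SMBv1 (the protocol WannaCry spread over) is still enabled on it. It assumes the RSAT ActiveDirectory module on the admin workstation, an account with read access to AD and local admin rights on the targets, and PowerShell remoting (WinRM) enabled on those targets; the 30-day logon window, the 90-day patch threshold and the output file name are arbitrary choices.

```powershell
# Added example, not part of the original article. Assumptions: RSAT ActiveDirectory
# module installed locally, read access to AD, admin rights and WinRM on the targets.
Import-Module ActiveDirectory

# 1. Inventory: every domain computer still reporting an end-of-life OS that has
#    actually logged on recently (skips stale, long-dead AD objects).
$eol = Get-ADComputer -Filter 'OperatingSystem -like "*Windows 7*" -or OperatingSystem -like "*Server 2008*"' `
                      -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
       Where-Object { $_.LastLogonDate -gt (Get-Date).AddDays(-30) }

$report = foreach ($c in $eol) {
    $name = $c.DNSHostName
    if (-not $name) { $name = $c.Name }

    # 2. Patch level: date of the most recently installed hotfix (Get-HotFix uses WMI/DCOM).
    $lastPatch = $null
    try {
        $lastPatch = Get-HotFix -ComputerName $name -ErrorAction Stop |
                     Where-Object { $_.InstalledOn } |
                     Sort-Object InstalledOn -Descending |
                     Select-Object -First 1 -ExpandProperty InstalledOn
    } catch { }
    $days = $null
    if ($lastPatch) { $days = [int]((Get-Date) - $lastPatch).TotalDays }

    # 3. SMBv1: on Windows 7 / Server 2008 it is controlled by the SMB1 DWORD under
    #    LanmanServer\Parameters (0 = disabled). A missing value means the default,
    #    which on these versions is enabled. Microsoft documents this in KB2696547.
    $smb1 = 'unknown'
    try {
        $smb1 = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                  -Name SMB1 -ErrorAction SilentlyContinue
            if ($null -eq $v)       { 'enabled (default)' }
            elseif ($v.SMB1 -eq 0)  { 'disabled' }
            else                    { 'enabled' }
        }
    } catch { }

    [pscustomobject]@{
        Computer       = $name
        OS             = $c.OperatingSystem
        LastLogon      = $c.LastLogonDate
        LastPatch      = $lastPatch
        DaysSincePatch = $days
        SMBv1          = $smb1
    }
}

# Hosts still exposing SMBv1 and unpatched the longest sort to the top of the list.
$report | Sort-Object @{Expression = { $_.SMBv1 -like 'enabled*' }; Descending = $true},
                      @{Expression = 'DaysSincePatch'; Descending = $true} |
          Format-Table -AutoSize
$report | Where-Object { $_.DaysSincePatch -gt 90 -or $_.SMBv1 -like 'enabled*' } |
          Export-Csv -Path .\eol-windows-inventory.csv -NoTypeInformation
```

The documented remediation for the SMBv1 finding on these versions is to set that same SMB1 value to 0 (`Set-ItemProperty ... -Name SMB1 -Type DWORD -Value 0`) and reboot; the script deliberately only reports, so that the change can be scheduled rather than applied blindly to production servers.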
Protecting against malware and ransomware such as WannaCry is another critical task. As Abel told TechRepublic, there were 151.9 million ransomware attacks in the first three quarters of 2019, according to data from SonicWall.
In addition to Windows 7, Windows Server 2008 and 2008 R2 also reached the end of extended support on 14 January 2020. Servers are usually better shielded from security risks than workstations, but they can still be vulnerable, and they often hold the organization's most critical data.
"Obviously, servers may not be as exposed as laptops and PCs as they are usually inside a protected environment and not susceptible to the same type of mobility and therefore vulnerability," Abel said. "However, the data exposure and risk can be even greater as servers tend to hold more sensitive data and the potential for impact to an organization is significantly increased."
The other question this raises is how it might affect GDPR liability. The key is understanding where your personal data is and how it is protected. If sensitive data is stored on a Windows 7 or Server 2008 system, it has become increasingly vulnerable since 14 January 2020. Companies need to identify which data on these devices constitutes Personally Identifiable Information (PII) or other personal data and consider moving it to a supported, less vulnerable platform.
Finally, the permanent solution is for companies to migrate away from Windows 7 and Server 2008, but that requires planning. The timescale depends entirely on the size of the company's unsupported estate, and as with any migration, things can go wrong; the essential safeguard is verified, secure backups of all your data, taken before the migration begins, so that a failed cutover can be rolled back.