New! The Security Ratings report is now the Executive Report. Request your report to see enhanced analysis such as your rating, likelihood of ransomware incidents, and likelihood of data breach incidents.
Windows 7 End of Life: What Organizations Are Using the Now Outdated OS?
This week, Microsoft ended support for the Windows 7 operating system. Among other implications, Microsoft will no longer issue security patches for the nine-year-old OS. Any organization relying on the OS moving forward could be susceptible to a security issue, attack or data breach unless they purchased extended support from Microsoft.
The fix is simple: Migrate to a newer operating system. Yet, just as is the case with widely uneven patch management practices, many organizations will delay upgrading, for a variety of reasons.
Following the official end-of-life of the OS on January 14, the Bitsight Data Science team investigated the scope of the Windows 7 migration challenge leveraging our Bitsight Security Ratings platform, which can identify organizations (and machines within those organizations) that have migrated, and those that have not. Bitsight’s non-intrusive data collection process gathers over 200 billion IT “events” daily from around the global internet, informing Bitsight-generated security ratings for over 200,000 organizations.
Bitsight's Data Science team studied roughly 60,000 organizations and found that over the past 60 days almost 70% of those organizations were using Windows 7 in some capacity. Of note, though, Windows 7 usage is typically not universal within those organizations, and Bitsight is able to examine its prevalence. For example, at just over half of the organizations studied (51%) running Windows 7, the prevalence of Windows 7 is higher than one in 10 machines. For 32% of them, over one in four of machines are running Windows 7.
Additional noteworthy insights derived from the team’s research include:
Windows 7 is nearly universal at larger companies.
Nearly 90% of organizations with more than 10,000 employees are running Windows 7 on at least one computer, versus only 61% with less than 1,000 employees.
Windows 7 deployment is the widest in the education and government verticals.
Only the education and government sectors have a Windows 7 deployment rate above 80% (education is 84% and government is 82%). Conversely, technology companies have the lowest Windows 7 deployment rate, and technology is the only market where the rate is under 60% (56%).
Organizations within retail, transportation, manufacturing, and healthcare industries have a greater dependency on Windows 7.
At organizations running Windows 7, the prevalence of Windows 7 is greater than one in four machines within retail (41%), transportation (41%), manufacturing (41%), and healthcare (44%). Conversely, only 12% of organizations in the education sector are using Windows 7 on more than 25% of their machines.
Within the finance and healthcare industries, the dependence on Windows 7 correlates to company size.
Within healthcare, Windows 7 deployment rates jump from 68% to 93% when comparing organizations with less than 1,000 employees to those with more than 10,000. Within finance, the delta based on organization size is even more pronounced. Within this sector, 56% of organizations with less than 1,000 employees using the OS, versus 89% of those with more than 10,000 employees.
Within large finance and healthcare organizations, there is a higher dependence on Windows 7.
Within healthcare, 45% of organizations with more than 10,000 employees are using Windows 7 on more than one out of four machines. Within finance, 46% of organizations with more than 10,000 employees are using Windows 7 on more than one out of four machines.
Window's 7 is just the latest outdated system to be added to the laundry list of cyber security risks. In addition to Window's 7, Bitsight researchers examined more than 35,000 companies from over 20 industries across the world to identify the industries using outdated operating systems and Internet browsers over the last year and their correlation to data breaches.