Executives typically have long to-do lists. With new cybersecurity standards requiring the C-suite to become directly involved in cybersecurity operations, the list is getting longer. To operate a business in the modern cybersecurity landscape, executives need to ensure that all employees are properly trained, that vendors are properly vetted and audited, and that the IT and cybersecurity teams are adequately funded and equipped.
More often than not, it’s the “properly equipped” component that causes problems. The rules and regulations surrounding cybersecurity seem to change at a lightning pace, yet these compliance standards still change far more slowly than the technology they govern. It’s no exaggeration to say that by the time one operating system has been rolled out across every office of a large business, that operating system is often close to obsolete. And if there is one common theme in several recent high-profile breaches, it’s that obsolete, unpatched technology is an open invitation to attackers.
In its Network Security Report, IT management platform Spiceworks names outdated legacy systems as one of the biggest threats to corporate cybersecurity. Indeed, one of the business world’s favorite operating systems, Windows XP, launched in 2001 and lost Microsoft support in April 2014. Yet it is still in use, at least in part, at 32% of all businesses surveyed. Meanwhile, 79% of businesses run Windows 7, which launched in 2009, on one or more computers, a percentage that Spiceworks calls “alarming.” Even more alarming (though not unexpected) is Microsoft’s announcement that Windows 7 reaches the end of support on January 14, 2020.
A Costly Predicament
When an operating system reaches end of life, support is usually withdrawn in stages. Starting in January 2020, the security updates that fix newly discovered Windows 7 vulnerabilities will no longer be released for free. Instead, Microsoft plans to sell Extended Security Updates (ESU) to business customers for a fee of about $25 per device for the first year. That amount doubles per device for a second year of support and climbs to $100 for a third year. Support will be fully discontinued in January 2023 as Microsoft devotes its resources to making its flagship system, Windows 10, more robust and resilient to cyberattacks. Note that ESU covers security fixes only, not the feature and reliability updates a supported system receives, and a Windows 7 machine still receiving ESU remains a system its vendor has declared end of life.
It doesn’t take an accountant to see that Microsoft’s pricing for extended support adds up quickly for larger businesses. Upgrading is not cheap either. Suppose the average cost of upgrading a small business’s technology is $1,000 per employee; a 1,500-employee company would then spend $1.5M to upgrade every computer. That may be why 25% of the businesses surveyed by Spiceworks plan to hold off on updating.
Still, the cost of delaying will likely far outweigh the cost of upgrading legacy software in a timely manner. IBM’s Data Breach Calculator helps businesses estimate the cost of a data breach based on details such as industry, company size, and the compliance safeguards in place. Its baseline, drawn from IBM’s 2019 Cost of a Data Breach study, puts the global average cost of a breach at $3.92 million, and the U.S. average is considerably higher. That figure does not include revenue lost to reputational damage.
What about larger companies? Take Equifax, where an unpatched vulnerability in Apache Struts, an open-source Java web application framework, was sitting underneath a decades-old web application that allowed consumers to check their credit information. Techcrunch reports:
“The attackers used the vulnerability to pop a web shell on the server weeks later, and managed to retain access for more than two months, the House panel found, and were able to pivot through the company’s various systems by obtaining an unencrypted file of passwords on one server, letting the hackers access more than 48 databases containing unencrypted consumer credit data. During that time, the hackers sent more than 9,000 queries on the databases, downloading data on 265 separate occasions.”
To compound the problem, Equifax’s former CEO tried to blame a single IT staffer for failing to patch Apache Struts. For readers who are new to the CyberFortis site and are just learning about the government’s expectations surrounding security compliance, that’s a very bad move.
All said, failing to patch and upgrade legacy software cost Equifax about $1.4 billion, far more than any business can expect to pay for upgrading its software on schedule. There are a few simple ways to avoid repeating the credit giant’s mistakes. Business leaders should consult their IT departments, build an inventory of the systems in use, and determine which of them are past vendor support or due for updates. Then they should prioritize funding to make the upgrades happen. Of course, without proper training, executives will not know which questions to ask, and IT personnel will not know which answers to give. It’s worth spending the time and money now to find the pieces of aging technology sitting in a dusty server room somewhere, waiting for an attacker to find them first.
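As an added example (not code from this article, Spiceworks, IBM or Microsoft), here is a small Python inventory check of the kind the previous paragraph calls for. It classifies each host by Microsoft’s published end-of-support dates (Windows XP: 8 April 2014; Windows 7: 14 January 2020, with paid ESU ending 10 January 2023; Windows 10: 14 October 2025), works out which ESU program year a Windows 7 host is in, and estimates the ESU bill using the per-device figures quoted above. The inventory rows, hostnames, and the flat per-device pricing are constructed assumptions; any operating system not in the table is reported as “unknown” rather than assumed safe.

```python
"""Flag inventory hosts whose operating system has passed vendor end of support.

Added example; not code from the original article. The inventory is constructed.
"""
import csv
import io
from datetime import date

# Microsoft lifecycle dates: the day free security updates stop, and the day paid
# Extended Security Updates (ESU) stop where an ESU program existed.
END_OF_SUPPORT = {
    "Windows XP": (date(2014, 4, 8), None),
    "Windows 7": (date(2020, 1, 14), date(2023, 1, 10)),
    "Windows 10": (date(2025, 10, 14), None),  # Windows 10 ESU not modelled here
}

# Per-device ESU price by program year, using the figures quoted in the article
# (assumed flat across editions for this illustration).
ESU_PRICE_USD = {1: 25, 2: 50, 3: 100}

# Constructed sample inventory (hostname, operating system, owning team).
SAMPLE_INVENTORY = """hostname,os,owner
fs01,Windows 7,finance
kiosk-03,Windows XP,lobby
ws-112,Windows 10,engineering
legacy-db,Solaris 10,it
"""


def support_status(os_name, as_of):
    """Return 'supported', 'esu-only', 'unsupported' or 'unknown' for os_name on as_of (ISO date)."""
    day = date.fromisoformat(as_of)
    if os_name not in END_OF_SUPPORT:
        return "unknown"  # not in the table: look it up before treating the host as safe
    eos, esu_end = END_OF_SUPPORT[os_name]
    if day < eos:
        return "supported"
    if esu_end is not None and day < esu_end:
        return "esu-only"  # free patches have stopped; only paid ESU remains
    return "unsupported"


def esu_year(os_name, as_of):
    """ESU program year (1, 2 or 3) the host is in on as_of, or None if ESU does not apply."""
    if support_status(os_name, as_of) != "esu-only":
        return None
    day = date.fromisoformat(as_of)
    eos, _ = END_OF_SUPPORT[os_name]
    # Count anniversaries of the end-of-support date that have already passed.
    full_years = day.year - eos.year - ((day.month, day.day) < (eos.month, eos.day))
    return full_years + 1


def classify_inventory(inventory_csv, as_of):
    """Map each hostname in the CSV inventory to its support status on as_of."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: support_status(row["os"], as_of) for row in reader}


def esu_bill(inventory_csv, as_of):
    """Total ESU cost in USD for the hosts that are esu-only on as_of."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    total = 0
    for row in reader:
        year = esu_year(row["os"], as_of)
        if year is not None:
            total += ESU_PRICE_USD[year]
    return total


if __name__ == "__main__":
    AS_OF = "2020-06-01"
    for host, status in classify_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{host:12} {status}")
    print("ESU bill this year (USD):", esu_bill(SAMPLE_INVENTORY, AS_OF))
```

Run against the constructed inventory on 2020-06-01, the file server shows as esu-only in ESU year 1, the XP kiosk as unsupported, the Windows 10 workstation as supported, and the Solaris box as unknown, which is the prompt to go and check that vendor's lifecycle page. In a real deployment the CSV would come from the asset management or endpoint tooling, and the table would be extended with every product the organization actually runs.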