Beware Windows 7 timebomb
IT could be Windows XP all over again. In 11 months, Microsoft will switch off security support for Windows 7.
When this happens, it’s open season for viruses and malware on Windows 7 laptops and PCs — Microsoft will not issue protection patches. They’ll only protect Windows 10, the current system.
In Ireland, around a third of PCs use Windows 7. This includes business and public sector machines. It includes hospitals, schools, utility companies, tax offices and government departments.
Even though it takes a year for a large state body or enterprise to migrate from Windows 7 to Windows 10, many of these organisations look likely to miss the January 2020 deadline.
When they do, taxpayers (or shareholders) will then have to pay thousands, or hundreds of thousands of euros, to Microsoft in special ‘extended support’ security fees if they don’t want to be sitting ducks for malware attacks.
Microsoft won’t officially yet say what these fees are. But the company is reportedly briefing its enterprise customers at present, details of which have leaked.
And the cost looks a little scary. For Windows 7 Pro, for example, it’s $50 per device ($25 for Windows Enterprise) for the first 12 months, $100 per device for the second 12 months and a whopping $200 per device for the next 12 months. (This, reportedly, is treated as an ‘add on’ for Windows 10 and Microsoft 365 customers.)
So an organisation with 1,000 PCs stuck using Windows 7 Pro will face an upfront security fee of $50,000, rising to $200,000 per annum if they don’t sort out upgrades in time.
Even 11 months from the deadline, we can be fairly confident that hundreds, if not thousands, of Ireland’s businesses and public sector bodies will end up paying these unnecessary premium fees.
Irish large organisations, especially those in the public sector, do not do infrastructure and planning well.
Aside from the risk of infection or paying out higher fees than necessary, there are other downsides to sticking with Windows 7.
“Under GDPR, you’re supposed to be using competent, up-to-date systems that are fully patched,” says Brian Honan, one of Ireland’s most senior security consultants. “If not, you’re potentially in breach.”
Honan acknowledges that migrating an operating system is not necessarily a straightforward thing to do.
“Moving from Windows 7 to Windows 10, in many cases, may require upgrading quite a bit of hardware,” he says. “There may be some significant additional costs. If you spent €20m on a medical device, you’re not going to replace that every couple of years. You might decide that it’s cheaper in the short term to just pay for extra support fees.”
The medical example is a case in point. The Wannacry virus of two years ago wreaked particular havoc in public sector institutions such as hospitals because much of its equipment was attached to unsupported Windows XP systems. The HSE, for example, had 1,500 systems using Windows XP because the specialist equipment such systems drove were single-purpose machines that cost millions.
A similar problem was faced by companies running devices such as ticketing machines, CCTV, ATMs and public signage. For big organisations, the cost to update all of this would typically be calculated in the millions rather than the thousands.
But Honan is in no doubt as to the potential for damage for companies that don’t get their act together soon.
“Potentially this could be similar to the Wannacry outbreak. There are probably similar numbers of machines that haven’t been upgraded. Once a piece of malware is in a large organisation, it can become rampant because there won’t be anything to stop it.”
With XP, Microsoft softened their ‘no support’ rule once or twice, in order to offer patches in particularly bad malware cases. But this is not to be expected again, the company’s Irish executives are warning.
“If they don’t purchase security updates, they don’t have any support,” says Shirley Finnerty, business group lead at Microsoft Ireland. “They leave themselves vulnerable to attacks and breaches.”
Finnerty warned that deployment of Windows 10 from Windows 7 “can take on average between three and 12 months, or longer depending on the size of the organisation” and that businesses, as a matter of urgency, “should be planning now”.
Other estimates put the implementation phase for companies at significantly longer than three months.
“According to Gartner, average migration projects for large enterprise organisations with more than 500 seats have been taking 21 months in the US,” says a recently-published report on the issue from the Irish consultancy Auxilion.
“In our experience, migrations from previous versions of Windows involving Irish organisations with more than 200 users took 12 months to complete on average. In almost every case, the migration time was much longer than initially anticipated by the client.”
The overall cost to Irish business, Auxilion reckons, could be as much as €200m.
Is this the new Y2K? No. But that won’t stop a clatter of soundbytes and headlines toward the end of 2019 from business lobbyists arguing that Microsoft is ‘bullying’ small businesses or that ‘the government’ should make Microsoft call off the upgrade deadline.
“It’s all a scam,” our outraged spokesperson will say. “They just want you to keep paying for unnecessary upgrades. Why can’t they just stick to one?”
They are. Windows 10 will be the last time this type of migration will happen. From now on, updates will be cloud-based.
So please, please don’t throw your arms up and act surprised in six months time about this.