Majority of SMBs using outdated Windows OS versions & email servers
3 July 2019
A large number of small and medium businesses (SMBs) are still using outdated versions of the Windows operating system, outdated email servers, and unpatched open source software that are rendering them vulnerable to cyber attacks and malware injections.
A recent study carried out by Alert Logic found that two out every three devices used by SMBs (66 percent) are running versions of the Windows operating system that have either expired, are unsupported, or are due to expire by January next year. Many of these devices run Windows versions that are over ten years old.
The high rate of use of expired and outdated versions of Windows OS is perplexing considering that Microsoft had offered a free upgrade to the latest Windows 10 operating system to users across the globe for a long period of time.
SMBs still using Exchange 2000 that expired ten years ago
The use of expired and outdated software is not restricted to the choice of the operating system among SMBs. Alert Logic found that more than 30 percent, or almost a third of them, are still using Exchange 2000, an email server which has been unsupported for nearly ten years.
“Once the operating system is no longer supported by Microsoft, no further research is done to identify or resolve vulnerabilities, and no new patches are developed to fix flaws in the operating system. Running outdated and unsupported operating systems exposes these SMBs to significant risk.
“In addition, most regulatory and industry compliance frameworks require than operating systems are patched and up to date, which means that running an unsupported operating system makes compliance impossible,” says Tony Bradley, Senior Manager of Content Marketing for Alert Logic.
Thanks to the widespread adoption of digitisation in recent years, SMBs are using more open source software and internet-connected devices than ever before. However, many open-source software tools are difficult to patch even if they are embedded in IT networks and automated updates to components have failed to improve software patching. SMBs are also struggling to respond to encryption-related configuration issues with just 13 encryption-related configuration issues accounting for 42% of all security issues found.
According to Alert Logic, as many as 75 percent of unpatched vulnerabilities in IT networks owned by SMBs are more than one year old, indicating that SMBs are failing to patch vulnerabilities even if they are known to them. The firm believes that the main reason for this is the continued lack of skilled cyber security personnel.
SMBs should outsource cyber security to security firms
“The continued lack of skilled cybersecurity professionals affects organisations of all sizes, and small and midsize businesses are at greater disadvantage because they can’t scale like large organisations can.
“These organisations will greatly benefit from partnering with providers who can augment their limited teams with threat intelligence and experts to be more secure and compliant,” said Onkar Birk, Senior Vice President of Product Strategy and Engineering at Alert Logic.
He added that SMBs should delegate the task of cyber security to firms that offer cost-conscious security options to reduce risks and improve security credentials of an IT network. This way, they will be able to enjoy the level of security that is traditionally enjoyed by Fortune 500 companies.
Even though large organisations face more cyber attacks every day because of the large amounts of data and intellectual property they hold, small and medium businesses also suffer constant attacks as many of them form the supply chain of larger organisations and as a result, hold critical data that could be of use to hackers.
Between 2016 and 2017, as many as 875,000 small and medium businesses in the UK suffered cyber breaches with a least one in every four such businesses (23%) in London suffering breaches. As a result of these attacks, while 21 percent of SMBs suffered over £10,000 in costs, 11 percent of them suffered losses in excess of £50,000.