Two days ago, I finally gave up Windows 7. I don't dislike Windows 10, but there's just always been something special about Windows 7. It was svelte. It actually ran faster and took up less hard drive space than its predecessor, the much-maligned Windows Vista. It looked great. We Windows users could finally hold our heads a little higher around Mac users. And, well, I didn't know how well Windows 10 would work on that old Windows 7 laptop, or how much time it would take to make the transition.
But Microsoft forced my hand. Tuesday is the last day that Microsoft will support Windows 7. "If you continue to use Windows 7 after support has ended, your PC will still work, but it will become more vulnerable to security risks and viruses," the company says. In other words, if you don't want to leave your computer open to ransomware and other threats, you better upgrade.
I was far from alone in my procrastination. A poll of IT professionals last year by Spiceworks, a social and online network for the IT industry, found that 79 percent of respondents still had at least one Windows 7 machine in their organization. About 25 percent said they didn’t expect to finish upgrading by now. Updates are always painful for large organizations. Many companies, nonprofits, and government agencies probably will keep running Windows 7 despite the risks and despite having had years to plan for the transition.
Organizations tend to overestimate how quickly they'll migrate to newer operating systems. In a 2013 poll by Spiceworks, 26 percent of respondents projected that they wouldn't migrate away from Windows XP before Microsoft ended support for that operating system in 2014. But Spiceworks found that about 32 percent of respondents were still running at least one machine with Windows XP last summer.
Fortunately for me, my upgrade to Windows 10 was pretty easy. And Microsoft says it will fix particularly important security issues for users who shell out for "extended support"; the company has been known to release security fixes even after it has officially stopped supporting a product.
IT departments can take steps to protect systems that are no longer supported. But they need to be proactive. "If organizations put their heads in the sand, they're going to get bit," says Chris Tillett, senior security engineer at information security company Exabeam. "You could be reading that your local hospital is sending your data to some criminal enterprise."
Why Companies Don't Update
Windows 7 was released in 2009. It was followed by Windows 8 in 2012 and Windows 10—the current version—in 2015 (there was no Windows 9). That might sound like plenty of time for organizations to migrate, but it’s never that simple. Some organizations may not want to—or be able to—shell out for new hardware and software. Plus, Windows 8 was notoriously unpopular because it didn’t have the traditional "Start" button. Many IT departments didn't want to support the operating system for fear that their help desks would be flooded by questions from confused users, says Peter Tsai from Spiceworks. That means PCs purchased as recently as 2015 may still be running Windows 7.
The biggest reason organizations hold on to older operating systems, Tsai says, is the need to run older "legacy" software that might not run correctly on newer operating systems. Backwards compatibility has long been a big priority for Microsoft, but it's not possible to guarantee everything that ran on older versions of Windows will work on a new version. Marc Capellupo, another Exabeam security engineer, says security improvements in Windows 10 might prevent some older applications from working correctly if they try to access parts of the operating system that are now locked down. The only way to be sure that old software works with new systems is to test it, and that takes time and resources. Even if an application will work flawlessly on Windows 10, an organization might delay an upgrade until it's been thoroughly tested. At large companies, with hundreds of thousands of users, an update from one version of an operating system to another can take years, Tillett says.
It’s getting easier to migrate applications from one operating system to another, Tsai says, because newer software is often web-based or built with cross-platform tools like the Java programming environment. But many industries, such as utilities, manufacturing, or financial services, still use decades-old software that can't easily be replaced, says Jason Christopher, principal cyber risk adviser at the industrial technology security company Dragos.
When millions of dollars, or people's lives, are on the line, companies are reluctant to replace software that still works, even if that means having to run outdated operating systems. Some companies still have ancient IBM mainframes, and others might run MS-DOS in virtual machines.
In cases where organizations have to run old, unsupported software and operating systems, IT departments typically do their best to secure systems in ways that don't depend on getting security updates from Microsoft. One of the most common strategies, Christopher says, is to isolate outdated systems from the internet or from other parts of the network.
For many companies looking to keep their systems safe, one answer will be still more software. According to Spiceworks, 59 percent of IT pros expect to use artificial intelligence or machine learning to detect security threats.