Support for Microsoft Windows 7 will soon be coming to an end, and organizations must take proactive steps now to be properly prepared for the change. After Jan. 14, 2020, Microsoft will no longer provide security updates or technical support for devices that continue to run its popular operating system.
This means workstations running Microsoft Windows 7 will not receive patches going forward, and organizations that keep running the system will do so at their own risk. “You can continue to use Windows 7, but once support ends, your PC will become more vulnerable to security risks,” Microsoft states on its website. “Windows will operate, but you will stop receiving security and feature updates.”
Implications for financial institutions
The imminent “end of life” of Microsoft Windows 7 is a serious issue. Once Windows 7 reaches the end of its lifecycle, users will need to upgrade to a new operating system such as Windows 10 to ensure the safety of their workstations.
The situation is even more crucial for banks and credit unions, which are some of the most highly regulated businesses worldwide. Auditors and examiners will be searching for computers running Windows 7 and will note them in their reports. To prevent such findings and write-ups, the IT staff at financial institutions should implement measures now.
For instance, bank IT staff should carefully review patch management reports monthly for all their devices and remedy any exceptions. Patches—software updates designed to repair known vulnerabilities or security weaknesses in applications and operating systems—are critical to reducing security incidents in financial institutions. In the Supervisory Insights publication, the FDIC indicated that an effective patch-management program should include written policies and procedures to identify, prioritize, test, and apply patches in a timely manner.
The FDIC also stressed the importance of replacing end-of-life products, stating: “An effective program also should use information received from threat intelligence sources that report on identified vulnerabilities. Bank management should be aware of products reaching or at the end-of-life or those no longer supported by a vendor. Management should also establish strategies to migrate from unsupported or obsolete systems and applications and, in the interim, implement strategies to mitigate any risk associated with the use of unsupported or obsolete products.”
Options for addressing the issue
Auditors and examiners rarely allow devices with obsolete operating systems to remain on a network. So, organizations must adopt strategies to effectively address the end of the Windows 7 lifecycle. Microsoft recommends several options to remedy the situation, including upgrading existing devices to Windows 10, purchasing new devices with Windows 10/Windows 10 Pro already installed, or using Microsoft 365 for Business/Enterprise. Regardless, the decision to upgrade or replace workstations calls for a thoughtful cost-benefit analysis.
Some experts advocate switching out machines that are at least two years old as their performance will decline and they will need to be replaced eventually. But if a PC is less than two years old—or replacement is currently not an option—installing Windows 10 Pro would be a better solution. This requires paying a one-time, minimal license fee—currently $199—for each machine being upgraded.
Microsoft Windows 10 Pro is rolled out in different “builds” or versions, which are included with the purchase of a license. Running the most up-to-date version of the product can cause software compatibility issues, so it is often safer to stay one build update behind. For example, it would be ideal to upgrade to version 1803 of Windows 10 now and version 1809 in the fall.
PCs that are not running an upgraded—or at least patched—Microsoft Windows operating system will be more exposed to cyberattacks. Thankfully, the use of firewalls and other layered security tactics can prevent a single machine from compromising overall security. Still, Windows 7 end of life poses a potential security risk that financial institutions must navigate effectively to continue operating successfully.
Banks and credit unions will have to switch to the latest Microsoft Windows system eventually, but the cost and effort involved are minimal. And taking this step sooner rather than later can save time, thwart hackers—and avert auditor write-ups. To make the process as painless as possible, institutions can hire a third-party provider to handle every aspect of making the necessary PC upgrades and/or replacements.