A study that spanned 20 different industries found that 2,000 organizations run more than 50 percent of their computers on outdated versions of an operating system, making them almost three times as likely to experience a publicly disclosed breach, according at a new report from BitSight.
Within the healthcare/wellness industry, examining 2,935 organizations, about 15 percent of the computers used in this sector were running outdated versions of MacOS or Windows operating systems, according to the report, and about 16 percent of the computers examined for this report within the healthcare industry were using outdated Internet browsers.
What’s more, given the way that cyber criminals have exploited outdated systems to carry out massive attacks, such as with the recent WannaCry ransomware attack, the researchers conclude that outdated mobile devices may pose the next big cyber threat for companies.
BitSight, a vendor risk management software provider, analyzed more than 35,000 companies from a span of industries, including healthcare, over the last year to better understand the usage of outdated computer operating systems and internet browsers, the time to it took to update operating systems once a new release was made available, and how these practices correlate to data breaches. The data, presented in the report “Growing Risk Ignored: Critical Updates,” indicates that there are large gaps in asset management programs across the globe.
The conclusion of this research coincides with “WannaCry,” a strain of ransomware that affected over 300,000 computers worldwide across banks, hospitals, telecommunications services, and train stations, while also disrupting the global supply chain network of many other critical services. Despite the availability of a critical patch months prior to the attack, many companies neglected to download the Microsoft update.
The key findings from the report, across all the industries, include:
- Over 8,500 organizations have more than 50 percent of their computers running an out-of-date version of an Internet browser, doubling their chances of experiencing a publicly disclosed breach
- More than 25 percent of the computers used in the Government sector were running outdated MacOS or Windows operating systems, with nearly 80 percent of these outdated systems comprised of MacOS
- In March of this year, two months before the WannaCry ransomware attack, nearly 20 percent of computers examined in this report that were running Windows were using Windows Vista or XP, both of which did not have a patch available and are no longer officially supported by Microsoft
- A month after each macOS Sierra point release is announced, more than 35 percent of companies fail to upgrade to the latest version, potentially exposing the systems to vulnerabilities during that time
The report authors wrote, “The recent WannaCry ransomware attack brought to light the link between outdated systems on corporate networks and the probability of cyber criminals gaining access to a company’s data. However, the problem has existed for quite some time.”
Researchers examined more than 35,000 companies and found that over 8,500 of these organizations were running at least 50 percent of their computers on older Internet browsers (i.e. not the most up-to-date versions), making them more than twice as likely to experience a publicly disclosed breach compared to companies with less than 50 percent of their computers running out-of-date browsers.
Researchers also found that when organizations had more than 50 percent of their computers running outdated versions of an operating system, they were nearly three times as likely to experience a breach than organizations with less than 50 percent of their computers on an outdated version of an operating system.
Drilling down into specific industries, researchers examined seven major industries, including Education, Government, Retail, Healthcare, Finance, Legal, and Energy. They found that among these industries, Education and Government had the highest usage rate of outdated operating systems and Internet browsers. In fact, more than 25 percent of the computers used in the Government sector (including state and local government) were running outdated versions of MacOS or Windows operating systems. This industry also had a high rate of outdated Internet browsers. More than 25 percent of the Internet browsers in this industry were not the most up-to-date versions.
Further, the report authors wrote that although Finance has been a top performer in previous research, this new study found that the financial sector performs in line with Healthcare and Retail when it comes to outdated operating systems and Internet browsers. “An estimated 15 percent of computer operating systems and browsers are out of date in each of these industries. These are important findings because they suggest that although Healthcare and Retail companies have made most of the headlines for their exposure to recent ransomware attacks, the Financial sector may be vulnerable to similar cyber attacks in the future as a result of their use of outdated systems,” the report authors stated.
The report offers a number of recommendations:
- Apply critical system updates and monitor your attack surface from the outside
- Update Internet browsers
- Continuously monitor and evaluate your third parties
- Understand the business impact of cybersecurity decisions
The researchers conclude in the report that although companies have advanced their approach over the years, the study found that thousands of companies are using outdated operating systems and Internet browsers, increasing their chances of experiencing a publicly disclosed data breach.
“Looking ahead, could mobile devices become the next target for hackers? Given the way that cyber criminals have exploited outdated systems to carry out massive attacks, outdated mobile devices may pose the next big cyber threat for companies. Further research should shed light on this issue and arm companies and their third parties with the necessary insight to protect their networks from the next attack,” the report authors wrote.
