Thousands of Orgs Still Run Outdated OS, Post-WannaCry

More than 2,000 organizations run more than 50% of their computers on outdated versions of an operating system, making them almost three times as likely to experience a publicly disclosed breach.

The research, from BitSight, also found that more than 25% of the computers used in the government sector were running outdated MacOS or Windows operating systems, with nearly 80% of these outdated systems comprised of MacOS.

The report coincides with “WannaCry,” a strain of ransomware that affected over 300,000 computers worldwide across banks, hospitals, telecommunications services and train stations, while also disrupting the global supply chain network of many other critical services. Despite the availability of a critical patch months prior to the attack, many companies neglected to download the Microsoft update.

In March of this year, two months before the WannaCry ransomware attack, nearly 20% of computers examined in the report were running Windows, using Windows Vista or XP, both of which are no longer officially supported by Microsoft and thus did not have a patch available.

“The WannaCry attack brought to light the threat posed by outdated systems on corporate networks,” said Stephen Boyer, co-founder and CTO of BitSight. “Our researchers found that thousands of companies across every industry are using endpoints with outdated operating systems and browsers.”

BitSight analyzed more than 35,000 companies from industries across the globe over the last year. To look at the spread of operating systems and internet browsers, researchers studied over 1.5 billion observations over a period of eight months, focusing on operating systems from Apple and Microsoft, along with internet browsers including Firefox, Chrome, Safari and Internet Explorer.

Also, the analysis uncovered that after each macOS Sierra point release is announced, more than 35% of companies fail to upgrade to the latest version within a month, potentially exposing the systems to vulnerabilities during that time.

 In addition to the OS issue, the firm also found that more than 8,500 organizations have more than 50% of their computers running an out-of-date version of an Internet browser, doubling their chances of experiencing a publicly disclosed breach.

“Research and analysis of organizational endpoint configuration and vulnerabilities suggests that unless companies begin to take a proactive approach to updating their systems, we may see larger attacks in the future,” Boyer said. “Endpoint information, made available in the BitSight Security Ratings portal, can serve as a key metric for executives, board members, insurers, and security and risk teams to understand and mitigate the risks of their insureds or their vendors.”

What’s Hot on Infosecurity Magazine?