Software and hardware often have well-defined lifecycles that define how long the manufacturer has committed to providing support, feature updates – and most importantly – security updates to address vulnerabilities. Once the manufacturer states support has ended for a product, they do not have to (and often do not) release any further security updates, regardless of the severity of security problems.
Windows 7 was last supported in January 2020, after which there is no obligation for Microsoft to patch any holes. As new vulnerabilities are discovered, they remain unaddressed. Bad actors then have a set of known vulnerabilities to exploit that will likely never be patched. All it takes is one machine getting compromised.
End of life firmware and/or hardware is equally troublesome, but often overlooked because they occur in devices that are often not frequently managed and have no automatic update feature. Despite all of this, these types of devices tend to be critical infrastructure and sometimes exposed to the public Internet, which increases the odds of a remote attack. Simply put, some of these devices are first or last lines of defense, such as firewalls, routers, or layer 3 switches. Some give access to hardware and power controls in the form of integrated management, which can have real consequences.In terms of potential costs to your bottom line, there are many. Even if your network isn’t compromised, you may find yourself as the subject of your large customers’ security controls audit, causing your business to become a non-preferred vendor or even cutting off the flow of orders entirely until you are in compliance. A common metric is whether a vendor is running any unsupported and/or end of life products because this is in fact a large risk factor.
In addition, your company may find that it is either impossible or extremely expensive to obtain and keep various forms of insurance, such as cyber security or even more general types of coverage, some of which may be mandated by customers.
With an actual breach come many things – from the negative exposure and reputational harm of mandated data breach reporting to the material costs of recovering and/or reconstructing business data. This expense alone can be staggering, reaching into the tens of thousands or more. This is without factoring in associated downtime, overtime, lost production, or loss of revenue.
The capital and operating expenditures on keeping things current, patched, and supported pale in comparison.