SMEs Run Outdated & Vulnerable Operating Systems

Uploaded on 2019-07-19 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Resilience

New research underscores security weaknesses in small-to medium sized businesses, including a dependence on antiquated Microsoft operating systems, encryption misconfigurations, poor patching regimes, and reliance on outdated Exchange 2000 email servers.

The findings, recently published by Alert Logic, demonstrate how resource-strapped SMBs increasingly are vulnerable in the face of today's cyber threats.

Some 66% of SMB devices surveyed run Microsoft OS versions that are expired or will expire in the next six months. The majority of devices scanned by Alert Logic for the study currently run Windows versions that are more than 10 years old. 

Microsoft will discontinue support for Windows 7 and Windows 2008 Server on January 14, 2020.

"What we suggest is for SME security pros to read the report, understand it, and then take the findings to their management so business executives can better understand why it's important to make an investment in security," says Jack Danahy, senior vice president for security at Alert Logic. 

"If they even do one thing, focusing on patching will make a big difference. They should also put a mitigation control in for better monitoring.”"

Alert Logic also found other weak security practices by SMBs:

Encryption Misconfigurations
According to the Alert Logic research, 42% of SMB security issues are related to encryption. 
While automated patching has helped to reduce the frequency of vulnerabilities, configuration remains a major issue. This includes misconfiguring SSL encryption, not configuring Amazon S3 buckets properly, and providing improper access credentials to employees.

Poor Patching 
75% of unpatched vulnerabilities, among SMBs, are more than one-year old, according to the research. 
While automated updates have improved software patching, organisations are still having difficulty keeping up with all the updates.

Antiquated Email Servers
More than 30% of SMB email servers operate on unsupported software, according to the research. Despite email being the lifeblood of most companies, almost one-third of the top email servers detected were running Exchange 2000, which Microsoft stopped supporting nearly 10 years ago. 

Frank Dickson, research vice president at IDC who focuses on security, adds that there are four practical steps that SMB can take to avoid security mishaps: make sure the company's operating systems and applications are current; patch regularly; download all the updates (new versions of software); and use some form of multifactor authentication, whether it's a finger scan, facial recognition, or an iris scan.

"So many of the problems can be solved by taking some common sense steps," he says. Alert Logic's Danahy adds that many of the same problems existed 20 years ago, but people were less familiar with security issues.

"While I do think people underappreciate the complexity of an organisation changing their operating system, I think we're at a point where people are starting to look at security differently," Danahy says. "The SMB folks recognise that security has become a serious challenge."

Dark Reading

You Might Also Read: 

SMEs Risk Costs Of Up To $2.5m Following A Breach:

Most Cyber Insurance Claims Result from Human Error:

« Ten Reasons Why Senior Managers Need To Understand Cyber Security
AI Could Transform Submarine Warfare »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Micro Systemation AB (MSAB)

Micro Systemation AB (MSAB)

MSAB is a leader in the provision of forensically secure tools for the extraction and analysis of data from mobile devices.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

CERT-PA

CERT-PA

CERT-PA is the national Computer Emergency Response Team for Italian government institutions.

Karlsruhe Institute of Technology (KIT)

Karlsruhe Institute of Technology (KIT)

KIT is a leading research and education institutions with strong capabilities in information systems and security.

Junglemap

Junglemap

Junglemap provide nanolearning training courses on ransomware, information security and GDPR.

PrivateVPN

PrivateVPN

PrivateVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

IT Career Switch

IT Career Switch

An IT Career Switch Traineeship is the easiest way to start a new career in IT or Cybersecurity with fantastic career prospects.

Women in CyberSecurity (WiCyS)

Women in CyberSecurity (WiCyS)

Women in CyberSecurity (WiCyS) is a non-profit organization dedicated to the recruitment, retention and advancement of women in the cybersecurity field.

CyberSaint Security

CyberSaint Security

CyberSaint’s CyberStrong Platform empowers organizations to implement automated, intelligent cybersecurity compliance and risk management.

Secure Digital Solutions (SDS)

Secure Digital Solutions (SDS)

Secure Digital Solutions is a leading consulting firm in the business of information security providing cyber security program strategy, enterprise risk and compliance, and data privacy.

EVOKE

EVOKE

EVOKE is an award-winning Digital Transformation company that partners with its clients to build digital workplace solutions for organizational challenges.

NetRise

NetRise

NetRise was founded as a direct result of the many shortcomings currently in the device security market, specifically targeting the firmware of devices.

AFRY

AFRY

AFRY is a world leading engineering company, trusted as a supplier of services and solutions within the industry, energy, and infrastructure sectors as well as for authorities.

Protega

Protega

Protega is a company specialized in Managed Cybersecurity Services (MSS) & SOC 24×7; management, risk & compliance (GRC); implementation of data protection technologies; and Red Team services.

Secure Enterprise Engineering (SEE)

Secure Enterprise Engineering (SEE)

SEE provides disruptive cybersecurity system engineering, architecture, and operational capabilities to make our customer’s missions execute faster, smarter, and more securely.