SMEs Run Outdated & Vulnerable Operating Systems

New research underscores security weaknesses in small-to medium sized businesses, including a dependence on antiquated Microsoft operating systems, encryption misconfigurations, poor patching regimes, and reliance on outdated Exchange 2000 email servers.

The findings, recently published by Alert Logic, demonstrate how resource-strapped SMBs increasingly are vulnerable in the face of today's cyber threats.

Some 66% of SMB devices surveyed run Microsoft OS versions that are expired or will expire in the next six months. The majority of devices scanned by Alert Logic for the study currently run Windows versions that are more than 10 years old. 

Microsoft will discontinue support for Windows 7 and Windows 2008 Server on January 14, 2020.

"What we suggest is for SME security pros to read the report, understand it, and then take the findings to their management so business executives can better understand why it's important to make an investment in security," says Jack Danahy, senior vice president for security at Alert Logic. 

"If they even do one thing, focusing on patching will make a big difference. They should also put a mitigation control in for better monitoring.”"

Alert Logic also found other weak security practices by SMBs:

Encryption Misconfigurations
According to the Alert Logic research, 42% of SMB security issues are related to encryption. 
While automated patching has helped to reduce the frequency of vulnerabilities, configuration remains a major issue. This includes misconfiguring SSL encryption, not configuring Amazon S3 buckets properly, and providing improper access credentials to employees.

Poor Patching 
75% of unpatched vulnerabilities, among SMBs, are more than one-year old, according to the research. 
While automated updates have improved software patching, organisations are still having difficulty keeping up with all the updates.

Antiquated Email Servers
More than 30% of SMB email servers operate on unsupported software, according to the research. Despite email being the lifeblood of most companies, almost one-third of the top email servers detected were running Exchange 2000, which Microsoft stopped supporting nearly 10 years ago. 

Frank Dickson, research vice president at IDC who focuses on security, adds that there are four practical steps that SMB can take to avoid security mishaps: make sure the company's operating systems and applications are current; patch regularly; download all the updates (new versions of software); and use some form of multifactor authentication, whether it's a finger scan, facial recognition, or an iris scan.

"So many of the problems can be solved by taking some common sense steps," he says. Alert Logic's Danahy adds that many of the same problems existed 20 years ago, but people were less familiar with security issues.

"While I do think people underappreciate the complexity of an organisation changing their operating system, I think we're at a point where people are starting to look at security differently," Danahy says. "The SMB folks recognise that security has become a serious challenge."

Dark Reading

You Might Also Read: 

SMEs Risk Costs Of Up To $2.5m Following A Breach:

Most Cyber Insurance Claims Result from Human Error:

« Ten Reasons Why Senior Managers Need To Understand Cyber Security
AI Could Transform Submarine Warfare »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Virus Bulletin

Virus Bulletin

Virus Bulletin is an online security information portal and certification body, providing users with independent intelligence about the latest developments in the global threat landscape.

IT GRC Forum

IT GRC Forum

The IT GRC Forum is an online resource and networking platform for the Governance, Risk Management, and Compliance (GRC) community

Security Stronghold

Security Stronghold

Security Stronghold is focused on protecting computers from malicious programs like viruses, Trojans, spyware, adware, trackware, keyloggers and other kinds of online threats.

DKCERT

DKCERT

DKCERT (Danish Computer Security Incident Response Team) is a service of DeIC (Danish e-Infrastructure Cooperation).

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

Excellium Services

Excellium Services

Excellium’s Professional Services team combines expertise and experience that complements your in-house security resources.

Styra

Styra

Styra allows companies to secure cloud environments and applications, including those built on the popular Kubernetes open-source cloud platform.

Desec Security

Desec Security

Desec's training platform allows professionals around of the world to acquire knowledge and practical experience in Information Security.

Lifespan Technology

Lifespan Technology

Lifespan Technology provides the full range of IT Asset Disposition services. This includes hardware recycling and disposal, data destruction, and hardware resale.

2Keys

2Keys

2Keys designs, deploys and operates Digital Identity Platforms and Cyber Security Platforms through Managed Service and Professional Service engagements.

Ensighten

Ensighten

Ensighten is a leader in Website Security & Privacy Compliance. Protect your website from malicious attacks, monitor & detect vulnerabilities, protect consumer data.

Institute for Pervasive Cybersecurity - Boise State University

Institute for Pervasive Cybersecurity - Boise State University

Boise State University’s Institute for Pervasive Cybersecurity is a leader of innovative cybersecurity research and advancement in Idaho and the region.

Ping Identity

Ping Identity

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That’s digital freedom.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

Badge

Badge

Badge authenticates you on-demand for every application, on any device, without storing any secrets.

Cloudbrink

Cloudbrink

Cloudbrink is purpose-built to deliver the industry’s highest performance connectivity to remote and hybrid workers, anywhere in the world.