SMEs Run Outdated & Vulnerable Operating Systems

New research underscores security weaknesses in small-to medium sized businesses, including a dependence on antiquated Microsoft operating systems, encryption misconfigurations, poor patching regimes, and reliance on outdated Exchange 2000 email servers.

The findings, recently published by Alert Logic, demonstrate how resource-strapped SMBs increasingly are vulnerable in the face of today's cyber threats.

Some 66% of SMB devices surveyed run Microsoft OS versions that are expired or will expire in the next six months. The majority of devices scanned by Alert Logic for the study currently run Windows versions that are more than 10 years old. 

Microsoft will discontinue support for Windows 7 and Windows 2008 Server on January 14, 2020.

"What we suggest is for SME security pros to read the report, understand it, and then take the findings to their management so business executives can better understand why it's important to make an investment in security," says Jack Danahy, senior vice president for security at Alert Logic. 

"If they even do one thing, focusing on patching will make a big difference. They should also put a mitigation control in for better monitoring.”"

Alert Logic also found other weak security practices by SMBs:

Encryption Misconfigurations
According to the Alert Logic research, 42% of SMB security issues are related to encryption. 
While automated patching has helped to reduce the frequency of vulnerabilities, configuration remains a major issue. This includes misconfiguring SSL encryption, not configuring Amazon S3 buckets properly, and providing improper access credentials to employees.

Poor Patching 
75% of unpatched vulnerabilities, among SMBs, are more than one-year old, according to the research. 
While automated updates have improved software patching, organisations are still having difficulty keeping up with all the updates.

Antiquated Email Servers
More than 30% of SMB email servers operate on unsupported software, according to the research. Despite email being the lifeblood of most companies, almost one-third of the top email servers detected were running Exchange 2000, which Microsoft stopped supporting nearly 10 years ago. 

Frank Dickson, research vice president at IDC who focuses on security, adds that there are four practical steps that SMB can take to avoid security mishaps: make sure the company's operating systems and applications are current; patch regularly; download all the updates (new versions of software); and use some form of multifactor authentication, whether it's a finger scan, facial recognition, or an iris scan.

"So many of the problems can be solved by taking some common sense steps," he says. Alert Logic's Danahy adds that many of the same problems existed 20 years ago, but people were less familiar with security issues.

"While I do think people underappreciate the complexity of an organisation changing their operating system, I think we're at a point where people are starting to look at security differently," Danahy says. "The SMB folks recognise that security has become a serious challenge."

Dark Reading

You Might Also Read: 

SMEs Risk Costs Of Up To $2.5m Following A Breach:

Most Cyber Insurance Claims Result from Human Error:

« Ten Reasons Why Senior Managers Need To Understand Cyber Security
AI Could Transform Submarine Warfare »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Galaxkey

Galaxkey

Galaxkey is a data protection product that protects email, documents and any data using access control and an encryption platform.

SAMATE

SAMATE

The Software Assurance Metrics And Tool Evaluation project is an inter-agency project between the US Department of Homeland Security and NIST.

Information-Technology Promotion Agency (IPA) - Japan

Information-Technology Promotion Agency (IPA) - Japan

IPA is an implementing agency in Japan with a role to address Information Security, IT Systems Reliability and IT Resource Development.

IBA Security

IBA Security

IBA Security is a center of competence consolidating the cybersecurity expertise of the IBA Group.

HorizonIQ

HorizonIQ

HorizonIQ (formerly Internap Corp / INAP) maximizes efficiency and innovation with flexible infrastructure solutions.

FileWave

FileWave

FileWave offers a single solution for managing apps, devices, and more for Mac, Windows, and mobile devices.

Corsa Security

Corsa Security

Corsa Security is leading the transformation of network security with a private cloud approach that helps scale network security services with unwavering performance and flexibility.

RIT Global Cybersecurity Institute

RIT Global Cybersecurity Institute

At RIT's Global Cybersecurity Institute, we educate and train cybersecurity professionals; develop new cybersecurity and AI-based knowledge for industry, academia, and government.

Cybertronium

Cybertronium

Cybertronium is a leader in managing cyber risk. We bring you the latest from the complex, ever-evolving online threat environment with the insights to inspire and the expertise to act.

Utimaco

Utimaco

UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions.

Akamai Technologies

Akamai Technologies

Akamai's leading security, compute, and delivery solutions are helping global companies make life better for billions of people, billions of times a day.

Cambridge International Systems

Cambridge International Systems

For more than 25 years, Cambridge has been fighting bad actors in both the cyber and physical worlds.

Converged Communication Solutions

Converged Communication Solutions

Converged is an independent Internet Service Provider, telephony, IT support and security specialist.

QPoint Technologies

QPoint Technologies

QPoint provides solutions and consulting in areas including software engineering, testing, cybersecurity, ICT, web, mobile, project management, and complex integration processes.

Secomea

Secomea

Secomea redefines manufacturing plant security by combining internationally recognized industry best practices as critical components of our robust cybersecurity strategy.

Cyberus

Cyberus

Cyberus brings together industry, business, and government to collaboratively create a secure digital future for Russia and the world.