Windows 7 Will Go Out of Compliance as it Goes End of Life (EOL)
There have been many articles that cover how Windows 7 will make your computer more vulnerable to malware. When the system goes end-of-life in January 2020, Microsoft will stop issuing security updates for all but the most severe issues, leaving its legacy systems undefended.
Viruses and malware are far from the only thing that you’ll have to worry about once Windows 7 goes EOL. Corporations dealing with healthcare information, credit card numbers, financial information, or data from EU citizens may be subject to strict compliance requirements. Storing your data on an end-of-life system may violate these requirements in any number of ways.
Storing Data on an EOL System is a Great Way to Lose It
What happens when you store data on a computer whose operating system has gone end-of-life?
The first answer is “nothing good.” As time goes on, the computer will become more susceptible to bugs and errors, which increases the risk of catastrophic data loss. The longer you store your data on an end-of-life system, the more likely it is that you’ll lose it.
You might think that this problem is what backup and disaster recovery programs are for – and you’re right! Except, of course, that your backup and disaster recovery programs are most likely built to work with supported operating systems. Are you willing to take the chance that your modern backup and recovery tool won’t work with an EOL system?
This risk goes double for non-accidental disasters – e.g. viruses and malware. Having an EOL system means that it will be that much easier for attackers to break through your defenses and steal your data. It also means that a ransomware attacker will find it much easier to locate and delete your backups.
What Does Losing Data Have to Do with Compliance?
Three words: data retention requirements.
The Bank Secrecy Act prevents banks from enabling tax evasion, money laundering, and other forms of corruption. It requires banks, casinos, and other financial institutions to preserve their customer records for at least five years. Banks and ATM vendors, coincidentally, are among those experiencing a general delay in their Windows 10 implementations. If they lose customer data to obsolescence or malware, their employees could face criminal penalties or even spend time in prison.
Under HIPAA, covered entities are required to preserve relevant documentation for six years or more, while medical records are covered by state records retention laws – usually for around five years. Notably, the healthcare industry also has significant problems when it comes to upgrading their Windows 7 computers. By the January 2020 deadline, at least 70% of devices and computers in the healthcare industry will be running on out-of-date operating systems.
You’ll find that this is a common theme. Across the industries that are governed by compliance rules with data retention requirements, the companies that comprise those industries are having difficulty upgrading from Windows 7 to Windows 10. If this were a novel, we’d call it “foreshadowing.”
Data Retention Isn’t Your Only Problem
Even if your compliance regime doesn’t have specific guidelines about how long you should be storing data, you’re still going to encounter difficulties.
For example, PCI-DSS has some broad guidelines when it comes to data storage. Under PCI, your mandate is to protect stored cardholder data. Is cardholder data fully protected if it’s stored on a computer with a deprecated operating system? Technology best practices would suggest “no”. Also, fines for PCI violations are steep – some on the order of $100,000 a month until your security problems are addressed.
HIPAA and the GDPR also impose large fines on violators while providing a flexible definition of protection. You might store your data with perfect encryption, hide it behind a firewall, and protect it with strong antivirus…but if it’s stored on a Windows 7 PC, regulators will still be able to argue that you haven’t done your due diligence.
It’s Time to Upgrade Your Operating Systems
Most organizations try to make a point of storing customer and mission-critical data on systems other than desktops. Servers and cloud storage are more secure than desktops connected to the internet and subject to user error. You may think it doesn’t matter that your users are using obsolete desktops, because you make a point to centralize all the critical data.
Unfortunately, data creeps out of place. Users are the enemy of categorized data, and even an organized system is likely to find sensitive data saved to unsecured locations. In that case, it’s best that this displaced data is still protected by the most up-to-date operating system available.
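As an added example that is not part of the original article, the PowerShell script below does the two checks the preceding paragraphs call for: it inventories which hosts still report a Windows 7-era kernel (version 6.1), and it looks under user profiles for the kind of displaced regulated data that creeps onto desktops. The host names, the scan root, the output file name and the regular expressions are assumptions; the detection patterns are deliberately coarse heuristics meant to produce a review list, not a verdict.

```powershell
# Added example, not from the original article. Assumptions: the names in $Hosts are
# constructed samples, the running account has WMI/DCOM rights on them, and the
# profile root is the default C:\Users. Run from an administrative workstation.

# --- 1. Inventory: which hosts still run a Windows 7-era kernel? ---
$Hosts = @('WKS-FIN-01', 'WKS-HR-02')   # constructed sample; feed this from AD or your CMDB

# Windows 7 and Server 2008 R2 both report kernel 6.1 and leave extended support in January 2020.
$EolKernels = @{ '6.1' = 'Windows 7 / Server 2008 R2 (EOL January 2020)' }

# DCOM keeps the query working against hosts that never received WMF 3+, where WS-Man CIM fails.
$Dcom = New-CimSessionOption -Protocol Dcom

$Inventory = foreach ($h in $Hosts) {
    try {
        $session = New-CimSession -ComputerName $h -SessionOption $Dcom -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        Remove-CimSession $session
        $kernel = ($os.Version -split '\.')[0..1] -join '.'    # '6.1.7601' -> '6.1'
        $isEol = $EolKernels.ContainsKey($kernel)
        $note = if ($isEol) { $EolKernels[$kernel] } else { 'supported' }
        [pscustomobject]@{ Host = $h; Caption = $os.Caption; Version = $os.Version; IsEol = $isEol; Note = $note }
    } catch {
        [pscustomobject]@{ Host = $h; Caption = 'unreachable'; Version = ''; IsEol = $null; Note = $_.Exception.Message }
    }
}

$Inventory | Format-Table -AutoSize
$Inventory | Export-Csv -Path '.\eol-inventory.csv' -NoTypeInformation   # evidence for the compliance file

# --- 2. Displaced data: look under user profiles on a flagged host for regulated data. ---
# Coarse heuristics only; every hit needs human review before a retention or migration decision.
$Patterns = @{
    'PAN-like (16 digits)' = '\b(?:\d[ -]?){15}\d\b'
    'US SSN-like'          = '\b\d{3}-\d{2}-\d{4}\b'
}

function Find-DisplacedData {
    param([string]$Root = 'C:\Users')
    # Text-bearing formats only; Office binaries need a dedicated parser and are out of scope here.
    $files = Get-ChildItem -Path $Root -Recurse -File -Include *.txt,*.csv,*.log -ErrorAction SilentlyContinue
    foreach ($name in $Patterns.Keys) {
        # -List stops at the first match per file, so the output is one row per file and pattern.
        $files | Select-String -Pattern $Patterns[$name] -List -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = $name; Path = $_.Path; Line = $_.LineNumber } }
    }
}

# Run locally on a host the inventory flagged, or push it to each EOL host with Invoke-Command.
Find-DisplacedData | Format-Table -AutoSize
```

The inventory half gives you a dated list of machines that will fall out of support, which is the artefact an auditor asks for first; the scan half tells you whether those machines hold data that a retention rule covers, so the migration order can follow the risk rather than the hardware refresh cycle.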