Organizations that run more than half of their computers on outdated versions of an operating system are three times as likely to experience a publicly disclosed breach, new research found.
Over 35,000 companies from industries across the globe were analyzed over the last year to better understand the usage of outdated computer operating systems and Internet browsers, the time it took to update operating systems once a new release was made available, and how these practices correlate to data breaches, according to research conducted by BitSight. The data shows there are large gaps in asset management programs across the globe.
“The WannaCry attack brought to light the threat posed by outdated systems on corporate networks. Our researchers found that thousands of companies across every industry are using endpoints with outdated operating systems and browsers. Research and analysis of organizational endpoint configuration and vulnerabilities suggests that unless companies begin to take a proactive approach to updating their systems, we may see larger attacks in the future,” said Stephen Boyer, co-founder and chief technology officer of BitSight. “Endpoint information can serve as a key metric for executives, board members, insurers, and security and risk teams to understand and mitigate the risks of their insureds or their vendors.”
Key findings from the report include:
• Over 2,000 organizations run more than 50 percent of their computers on outdated versions of an operating system, making them almost three times as likely to experience a publicly disclosed breach.
• Over 8,500 organizations have more than 50 percent of their computers running an out-of-date version of an Internet browser, doubling their chances of experiencing a publicly disclosed breach.
• Over 25 percent of the computers used in the government sector were running outdated macOS or Windows operating systems, with nearly 80 percent of these outdated systems running macOS.
• In March, two months before the WannaCry ransomware attack, nearly 20 percent of computers examined in this report running Windows were using Windows Vista or XP, neither of which had a patch available and both of which are no longer officially supported by Microsoft.
BitSight applies algorithms to security incidents observed on networks to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk. The foundation of this research is the company’s ability to identify machine compromises, configuration and adoption of the latest patches, and user behavior across the Internet, and to attribute that information to companies.
To look at the spread of operating systems and Internet browsers, researchers studied over 1.5 billion observations over a period of eight months, focusing on operating systems from Apple and Microsoft, along with Internet browsers including Firefox, Chrome, Safari, and Internet Explorer.