If you would like to read the other parts in this article series please go to:
- The Risk of Running Obsolete Software (Part 1)
- The Risk of Running Obsolete Software (Part 3)
- The Risk of Running Obsolete Software (Part 4)
In Part 1 of this series, we looked at the troubling statistics that indicate many individuals and companies are still running Windows XP, Windows Server 2003, old versions of Internet Explorer and other software – not just Microsoft’s but from all software vendors – that is old, less secure and in some cases so obsolete that it isn’t even getting security updates anymore. We also discussed some of the security consequences of using out-of-date operating systems and applications, including the facts that hackers have had more time to discover its vulnerabilities, that it doesn’t have the newest security features and technologies, and that vulnerabilities that do get discovered won’t be fixed if the software lifecycle is expired. We also talked about how this can not only put the outdated system at risk but also other computers on the same local network and can even be used to attack computers on other networks over the Internet as part of a botnet.
In this, Part 2, we’re going to take up the topic of why – despite all these security consequences – people and businesses are still clinging to the past and continuing to use software that’s way past its prime. Then in Part 3, we’ll look at the software support lifecycle concept and how it plays into the problem, and finally we’ll get into some specifics about the dangers inherent in particular out-of-date operating systems, applications and devices.
Change is scary and hard
This is the simplest and one of the most common excuses given for letting software overstay its welcome. It’s well known that most people are resistant to change, even when the changes are clearly beneficial. Despite the cliché, familiarity more often breeds comfort than contempt. People fear the unknown, and they don’t trust strangers, whether that stranger is a human being or a computer program.
We can break that fear and mistrust down into more granular reasons. People who depend on their computers to get their work done are afraid that a brand new OS or mission-critical application will disrupt that process. What if the new version doesn’t work as well as the old one? What if some of their favorite features that they use and rely upon have been removed (as has been known to happen)? What if the interface isn’t as easy to navigate?
Closely related is the fear of personal humiliation. Even if the software works fine, is faster and crashes less often and still has all the old features plus some great new ones, what if those improvements make it so complicated that the user won’t be able to figure it out? One thing that people universally hate is being made to look or feel stupid, and there’s nothing like a new and radically redesigned computer OS or program to bring out that self-doubt and self-frustration. This is true even though logically we know that using any new tool always involves some degree of learning curve.
Learning, however, requires extra time and effort. Many users, even if they have no doubts that they’re capable of doing it, don’t want to put in that work to adapt to a new way of doing things. They might know that in the long run the new way will actually make them more efficient and make their jobs easier, but some people are lazy, some aren’t good managers of their time, and some people are just completely overloaded and busy already and under so much deadline pressure that they just don’t have any place in their schedules for getting up to speed on new software.
Resistance to change is especially strong when there’s no visible motivation to make the change. If the current software is working well, doing what it’s supposed to do, and there have been no negative security consequences thus far, many people are apt to take that as a sign that there’s no reason to upgrade. Gamblers know it’s a fallacy that past performance is an indicator of future results; that is, just because you’ve been lucky and escaped exploit or attack on your unpatched OS thus far, that doesn’t mean it won’t happen tomorrow. Good luck has a way of running out.
Upgrading is like a rickety bridge
One way to help ameliorate the fear of the “new” is to get acquainted with the unknown in a safe environment. Trying out the latest version of the OS or software before being plunged into it on your own machine can convince you that the new features really are worth it, that the old ones are still there and still work, that learning to get around on a “reimagined” interface really won’t take that long.
However, even once people know this, some may still be reluctant to upgrade. I’ve heard it over and over: “I really like Windows 10 [or the new version of Office, or the new browser] but I’m afraid something will go wrong during the upgrade and hose my system.” This fear isn’t entirely unfounded; almost all of us who have been working with computers for a long time have experienced the upgrade-gone-terribly-wrong at some point. It’s often simpler and safer to just wait until you need to replace the hardware, and buy computers (or new phones) that come preinstalled with the new operating system.
But that means that in the interim, you’re running an older OS and/or applications. (In many cases, of course, your application version will be limited by your operating system version, since newer versions of an application may not run on the older OS.) If your hardware proves to be especially hardy and your budget is especially tight, you might eventually find yourself in the unhappy position of seeing an announcement that support for your OS and/or applications is about to be dropped, which means no more security updates. You didn’t plan it that way; it just crept up on you as time has a way of doing.
The prospect of upgrading is a little like the thought of going across a rickety bridge to get from one side of the chasm to the other. Even though there are wildfires coming toward you on your side, and there’s a road to safety on the other side, you’re reluctant to set foot on that wobbly suspension bridge lest something bad should happen on the way across. Only when the flames are licking at their heels will some people finally be motivated to make the move.
Money matters: the practicalities of upgrading software (or not)
Another reason commonly given for failure to upgrade to the most recent and most secure software is that old bugaboo: cost. When upgrade licenses cost $100 or more per machine, this can be a significant outlay for businesses and even for home users who have several computers in the house.
It’s getting more difficult to justify that argument with the trend toward free OS upgrades; for example, Microsoft currently allows upgrades of Windows 7, 8 and 8.1 systems to Windows 10 at no cost. This includes the Professional editions but doesn’t apply to the enterprise editions; businesses that have volume licensing agreements can upgrade as part of the contract terms. The free upgrade offer is scheduled to end in July 2016, though. Obviously the intent is to motivate those running the older operating systems to upgrade sooner rather than later.
Even with free upgrade offers, though, the cost of upgrading extends beyond paying for the software itself. Whereas buying new hardware with the new and more secure OS already installed eliminates the risk of an upgrade disaster, it means a big capital expenditure. And you don’t always have a choice – sometimes the new software won’t run on the existing hardware (or at least not without replacing some of its components). That can be enough to deter many individuals and businesses from moving to the new software even if they have no qualms about the learning curve.
It’s also important to remember that even if you’re able to upgrade the existing hardware to the new software and even if the software is available at no cost, there can still be very real costs from the downtime during an upgrade, as well as costs associated with lost or reduced productivity while users get acquainted with the new software. Monetary considerations, then, can frequently be the reason for holding back on an upgrade, even though the costs that are associated with a security breach can be many times more than the cost of upgrading.
In this, Part 2 of our discussion of the risks that are inherent in using obsolete technology, we looked at the reasons people use to justify putting off an upgrade even when they know newer software would offer better security (and even, in some cases, when the software they’re using ceases to get security updates). Next time, in Part 3, we’re going to delve into the intricacies of the software support lifecycle and why it’s so important to be familiar with vendors’ roadmaps for the software on which your business mission depends.