At some point, all software will reach the end of its life. This means manufacturers will no longer develop or service the product, discontinuing all technical support, upgrades, bug fixes and security fixes. As a result, end-of-life (EOL) software will have known vulnerabilities that cybercriminals can easily exploit. This article discusses the risks of continuing to use EOL software and discusses best practices for organizations to mitigate this risk.
Risks of EOL
Known but unmitigated vulnerabilities are among the highest cybersecurity risks. One survey found that 60% of data breaches stemmed from unpatched known vulnerabilities. Another report found that 3 of 4 cyberattacks in 2020 exploited security vulnerabilities from 2017 or earlier.
Organizations may be hesitant to transition away from EOL software for a number of reasons, such as:
- New software lacks necessary features
- Limited resources
- Migration challenges
- Lack of accountability for replacing software
This is especially true when EOL systems are still functioning. However, continuing to use EOL software also comes with a myriad of risks, such as the following:
- Heightened cybersecurity risk—Without security fixes from the developer, EOL software becomes riddled with security hazards that hackers are often quick to exploit.
- Software incompatibility—New applications will be designed for current software, meaning EOL software is often unable to accommodate newer apps. Organizations that continue to use EOL software will likely have to hold onto legacy systems and applications even when newer and better versions become available. This poses additional risks, as out-of-date applications may soon reach EOL as well.
- Inability to stay in compliance with regulations—Regulations requiring companies to meet minimum data security standards are on the rise. As a result, organizations that use EOL software and fail to adequately protect sensitive customer data may be deemed noncompliant. Consequences may include fines or company shutdowns.
- High operating costs—Attempting to maintain, patch and bug-fix EOL software without developer assistance can be costly. In some cases, the cost of trying to patch EOL software may exceed that of replacing old software to begin with.
- Poor performance and reliability issues—If your organization is running out-of-date software, there is an increased likelihood that your software or systems could break down. Such failures can result in costly downtime and additional operating costs.
Proactive management is a necessary step to prevent unwelcome surprises and keep your organization secure.
Managing EOL Software
Although many organizations are prepared for the initial lifecycle stages that come with introducing new products, few businesses are prepared for what will happen when it inevitably comes time for these software components to be phased out. Consider the following tips for EOL management:
- Create a lifecycle management plan. Effective planning for EOL reduces cybersecurity vulnerabilities, lessens the risk of downtime and helps companies remain compliant with regulations. Your lifecycle management plan should include all aspects of a product lifecycle, beginning with the introduction of new software to EOL and extending to plans for phasing out unsupported software.
- Understand device history. Use device management software that will automatically capture important information about devices when they connect with the network (e.g., model number, IP address, certificate status). Such software can provide your organization with a highly detailed network overview and will enable your organization to push software and firmware updates, certifications and other necessary upgrades to thousands of computers on your network simultaneously.
- Monitor EOL status. Stay current on EOL notifications regarding all critical components of your organization. Most major suppliers have lifecycles for products and product components, including EOL dates. Best practices suggest reviewing the EOL dates of new software before selecting it for current use. Planning for EOL will help your organization avoid any surprises about when devices or software will no longer be supported, enabling your organization to plan and budget for the replacements.
- Maintain consistent cybersecurity practices. Ensure compliance with cybersecurity best practices. Some areas to consider include policies surrounding changing default passwords, password strength, compliance with regulations (e.g., Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard and National Defense Authorization Act) and how frequently risk levels are assessed.
- Communicate early and clearly. Inform customers of all upcoming EOL issues and your plans for addressing them. Being communicative and transparent can help your organization improve customer loyalty and trust during EOL transitions.
It’s evident that EOL software exposes organizations to heightened levels of risk. Additionally, many insurers will ask for information on EOL management as a prerequisite to obtaining cyber insurance. Through proper planning and device management, businesses can stay sufficiently protected against these known cyber vulnerabilities.
For more risk management guidance, contact us today.
This Cyber Risks & Liabilities document is not intended to be exhaustive notrshould any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. 2022 Zywave, Inc. All rights reserved.