search menu icon-carat-right cmu-wordmark

Introduction (Part 1 of 7: Mitigating Risks of Unsupported Operating Systems)

Katie C. Stewart
• Insider Threat Blog
Katie C. Stewart

Federal CIOs and CISOs are challenged with analyzing the risk of having unsupported operating systems on their networks and determining how to properly address this risk. In this blog series, I explain how an unsupported operating system can expose a network to attack and what steps your organization can take to mitigate this risk.

The recent WannaCry ransomware campaign affected many organizations; there were reports of tens of thousands of infections in over 150 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The WannaCry worm targeted Windows operating systems, and organizations running unsupported versions of Windows were unable to deploy Microsoft's patches.

How vulnerable is unsupported software? In 2014, Microsoft estimated that malware infections jumped 66 percent once support for Windows XP SP2 stopped. According to NetMarketShare, 7% of the world's PCs still run Windows XP in 2017, even though support for it ended in 2014. And Microsoft Windows is only one example.

Upgrading to supported operating systems is expensive, and many organizations do not have the IT budget to appropriately update all their legacy operating systems. So some organizations weigh the cost of upgrading against the chance that their systems will be breached and choose to keep the unsupported software on their networks. In the current evolving threat environment, your organization should not take this approach for the long term. Instead, you should take five actions to ensure your organization's cybersecurity and address the risks of having unsupported software:

  1. Define your risk tolerance.
  2. Manage your software inventory.
  3. Upgrade, retire, or replace unsupported software.
  4. Establish and maintain whitelists.
  5. Create and enforce a policy to manage unsupported software.

In the coming weeks, I will explain each of these actions in a series of seven blog posts. Check back next week to read the next post about defining the amount of risk your organization is willing to accept. You can also subscribe to a feed of the Insider Threat Blog to be alerted when a new post is available.

For more information about risk and resilience in your organization, see, or contact me at

About the Author