Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly. BitSight has now published the results of a study that sought to quantify the risk from tardy updates and delayed software upgrades.

For the study, BitSight analyzed the correlation between data breaches and the continued use of old operating systems, such as Windows 7, Windows Vista and Windows XP, and old versions of web browsers.

Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers.

2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers.

BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations running out of date operating systems were three times more likely to suffer a data breach than those running newer operating systems. Organizations with out of date web browsers were two times more likely to experience a data breach.

The analysis did not confirm whether the data breaches occurred as a direct result of running outdated browsers and operating systems. The outdated software was only an indicator in the risk profile of those companies.

BitSight research scientist Dan Dahlberg said it is common knowledge that using outdated software and operating systems increases risk, but the big surprise from the study was the number of companies that were taking such big risks. For instance, prior to the WannaCry attacks, 20% of computers analyzed during the study were still running Windows XP.

The healthcare industry fared better than other industry sectors with 85% of organizations using up to date browsers and operating systems. However, 15% were taking risks by failing to update their browsers promptly and upgrade their operating systems.

Unsurprisingly, government organizations were some of the worst offenders, with more than a quarter of computers running on old operating systems and using out-of-date browsers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.