BitSight: Outdated Operating Systems, Browsers Put Many Organizations At Risk

The easiest way to improve a device's security is to make sure it's using the latest version of its operating system, browser, and other software. Updates often patch known vulnerabilities or bolster an app's defenses. But a new report from BitSight, the self-described "standard in security ratings," shows that many organizations don't update the operating systems or browsers of the many devices they have to manage.

BitSight said it analyzed "more than 35,000 companies from industries across the globe over the last year" to "better understand the usage of outdated computer operating systems and internet browsers, the time to it took to update operating systems once a new release was made available, and how these practices correlate to data breaches." It learned that many organizations fail to keep their software updated.

The company said in its report that "over 2,000 organizations run more than 50% of their computers on outdated versions of an operating system," which in turn makes them "almost three times as likely to experience a publicly disclosed breach." Note the "publicly disclosed" bit--chances are good that other groups are compromised because they use outdated operating systems and either fail to notice the intrusion or keep it hush-hush.

BitSight said it often takes at least a month for organizations to install new point releases of macOS. Apple often uses those updates to ship patches for known vulnerabilities, which means these groups put themselves at risk by waiting to install them. Windows users weren't any better: BitSight said that in March, nearly 50% of the Windows users examined in the report used Windows 7. Another 20% used Windows XP or Vista.

Another 8,500 organizations have outdated browsers on more than 50% of their computers, BitSight said, which doubles their chance of suffering a publicly disclosed breach. This is particularly worrisome given how easy it is to install browser updates. Google Chrome and Mozilla's Firefox automatically update themselves by default. Microsoft Edge and Apple's Safari, however, are usually updated alongside their respective operating systems. Chances are that organizations using those browsers who fail to install OS updates also use old versions of Edge or Safari as a result.

BitSight connected its findings to WannaCry, a ransomware attack that took the world by storm in May, and which exploited a vulnerability in Windows that Microsoft had patched back in March. The attack spread in large part because many organizations fail to keep their software updated. This prompted Microsoft to release a patch for Windows XP, 8, and other legacy versions of the operating system to halt the attack.

Some organizations have legitimate reasons for using outdated versions of Windows and macOS. Critical software might not be compatible with modern versions of the operating systems, which forces these companies to decide between finding an alternative solution or sticking with the version of Windows or macOS that fills their needs. That isn't an easy decision to make--especially with attacks like WannaCry making headlines.

This can in turn lead to problems with outdated browsers. In addition to bundling browser updates with new OS releases, companies often require you to use a modern OS if you want access to newer versions of their browsers.

BitSight's report shows just how dangerous failing to update these critical aspects of a device can be. Companies release updates for a reason, and it's not always because they have some new and exciting features. Often, it's because a vulnerability was disclosed, either publicly or privately, and they want to make sure their customers won't be affected by it. Failing to install those updates puts all those efforts to waste.

You can find the full BitSight report here (though you'll have to provide some personal info to download the whole thing), and the key findings were summarized in a press release.