Security time bomb: Businesses are not ready for the end of Internet Explorer 8, 9 and 10 support
The end of support for older versions of Internet Explorer has been known about for some time now. Despite the fact that there has been plenty of time to prepare for a move away from Internet Explorer 8, 9 and 10, many businesses are simply not ready and security experts warn that this could lead to a spate of attacks from hackers.
Microsoft has been encouraging people to move to Internet Explorer 11, or Edge in Windows 10 for a while, and the countdown comes to an end tomorrow -- 12 January. From this point forward, there will be no more patches or security fixes issued. Security analysts fear that with Internet Explorer 9 and 10 accounting for 36 percent of IE and Edge use, and with more than 160 vulnerabilities discovered in Internet Explorer in the last three years, there are risky times ahead.
Automatic Updates should have taken care of upgrading users to Internet Explorer 11, but business community Manta reports that more than 60 percent of businesses that use Internet Explorer are still stuck on version 10 or older. With an estimated 34 percent of SMBs found to be Internet Explorer users, there are an awful lot of people at risk if they fail to update their software soon.
Duo Security warns that there are still a huge number of unpatched system in use, and that we’re likely to see a spike in targeted attacks in coming weeks, months, and years. One of the benefits of End of Life dates is that there is a push to get people using the most recent and most secure versions of software, but it also serves as a beacon for attackers who are only too aware that people -- particularly businesses -- can be incredibly slow to update their software.
Duo Security Program Manager Mike Hanley says:
All it takes is one vulnerable device accessing your network to put your entire organization at risk of a data breach. But with visibility into the types of risky devices accessing your network, you can create and enforce data-driven policies to secure your company.
He also shares some tips for businesses to consider:
Educate your users on the importance of running updates and enabling Automatic Updates. Keeping devices up-to-date is critical to preventing compromise by attackers. Using current and supported software ensures users will continue to receive security updates and bug fixes for the software they use most - their browser!
In the case of Internet Explorer and Edge, automatic updates should occur along with monthly patch cycles. However, we also suggest considering switching to browser platforms that are updated frequently and automatically, such as Google Chrome - which is already the leading browser platform by a thin margin according to our data. Users and IT departments should strive to run current, supported operating systems and applications to prevent compromises in their environment.
Carefully weigh the balance between legacy compatibility and security. Many users will argue that web applications they use frequently are designed to be used on older platforms. But using a less-secure browser in today’s security climate in order to support a legacy interface can ultimately be more costly than updating the application or working with a vendor to provider support for newer software in the event of a compromise.
Consider compliance concerns. Microsoft draws attention to an important consideration in their EOL support announcement that running outdated software may actually have compliance impacts in enterprise environments. In addition to generally running with an open attack surface, there could very well be regulatory and compliance concerns associated with running unsupported software.