It may be hard to remember today, but when Windows XP was released on Oct. 25, 2001, it was a revelation. Aimed at both consumers and businesses, it married a user-friendly interface with reliability, replacing clunky and crash-prone Windows 2000. When upgrades to the system became available in the ensuing years, many businesses and individuals decided they had sunk too much time and money into XP-compatible hardware and training to make switching worthwhile.
In fact, according to a 2018 Spiceworks report, 32 percent of businesses still have Windows XP installed on at least one device in their network. As we approach the 20th anniversary of XP’s release, we’re seeing the full consequences of the continued use of this out-of-date, unsupported operating system by users around the world.
XP usage is just one of many data points that illuminate the perilous networked landscape we inhabit today. That’s why Verisk has identified digital vulnerability as an emerging global risk as criminal and state agents exploit these outdated systems for nefarious ends. By looking at the numbers behind these seemingly small lags in cyber security, we can see the true threat digital vulnerability poses in modern life.
Here’s how one computer in the Accounting department running an outdated operating system could impact your business (or government, or family). One Friday in May of 2017, a ransomware attack began with an initial infection in Asia. Within one day, 230,000 computers in more than 150 countries were infected.
By the time the WannaCry ransomware attack—as it is now known—was over, economic losses were estimated to run from the hundreds of millions to up to $4 billion. And the attack could have been worse had its creators (believed to be North Korean agents) chosen to target vital infrastructure. That wasn’t the end of it: just this May, Microsoft released a patch for Windows XP, an operating system for which it stopped releasing updates five years ago. As Wired magazine reported, “The last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in the months before the WannaCry ransomware attack swept the globe. This week’s vulnerability has similarly devastating implications.”
I’m not saying that XP is behind the world’s growing cyber-vulnerability crisis: it isn’t. Microsoft has been pushing users away from the operating system for years, and those still running it today make up a tiny fraction of networked computers. What’s clear is that currently, our patch cadence—the speed at which vulnerabilities are addressed—lags behind the pace at which malicious actors are identifying weaknesses; that these attacks are getting more audacious and more costly; and that relatively few people realize the connection between cyberattacks and what are often viewed as benign digital security lapses. Too often, it is the well-meaning employee or technophobic grandfather who accidentally allows criminals into what should be a tightly guarded digital sphere.
This doesn’t mean that a future of Wild West lawlessness in the digital world is inevitable. While both criminals and nefarious state actors are becoming savvier in their attacks, policymakers and cybersecurity experts are also redoubling their efforts.
On Oct. 2, 2019, the U.S. House of Representatives passed the Cybersecurity Vulnerability Remediation Act, which amends the Homeland Security Act to include that “the director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.” This move attempts to address the problem identified here, and other state and federal laws are beginning to gain momentum in this area.
However, to effectively combat bad actors online, we must change public perceptions of cyberattacks. As I wrote for the Verisk Risk Report, cyberattacks must be seen as a hurricane in the Caribbean during storm season, rather than, as they too often are, as an earthquake in New York City: unpredictable, devastating, and unlikely to reoccur.
This year is on track to be “the worst year on record” for breach activity, with 4.1 billion records exposed as of June 30, according to a mid-year report by QuickView. Compared to the previous year, the number of breaches was up 54 percent. Today, we have an unprecedented view of the problem we face thanks to the power of data analytics and its impact on risk assessment. We need to use this power to better inform every citizen of how they can help protect their communities through simple actions, like not snoozing that security update for one more day.
Humans have always used data to understand patterns and influence future events. We’ve collected the data; we see the upward trend of increasing digital attacks; now, we need to start preemptively educating people on how they can influence this situation going forward.
Whether they work in a café, a bank, or a hospital, no conscientious employee would leave a door propped open when leaving work for the night, nor would they hand out security codes to shady strangers on the street. That is because we are all trained in the basic security protocols of the physical world. Now that we can understand the scale of the problem, it’s time to bring this training into the digital era, to ensure a secure and resilient future for all, offline and on.
Prashant Pai is vice president of cyber offerings at Verisk (Nasdaq:VRSK), a leading data analytics provider.