Industry Pros Reveal Why Some CUs Are Still on Windows 7

Jan. 14 marked the end of Microsoft’s support for Windows 7, but for many credit unions Jan. 14 also marked the beginning of a technology scramble. Although many have already upgraded to Windows 10, many others are playing catch-up — and playing with fire, according to three industry pros.

Hackers on the Prowl

Microsoft has stopped providing security updates and other support for Windows 7, but it may be too early to tell if hackers are infiltrating credit unions that haven’t moved to Windows 10, according to Brian Petzold, who is vice president and chief technology officer at Bedel Security, which provides cybersecurity services to financial institutions.

“Right now, this week, credit unions are no worse off than they would have been any other month. It’s really two months out and three months out that we start to have a problem because there could be vulnerabilities in the systems that are not patched at that point,” he said.

Jonathan Derby, who is chief information officer at credit union IT firm Ongoing Operations, said hackers may be biding their time, too. “It completely depends on the type of attack, but generally you’re looking at 200-plus days,” he said.

The Bottleneck

For credit unions that haven’t moved to Windows 10, two things tended to stand in the way, the industry pros said.

The first is vendor systems that don’t work on or don’t support Windows 10. Some credit union vendors aren’t subject to exams often and thus may not feel as much pressure to upgrade or fix things, Petzold noted.

“What we’ve seen is that a lot of credit unions will utilize peripherals, printers, and scanners and things that hook up to computers — that’s where a lot of vendors were slow in providing support for Windows 10,” he added.

“And because of that, the IT departments couldn’t really upgrade a lot of those workstations until those vendors would be able to provide drivers for that or at least certify that they would work,” Petzold said. “And we’re still seeing it. There’s still some vendors out there that still, to this day, have not officially said, ‘We support Windows 10.’”

The second barrier has been competing priorities, Petzold added. “This is really true across the board at all types of financial institutions: If I’ve got my choice of 10 different projects and nine of them are going to directly benefit members and one of them is upgrading my workstations, people are going to tend to do what is going to benefit your customers the most,” he said.

The Scramble

Credit unions that haven’t upgraded to Windows 10 yet should remember three things, according to the pros.

1. Extended support is available — at a price. Credit unions can buy help with extended security updates through Microsoft. “Your best bet is to quickly move forward with Windows 10, but if that is not a possibility, then you should explore getting that extended support so that you remain patched,” Ongoing Operations Senior Solutions and Security Architect Shane Butcher said.

2. Timing is important. Signing up for extended support might be a function of where a credit union is in the upgrade process. “It really depends on how long you think it’s going to take you to get to Windows 10. If you have 20 workstations and it’s going to take you a month or two, I would probably say it’s probably not worth the effort to go and get the extended support for those. But if you have a thousand PCs that are throughout your organization, it’s going to take some time to upgrade those, and in those cases I highly recommend you spend the money and get that support,” Petzold said.

3. Waiting is risky. Examiners are looking for end-of-life operating systems, Petzold said. So are hackers. “There were 250 vulnerabilities released last year for Windows 7,” he added. “At least 90 of those were rated critical, meaning that it’s something that somebody really could pretty easily take advantage of.”

Skeptics should think twice, he warned. “It is a real problem, and it’s going to be a real problem,” he said. “The longer you let this go, though, the worse it’s going to get.”