End of Life Software: Risks, Dangers & What to Do Next

Andreas Wuchner

Understanding what to do when you have EOL software becomes crucial to the security of your organization. So, what happens when your system reaches EOL?

When software reaches EOL, it means the program will no longer be supported by the developer and there will be no more updates. Without updates and bug fixes, this software becomes vulnerable to hackers and cyber criminals.

Nothing lasts forever. This applies to software and infrastructure. Legacy solutions and applications are a reality for most organizations, from small and medium-sized businesses to, most definitely, the enterprise world. For any company investing in cloud initiatives, End of Life (EOL) becomes even more complex.

What is End of Life (EOL)?

Sooner or later everything we use reaches its tipping point and a technological expiry date. End of Life (EOL) is when the manufacturer stops developing and servicing the product. This can include discontinuing technical support, upgrades, bug fixes, and, most importantly, security fixes.

A few risks you want to look out for if your business is running EOL software are:

Operational Risks Can Cause Business Interruption

While discussing EOL with business stakeholders you often hear the argument that the legacy system or application is super critical for the business and it has operated without any problems for many years. Why change a system that is reliable and currently operating?

These stakeholders eventually see that EOL components become less and less reliable over time and more prone to failures. They tolerate these conditions until something goes really wrong.

Software nearing EOL also impacts usability. We live in a fast-developing world where new standards emerge and make old ones obsolete. People suddenly find themselves in a situation where the critical web application still works, but web browsers no longer support the old encryption-in-transit methods it uses. If these risks materialize, they can cause business interruption, driving up costs and creating client unhappiness.

Security Risks Can Damage Your Reputation

Cyber security risk is widely understood, given that cyberattacks and data breaches are reported in the press every day. This does not mean that everyone takes the appropriate remediation efforts to address them.

As mentioned, end of life technology receives no security updates, bug fixes, or patches; it is dead in the eyes of the manufacturer. That means your security is completely compromised, not only for the system or software that is EOL, but also potentially for any others that connect to it.

In the worst-case scenario, your EOL system or software can be hacked and data stolen. Such cyber security incidents are embarrassing, putting your reputation and customer trust on the line.

Compliance Risks Can Result in Hefty Fines

Regulatory scrutiny is on the rise; therefore, compliance with regulatory requirements is no longer optional. GDPR, PCI, SOX and HIPAA are prominent examples, and they require that all technologies in use be supported.

Compliance risks on EOL systems are similar to cyber security risks. By failing compliance requirements with legacy systems or software, a business can face hefty fines, particularly in the event of a data breach.

Support Risks Can Increase Maintenance Costs

The longer EOL technologies are kept past their supported life cycle, the higher the cost of keeping them running. Over time, businesses have fewer people who are familiar with the legacy technology and are capable of supporting it. When support demand exceeds supply, maintenance costs increase in parallel with the risks of a security or compliance event.

Operating End-of-Life systems and software may be tempting, but the financial, security, and compliance risks far exceed the benefits. All serious technology providers give plenty of advance notice prior to sunsetting an obsolete technology. Businesses that adhere to these announcements and move off legacy technologies save more than investment dollars. They may also save their reputations and customer loyalty. Remaining on or relying on EOL technology is just not worth the risk.
