Security risks of end-of-life (EOL) hardware and software [Updated]
Technology—both software and hardware—is a major investment. So it's easy to understand why some people may want to hold on to their tech as long as possible. But failing to upgrade systems and continuing to rely on end-of-life (EOL) hardware and software can create major security vulnerabilities.
What is "end of life" (EOL) hardware and software?
"End of life" simply means that the manufacturer has stopped updating and supporting a piece of hardware or software. Every product has a lifecycle. The product lifecycle begins the day the product is released and ends when the developer decides to stop providing software and firmware updates.
These life cycles may last for many years—decades, even—but chances are that a manufacturer is going to stop supporting its products at some point.
Why would a manufacturer stop supporting a product?
While users may initially fall in love with a new piece of software or hardware, expectations tend to swell as time passes. After the luster of something new wears off, users desire more features and better performance. Eventually, the old product becomes incapable of meeting these demands, so a new product is created to replace it, much like how a new car model replaces the vintage version.
This type of transition is quite common in the tech industry. In regard to software, it is usually referred to as the "software development life cycle" (SDLC). The term "system development life cycle" may be used to include hardware as well.
A manufacturer may stop supporting a product for any number of reasons, including:
The product has matured to a point that it makes more sense to start from scratch with fresh code or updated components.
The manufacturer is spread too thin updating too many products, and so they shed support for a product to focus on supporting fewer products.
The product was a flop or had so many issues at launch that the manufacturer has decided to quietly walk away in the hopes of working on its next success.
Why might businesses keep using end of life products?
Software and hardware may keep working even though they're no longer supported. Tech can get pricey.
Some business owners may prefer to hold on to software they've already paid for rather than buy a new version or transition to a subscription/SaaS model. And buying one piece of new hardware may require buying other hardware that integrates with the new hardware.
In addition to the direct cost of purchasing new systems, there are the indirect costs associated with losing and resetting customizations that have made users' lives easier and sped up workflows for the last few years. Business owners may have concerns about whether their specific crucial software can work on a new operating system.
It's not hard to see why businesses may be reluctant to update certain systems.
But the legacy products may have gaping security holes that make for easy intrusions and cyberattacks. Such security issues pose major risks to your business and your customers' information. And in some cases, the security risks can have legal consequences.
If you are holding your customers' business-critical information, you have a duty to be a good steward of that data. Keeping your IT infrastructure up to date is a major step in the right direction.
Also, continuing to depend on unsupported hardware or software may lead to your cyber liability insurance provider denying coverage after a cyber event.
What hardware and software should I watch for end-of-life dates?
Crucial hardware to track end-of-life dates for includes:
Routers and modems.
Network interface controllers.
Anything else connected to the internet. (You can't be too sure or too safe.)
On the software side, a business may hold on to its preferred operating system even though the manufacturer has urged users to upgrade. Outdated operating systems open businesses up to a variety of vulnerabilities and potential disasters.
What if I don't want to upgrade my software or hardware?
You may be able to continue using end-of-life hardware or software if you are able to "air gap" it (take it offline and do not allow internet access). But any end-of-life device or software that requires an internet connection should be swapped out for a newer product as soon as possible, because the obsolete product will not receive security updates and is therefore unsecured. Keeping such a product connected to your network creates vulnerabilities that attackers can exploit to gain access to your network and systems.
Technology can have a difficult time adjusting to changes brought about by the World Wide Web. Unlike wine, devices and operating systems don't tend to age well. To maintain security across their networks, business owners must be aware of the support status of all their devices and make sure they are being properly updated.
In recent years, people have started relying on internet-connected devices in ways they never foresaw. And as the number of such devices increases and people incorporate more such devices into their daily lives, the scope and scale of security threats will only grow. This also means that, going forward, keeping software and hardware up to date with the latest patches will become more important. But this fundamental security practice is impossible when the product is no longer supported.
While monitoring the end of life for each product can be tedious or even daunting, failing to do so can lead to a security nightmare or catastrophic failure for your business.
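One way to take the tedium out of that tracking is to keep an inventory with each asset's end-of-life date and network exposure, then triage it automatically using the rule above (EOL products may stay only if air-gapped). This is an added example, not part of the original article; the inventory rows, column names, status labels and the 180-day planning window are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real devices or real vendor EOL dates).
INVENTORY_CSV = """asset,kind,eol_date,network_connected
edge-router-01,router,2021-06-30,yes
lab-plotter-pc,operating system,2020-01-14,no
office-modem,modem,2030-12-31,yes
file-server-nic,network interface controller,2025-03-01,yes
billing-app,software,,yes
"""

WARN_DAYS = 180  # assumed planning window before EOL; tune to your procurement cycle


def triage(row, today):
    """Classify one asset: EOL gear may stay only if air-gapped;
    EOL gear with network access must be replaced."""
    connected = row["network_connected"].strip().lower() == "yes"
    raw = row["eol_date"].strip()
    if not raw:
        # Unknown support status is itself a finding: it cannot be tracked.
        return "UNKNOWN_EOL"
    eol = date.fromisoformat(raw)
    if eol < today:
        return "REPLACE_NOW" if connected else "EOL_AIR_GAPPED"
    if (eol - today).days <= WARN_DAYS:
        return "PLAN_REPLACEMENT"
    return "SUPPORTED"


def triage_inventory(csv_text, today):
    """Return {asset name: status} for every row of the inventory CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: triage(row, today) for row in reader}


if __name__ == "__main__":
    results = triage_inventory(INVENTORY_CSV, date.today())
    # Print the worst findings first so they are not buried in a long inventory.
    order = ["REPLACE_NOW", "UNKNOWN_EOL", "PLAN_REPLACEMENT",
             "EOL_AIR_GAPPED", "SUPPORTED"]
    for asset, status in sorted(results.items(), key=lambda kv: order.index(kv[1])):
        print(f"{status:17} {asset}")
```

Assets with no recorded end-of-life date are reported separately, since a product whose support status is unknown cannot be kept up to date with any confidence.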
A quality managed security service provider (MSSP) should be able to keep up with the end-of-life dates for your hardware and software to ensure that your systems are able to stay up to date, freeing you up to focus on running your business.