Since January 2020, Windows 7 Operating System is not supported by Microsoft anymore. This means any PCs still running the software no longer receive security updates, software updates, or technical support for any issues.
Many small businesses are not aware of the potential impact and implications of not running the latest software releases. Their approach? “If it ain’t broke, don’t fix it”. Unfortunately, this mindset will cause systems to be compromised at some point as there is no further maintenance available to protect their operating system from cyber attacks if they still use Windows 7.
On the upside, this Windows 7 end of life status has incentivised some of Espria’s clients to undertake a review of their IT systems.
Our client’s issue : an IT system vulnerable to threats
One of our clients has used the cessation of the Windows 7 platform to look at their complete IT infrastructure and ensure that it is as secure and reliable as it can be.
The team here at Espria performed an audit of their IT systems.
Several areas in need of improvement were identified, including:
- Multiple anti-virus products being used throughout the organisation but also on some machines!
- Different versions of Microsoft Office being utilised, including Windows 2007, and desktops running multiple Windows Operating Systems
- Windows Updates not being applied to all machines
- Large levels of spams received on a daily basis
- Many web browsers in use
- Administrative rights granted to users on their desktops
- Simple passwords used and shared amongst all users
- Remote user laptops only secured by simple passwords
- All users provided with remote access to the server, whether it was actually required by the business or not
Our solutions : new processes
Whilst the above was not causing any problems from an operational perspective, clearly this is not best practice as to how IT systems should be maintained.
Through the introduction of new processes and a small investment in hardware and software products, we were able to address each of these concerns within a short space of time with minimal disruption to the userbase:
Whilst the above was not causing any problems from an operational perspective, clearly this was not best IT practice.
Through the introduction of new processes and a small investment in hardware and software products, we were able to address each of these concerns within a short space of time with minimal disruption to users:
- We introduced a modern, anti-virus solution with central management, update services and reporting.
- We migrated all users to Office 365, ensuring that the same version of the Office product was used and automatic updates were carried out.
- We standardised Windows 10 operating system across all machines, performing in-place upgrades where possible or machine replacements where hardware was not suited to the new environment.
- We configured Windows 10 to perform updates automatically in the background to ensure that all users are on the latest security release.
- With the migration to Office 365, this has automatically provided a level of spam protection : only required emails are allowed to go through.
- We agreed with the business that only 2 Web Browsers should be used and removed non-supported products. We configured automated updates to ensure that the latest product versions are always present.
- We removed administrator rights from all users to ensure that their desktop environment cannot change so that no additional software can be installed.
- We introduce complex passwords to ensure a minimum level of characters, as well as password change enforcement every 30 days.
- We enabled encryption services on remote laptops prior to Windows starting so that the data cannot be accessed without an initial key being entered to allow the machine to start.
- We reviewed all remote user access to ensure it was restricted to only those that need it. In addition, a secure Firewall with VPN Services was installed so that remote users have to authenticate against the Firewall before they are given access to the network.
These steps have led to an improved IT offering for the business’ customers while ensuring the company is better protected against cyber attacks.
We will continue to review the installation every 6 months to ensure that the levels of protection and policies used remain adequate.