Two-thirds of SMEs run old or expired Microsoft OS

A report finds SMEs lack both the awareness and the resources to manage cyber risk.
3 July 2019

Old or expired Windows OSes are making SMEs vulnerable. Source: Shutterstock

Two-thirds (66 percent) of small and medium-sized enterprises (SMEs) continue to run Microsoft OS versions that have expired or will expire by January 2020.

The majority of systems in use are over ten years old, finds Alert Logic’s Critical Watch Report: SMB Threatscape 2019. The research was based on data from the firm’s 4,000-strong customer base of SMEs and large enterprises.

Identifying a trend of outdated and often unsupported operating systems among smaller organizations, the report noted that SME attack surfaces are widening. 

Cybercriminals are also exploiting shortfalls in encryption, workload configuration, and limited visibility into vulnerabilities. 

“The continued lack of skilled cybersecurity professionals affects organizations of all sizes, and small and midsize businesses are at a greater disadvantage because they can’t scale as large organizations can,” said Onkar Birk, Senior Vice President of Product Strategy and Engineering, Alert Logic. 

Overall, the trends highlighted in the report point to both a lack of awareness and a lack of resources among SMEs to handle the growing risk of cyber threats.

In addition to the majority running out-of-date Microsoft OS versions, the report stated that 42 percent of security issues are related to encryption.

Here, automated patching has helped reduce the frequency of vulnerabilities, but configuration remains an issue. Just 13 encryption-related configuration issues accounted for 42 percent of all security issues found.

Meanwhile, 75 percent of unpatched vulnerabilities in the SME space are more than one year old. Again, while automated updates have improved patching, organizations are still struggling to keep pace.

Finally, Alert Logic noted that while email is “the lifeblood of most organizations”, nearly a third (30 percent) of SME email servers operate on aged software: Exchange 2000, which has been unsupported for nearly a decade.

The report follows another by Business in the Community earlier in 2019, which found that a third of UK SMEs have no cybersecurity strategy in place whatsoever.

Just over a third (35 percent) had basic data protection policies in place and just 29 percent had a policy for controlling access to systems. 

That same report recommended SMEs follow four steps at a “bare minimum” to ensure they have a base level of cybersecurity in place:

  • Use a firewall to secure the internet connection.
  • Choose the most secure settings for devices and software.
  • Control who has access to data and services with passwords and user-specific accounts.
  • Use antivirus software and enable the auto-update mechanism to keep everything up to date.

Transitioning to a newer operating system can be added to that list.