Windows 10 is about to pass into the realm of unsupported operating systems. On October 14, 2025, the final security update will be piped through for Windows 10, and after that, Microsoft won’t supply any more. Well, not unless you sort out extended updates (and I’ll come back to that).

There are plenty of people still using Windows 10, and at this point in time, right before the big deadline, they might have lots of questions. How safe is it to just remain on Windows 10 after the support deadline has passed? You may have heard it’s risky, but is that just an exaggeration – is it really that bad to stick with an unsupported OS?

And what about the extended support program that I just mentioned – how does that fit in? If you avoid paying for this scheme, you may have heard that Microsoft requires you to sync the files on your PC with its servers – is that true? (In a word, no, though there are nuances that I’ll get to.)

In this article, I’m going to answer these, and some other pressing queries that you may have regarding Windows 10’s End of Life, and how safe the operating system remains as it shuffles onwards in Microsoft’s post-support era.

Is it safe to simply keep using Windows 10 after October 14, when support ends and Microsoft stops providing updates?

No, do not use Windows 10 without updates, or for that matter, don’t continue using any operating system beyond its support deadline. With no security updates, it’s just too much of a risk that you might be compromised.

Software like an operating system is a massive, sprawling, complex affair, and the problem is that, over time, vulnerabilities will be discovered in the codebase. Normally Microsoft fixes those security flaws in its monthly updates; without them, the flaws stay unresolved and remain as gaping holes in your OS. Holes that a hacker or other nefarious types could exploit.

But I’ve heard that these risks are overblown and exaggerated – how dicey can it be, really?

It’s true that people continue using an operating system without security patches all the time. This happened with Windows 7, and it will happen with Windows 10 (indeed, Windows 7 only went below 10% of Windows market share three years after its End of Life, and Windows 10 is very likely to be a worse situation).

And admittedly, it’s also true that initially, right after the deadline expires, you’re not going to be in much peril. After all, you get a security patch on October 14, anyway, which will last you through to November – that’s when the first update will actually be missing for Windows 10. Even in the month following that, nothing much might happen in the way of vulnerabilities being uncovered – but the key word here is might.

While there may not be many holes left open to exploit in the early days after Windows 10’s support expires, gradually, these will mount up, and staying unprotected on the operating system will become increasingly risky. As security flaws become more widely known, and still unpatched, more hackers will be looking to find and exploit these vulnerabilities in Windows 10 PCs out there.

Frankly, I wouldn’t want to take any risks at all beyond the first month, because I just don’t think it’s worth it – and it’s definitely unwise to run Windows 10 without patches for very long.

What if I’m really careful online and I have a good antivirus, won’t I be safe then, even without Windows 10 updates?

In fairness, packing one of the best antivirus apps and being very cautious about what you do online will go a long way to keeping you safe – that’s true, even without any security updates from Microsoft. But you’ll have to be really careful, and essentially stop following most links (all of the ‘ooh, I’m curious about that’ variety, certainly) – but who has that kind of willpower and steadfastness? Not that many people frankly.

Realistically, you’re likely to slip up from time to time and put your unpatched operating system in danger. Even if you don’t, and you are incredibly careful, sometimes you can be hit by malware from out of nowhere – these things happen and may not be your fault at all (a compromised web server somewhere that pushes a malware-laden advert, for example).

Unless you are going to keep your Windows 10 PC entirely offline, there’s always a chance of compromise, and that risk is somewhat higher if your system doesn’t have security updates. So, I’d really advise that you don’t gamble that you’ll be fine without Windows 10’s monthly updates, as the reality is you may not be – and if your PC does fall prey to malware, it’s a world of hurt.

It isn’t worth the risk, so if you are sticking with Windows 10 past October 14, then you need to ensure you keep getting updates. And here’s the other thing with Windows 10 – you can get an extra year of support for free (with a slight catch), as mentioned at the outset. So you’d be foolish not to avail yourself of this offer.

So, to stay safe, the best thing to do is get extended support then – how does that work?

Undoubtedly this is the safest path forward. Microsoft’s year of additional support is provided in the form of the Extended Security Updates (ESU) scheme, which for Windows 10 runs through October 13, 2026. Normally, this is only an option for businesses in a post-support deadline scenario, but with Windows 10, consumers are also getting this choice for the first time ever.

There are three enrollment options for the ESU, reached via the enroll link in the Windows Update panel in Windows 10 (it sits underneath the ‘Check for updates’ button). To sign up, you’ll need a Microsoft account, and one option is to pay $30 for the scheme. If you don’t want to fork out any cash, you can use 1,000 Microsoft Rewards points instead (if you have them).

The final option, the one I’d recommend, is free, but it does come with a slight catch…

Ah yes, the catch – I’ve heard that you must sync files with Microsoft to get the ‘free’ updates – does that mean the company’s sticking its nose in my business?

It is true that Microsoft requires you to sync some data to get the ESU with the third (free) option, but there’s some misinformation online about this indicating that you’re somehow syncing your personal files to Microsoft’s servers.

To be clear, what’s actually required is that you sync your PC Settings (to OneDrive, Microsoft’s cloud storage service) via the Windows Backup app. So, yes, it is true that you’re allowing Microsoft to store some of your data, but a very limited amount – just your setting choices. All your personal data – files on your PC like your documents, photos, videos and so on – isn’t included in this syncing arrangement.

In my book, this isn’t a particularly intrusive ask, and is a relatively small price to pay for an additional year of security for Windows 10. But if you’re really against the idea of sharing anything related to your PC with Microsoft, you can simply pay the $30 fee as mentioned, and I’d still recommend doing that if you want to remain on Windows 10 – don’t just plough on with no security updates.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from TechRadar.com

Having the right technology controls in place can vastly impact the cost of cyber insurance and claims eligibility.

Hackers are aggressively targeting small and medium-sized businesses: One in every three SMBs was hit with ransomware in 2024, according to research from Microsoft.

The luckiest businesses will never get breached or will have the incident response and backup and recovery plans in place to walk away unscathed. But even they are at risk of liabilities such as business disruptions, exposed data and fines. Not to mention, 94% of all ransomware attempts against SMBs in 2024 targeted backups, according to Sophos.

Enter cyber insurance. As more SMBs investigate first- and third-party coverage, they’ll encounter a slew of technical prerequisites. It’s crucial that they know what risks to cover and the requirements to qualify for that coverage in order to ultimately be eligible for a payout. 

Upfront Risk Assessments Save Time and Money

Many cyber insurance providers offer free risk assessments for businesses, but John Candillo, field CISO at CDW, recommends doing a little upfront work to smooth out the process and avoid getting blindsided.

“Insurers want to know how your business looks from the outside looking in,” he says. “A focus on this ahead of time can greatly improve your situation when it comes to who’s willing to underwrite your policy, but also what your premiums are going to be and how you’re answering questionnaires.”

Conducting an internal risk assessment and engaging with cybersecurity ratings companies such as SecurityScorecard or Bitsight can help SMBs be more informed policy shoppers.

“If you understand what the auditor is going to ask you and you’re prepared for it, the results of the audit are going to be way different than if you’re caught off guard,” Candillo says.

These steps get stakeholders thinking about what type of risk requires coverage. Cyber insurance can broadly be put into two categories. First-party coverage will protect against things such as breach response costs, cyber extortion costs, data-loss costs and business interruptions. Third-party coverage insures against risks such as breach liabilities and regulatory penalties.

The more you know up front about your risk profile, the easier it is to advocate for yourself during the underwriting process.

Proper Security Controls Are Necessary for Coverage

Inadequate cybersecurity controls can be a dealbreaker for cyber insurers, resulting in outright rejection or prohibitively expensive premiums.

“They’re going to have anywhere from 15 to 30 controls they’re going to ask about,” Candillo says. “But we call the most common things they ask about the big 12.”

  1. Multifactor authentication
  2. Privileged access management
  3. Remote access controls (such as VPNs)
  4. Endpoint protection and response
  5. Security information and event management
  6. Incident response plan
  7. Business continuity plan and disaster recovery
  8. Backup strategy
  9. Email security
  10. Security awareness training
  11. Third-party risk management
  12. Patching and vulnerability management

“They’re going to ask you very pointed questions,” Candillo says. “For example: Is every application accessible only through multifactor authentication? And they’re going to expect a yes or no answer.”

Phrases such as “yes, no, always, never, every and all” fall into a category Candillo calls absolutist language. Covering your bases isn’t just a matter of getting coverage; it’s also a matter of meeting certain requirements should you need to submit a claim.

“Don’t just answer yes or no,” Candillo says. “Take the PDF they gave you with the yes or no questions, export it into another format where you can actually qualify your answers and give as much information as possible.”

This added context helps businesses have a more complete picture of the controls they have in place and can round out answers in questionnaires as a possible defense in the event that an insurer attempts to deny a claim.

In terms of implementing the prerequisite technology, Candillo recommends working with a partner such as CDW with access to solutions from a variety of vendors.

“There are cheap ways to do it and there are expensive ways to do it,” he says. “SMBs are probably going to opt for the affordable way, as long as they know what that looks like.”

Cyber Insurance Isn’t a One-Time Thing

Most cyber insurance policies will need to be reviewed on an annual basis. Businesses will therefore have to complete questionnaires annually, and the questions being asked could change depending on shifting conditions in the threat landscape.

What’s more, many businesses will create an “insurance tower,” as they may require more than one insurer to achieve the desired level of coverage. While a common practice, this does multiply the work that goes into renewing policies each year. Candillo says this further underscores the importance of adding context to checklists.

“It’s something they have to deal with every year, and you may only hear about it once a year,” he says. “Without that additional context, it’s hard to get a lot of knowledge and experience around how the answers you give impact insurability, not to mention premiums.”


Published with consideration from BizTechMagazine.com

Staying secure online is becoming trickier by the day, especially for small or medium-sized businesses (SMBs). While tools like password managers are designed to protect sensitive information, cybercriminals are now targeting them. A recent study reveals a startling threefold increase in malware targeting password vaults and credential stores over the past year.

The rising threat of infostealers

Infostealers, also known as information stealers, are a type of malware designed to harvest sensitive data from a victim’s computer and send it to the attacker. They can come in many forms, such as keyloggers or spyware, but their main goal is to collect login credentials and other valuable information.

The study by Picus Security uncovered alarming growth in infostealers designed to target credential stores, including password managers. By analyzing one million malware samples, researchers found that 93% of observed malicious actions map to just 10 common attack techniques.

Why are password managers a prime target? Their centralized nature makes them convenient for users but equally appealing to cybercriminals. By breaching just one password vault, attackers can gain access to a wealth of credentials across multiple accounts and platforms.

Malware in action: RedLine and Lumma Stealers

Two notorious infostealers leading these attacks are RedLine Stealer and Lumma Stealer, each targeting victims in unique ways.

  • RedLine Stealer is often spread through phishing attempts or fake websites. It specializes in extracting data from web browsers, email applications, and other credential storage locations.
  • Lumma Stealer operates as a Malware-as-a-Service (MaaS), allowing criminals to rent the malware and use it to steal payment credentials, cryptocurrency wallets, and other sensitive information.

Malware tactics are changing. With operating system defenses improving, old methods such as credential dumping are less effective. Modern infostealers now target weaker but valuable areas, such as password managers.

The dark web surge

The stolen credentials don’t just stop with the initial hacker; they often end up being posted for sale on the dark web. Initial access brokers profit by reselling credentials that give hackers easy access to enterprise systems. These stolen credentials are then used in major ransomware attacks.

Why password manager attacks are increasing

Cybercriminals are adapting their tactics to target password managers for several reasons, including their effectiveness and ease of execution.

  • Minimal skill requirement – Most infostealers only need ordinary user-level access to scrape stored credentials: browser and vault data lives in the user’s own profile, protected with keys that the user’s session can unlock, so no exploit or admin rights are required and the attack is fast and easy.
  • Automation – Many attackers leverage automated tools to extract information, streamlining cyber theft.
  • Password reuse – If businesses use repeated passwords across accounts, stolen credentials can lead to broader credential stuffing attacks, exposing an entire network.

For SMBs, such attacks can be devastating, resulting in operational disruptions as well as financial losses and reputational damage.

Protecting your credentials with secure technologies

SMBs must take decisive action to protect themselves from these growing threats. Here’s how you can stay ahead of attackers and secure your password management systems effectively.

  • Adopt password managers that use zero-knowledge encryption. With zero-knowledge encryption the vendor never holds your master key, so a breach of the vendor’s servers yields only ciphertext. Be clear about what this does not cover: once a user unlocks the vault on an infected PC, an infostealer running as that user can read whatever the unlocked client exposes. Zero-knowledge protects the vault at rest and in the cloud, not on a compromised endpoint, so also keep vaults locked when idle with a short auto-lock timeout.
  • Enable multifactor authentication. Do this across all user and administrator accounts, making it harder for hackers to gain access.
  • Train your users. Educate employees about phishing attempts and other malware entry points. Teach them to recognize suspicious links and avoid downloading attachments from unknown sources.
  • Regularly update software. Make sure all software, including operating systems, browsers, and password managers, is updated with the latest patches to minimize vulnerabilities.
  • Review logs for unusual activity. Monitor activities in password managers and look for suspicious access or login attempts outside regular patterns.
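The “review logs for unusual activity” item above, together with the earlier point that a stealer needs only user-level access to scrape credential stores, as an added example that is not part of the original article: two detection rules run over constructed Sysmon-style file-access events. The event shape, the process names (invoice_viewer.exe and the rest) and the store paths are assumptions. Rule one flags any process other than the owning browser or vault application reading a credential store; rule two flags the burst pattern in which one process touches several distinct stores within a minute, which is how commodity stealers harvest every browser and vault they know of in a single pass.

```python
"""Flag infostealer-style reads of credential stores in endpoint file-access telemetry.

Added example; not code from the TechAdvisory article. The event shape, the store
paths and the process names are assumptions that mimic Sysmon-style telemetry and
the well-known locations commodity stealers scrape.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Credential stores that stealers harvest, each with the processes that legitimately
# own it (assumed). Needles are lower-case substrings matched against the file path.
CREDENTIAL_STORES: dict[str, tuple[str, frozenset[str]]] = {
    "chromium_logins": (r"\user data\default\login data", frozenset({"chrome.exe", "msedge.exe"})),
    "firefox_logins":  ("logins.json", frozenset({"firefox.exe"})),
    "firefox_keydb":   ("key4.db", frozenset({"firefox.exe"})),
    "keepass_vault":   (".kdbx", frozenset({"keepass.exe"})),
}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    process: str  # image basename as logged, e.g. "chrome.exe"
    path: str     # file the process opened for read


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    process: str
    detail: str


def classify_store(path: str) -> str | None:
    """Return the credential-store label a path belongs to, or None if it is not one."""
    lowered = path.lower()
    for name, (needle, _) in CREDENTIAL_STORES.items():
        if needle in lowered:
            return name
    return None


def detect(events: Iterable[FileEvent],
           sweep_window: timedelta = timedelta(seconds=60),
           sweep_min_stores: int = 3) -> list[Finding]:
    """Rule 1: a process that does not own a store reads it.
    Rule 2: one process touches several distinct stores inside sweep_window."""
    findings: list[Finding] = []
    touched: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        store = classify_store(ev.path)
        if store is None:
            continue
        proc = ev.process.lower()
        if proc not in CREDENTIAL_STORES[store][1]:
            findings.append(Finding("foreign_process_reads_credential_store",
                                    ev.user, ev.process, f"{store}: {ev.path}"))
        touched[(ev.user, proc)].append((ev.ts, store))
    for (user, proc), hits in touched.items():
        for i, (t0, _) in enumerate(hits):
            stores = {s for t, s in hits[i:] if t - t0 <= sweep_window}
            if len(stores) >= sweep_min_stores:
                window_s = int(sweep_window.total_seconds())
                findings.append(Finding("credential_store_sweep", user, proc,
                                        f"{len(stores)} stores within {window_s}s: {sorted(stores)}"))
                break  # one sweep finding per user/process is enough
    return findings


def sample_events() -> list[FileEvent]:
    """Constructed telemetry: normal browser and KeePass activity, then a sweep by a
    process that has no business with credential stores."""
    t0 = datetime(2025, 3, 4, 9, 15, 0)
    appdata = r"C:\Users\alice\AppData"
    chrome = appdata + r"\Local\Google\Chrome\User Data\Default\Login Data"
    ff = appdata + r"\Roaming\Mozilla\Firefox\Profiles\x1y2.default"
    vault = r"C:\Users\alice\Documents\work.kdbx"
    rows = [
        (0, "chrome.exe", chrome),
        (5, "firefox.exe", ff + r"\logins.json"),
        (6, "firefox.exe", ff + r"\key4.db"),
        (40, "KeePass.exe", vault),
        (300, "invoice_viewer.exe", chrome),
        (301, "invoice_viewer.exe", ff + r"\logins.json"),
        (302, "invoice_viewer.exe", ff + r"\key4.db"),
        (310, "invoice_viewer.exe", vault),
    ]
    return [FileEvent(t0 + timedelta(seconds=s), "alice", p, f) for s, p, f in rows]


if __name__ == "__main__":
    for f in detect(sample_events()):
        print(f"{f.rule:40} {f.user}/{f.process}: {f.detail}")
```

Run as a script it prints four rule-one findings for invoice_viewer.exe and one sweep finding; the benign chrome, firefox and KeePass reads produce nothing. In production, key the allow-list on code signer and full image path rather than the basename, since stealers routinely rename themselves; the rule logic stays the same.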

Password managers are indispensable tools for managing multiple accounts safely, but they’re not invincible. For SMBs, proactive security measures should be part of a broader strategy to strengthen operations against emerging threats.

Safeguard your business from various threats — contact our security experts to get started.


Published with consideration from TechAdvisory.org