Features 28.01.2025

Windows 10 Is Nearing End of Life, So What Should CISOs Do?

With less than a year to upgrade, the clock is ticking for organisations

Microsoft will end support for Windows 10 in October 2025. Kate O’Flaherty asks, what does that mean for security teams?

After October 14 2025, Windows 10 will still function, but the operating system (OS) will no longer be secure. That’s because it won’t receive fixes and updates, or any new security features. The end result is that Windows 10 machines will be more susceptible to attacks, whose impact could be greater. It also makes exploitation more likely to succeed and harder to detect, the UK’s National Cyber Security Centre (NCSC) says.

So what can security teams do now to ensure risk is suitably managed ahead of the deadline?

No time to waste

Microsoft’s Windows is the most widely used OS in the world. As of October 2024, Windows 10 is projected to have 61% share, amounting to around 700 million PCs running the soon-to-be-outdated software. With an attack surface that huge, there’s no doubt attackers will target end of life (EoL) Windows 10 systems – particularly in sectors such as healthcare and critical infrastructure, which are more likely to operate legacy environments.

A year might seem a long time, but it’s not, especially for those with complex IT infrastructure to migrate. And it could mean some firms need to upgrade their hardware too. One-in-five Windows PCs is not eligible to upgrade to Windows 11, according to analyst Canalys. That’s equivalent to the total number of PCs sold in 2023, the analyst claims.

With less than a year to upgrade often critical systems, it’s time for CISOs to consider their options.

No patches, no problem?

Sticking with EoL Windows 10 is the least secure option, meaning machines won’t receive Microsoft patches when new CVEs are found, says Greg Day, global field CISO at Cybereason. The consequences of adversaries using these flaws in attacks can be dire, but failing to upgrade in time is all-too common. A large number of organisations continued to use Windows XP long after support was withdrawn – mainly because they felt they didn’t have any other option, Day says.

“In many instances, organisations had no choice, as it was embedded into capabilities that either they couldn’t afford to update, or weren’t able to, as they were part of a managed solution,” he tells Assured Intelligence.

Fast-forward to now and many firms operate vast numbers of Windows 10 computers. Simply upgrading a whole fleet of systems to Windows 11 is an “unrealistic expectation”, says Nick Ball, IT director at Agilitas.

That’s why Microsoft is offering a Windows 10 support extension, to give CISOs and IT chiefs some wiggle room in which to stagger roll-outs. However, it’s not a long-term solution – and the costs can add up. Microsoft’s extended support is only confirmed for three years and doubles in price every year. Therefore, time is of the essence: CISOs will “want to action their Windows 11 upgrade plans as efficiently as possible”, says Ball.

Jason Westhaver, security architect with eSentire’s CISO team, goes one step further. He doesn’t think it’s worth paying Microsoft for extended support and says firms should instead upgrade to the latest OS.

“Purchasing extended security updates for Windows 10 should not be seen as a positive investment for your business. By not upgrading, your organisation is essentially subsidising the continued development of an end of life operating system,” he tells Assured Intelligence.

Even organisations concerned about stability and compatibility should have little reason to stay on Windows 10.

“Windows 11 is stable: Microsoft has been supporting it for three years, and it has been fully compatible with Windows 10 applications since its release in 2021,” says Westhaver.

He thinks a year is plenty of time to get things sorted, rather than paying an unnecessary fee to delay the inevitable.

“IT teams have nearly a year to migrate to Windows 11 and Microsoft has made the process very manageable,” Westhaver adds. “A well-run business should already have a patching process in place that can easily handle the upgrade from Windows 10 to Windows 11.”

Even though upgrading to Windows 11 will add costs, it’s a one-time commitment, adds Mayuresh Dani, manager, security research, Qualys Threat Research Unit.

“In most cases, this upgrade cost offsets any future losses arising out of hacking attempts,” he tells Assured Intelligence.

Taking risk-based decisions

But what about organisations that do need to continue running Windows 10 after the October 2025 deadline?

If there’s no other choice, Westhaver urges IT leaders to pay for extended support in order to continue to receive security patches. In regulated industries, this is especially important.

“Companies required to adhere to compliance mandates, such as the EU update to the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard 4.0, are going to have to purchase the Extended Security Updates to remain compliant,” Westhaver says.

Cybereason’s Day positions paying for extended support as “a risk-based decision”.

“If a business has to keep running Windows 10, the first question should be, ‘what risk is being exposed and for how long: What would be the impact if the worst-case scenario happened?’”, he says.

Organisations that choose to stay on Windows 10 must be prepared to address the “inherent risks and challenges associated with maintaining outdated software”, agrees Rob O’Connor, technology lead and CISO (EMEA) at Insight. Implementing best practices and security measures can help “mitigate potential vulnerabilities and ensure a smooth upgrade process”, he says.

Cybereason’s Day also advises having security countermeasures in place to help reduce the risks associated in staying on a legacy OS. This could include virtual patching or other preventative security controls such as endpoint detection and response (EDR) solutions that support legacy operating systems, he says.

Either way, visibility is key. It’s important to know every single Microsoft machine in the organisation, and their patch status, in order to effectively mitigate cyber risk. The clock’s ticking.
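The visibility Day and O’Connor call for starts with knowing, per machine, which Windows it runs, how current its patches are and whether the hardware can take Windows 11. The script below is an added example written for this article, not code from Microsoft or any of the vendors quoted; it assumes it runs elevated on the endpoint and that the TPM WMI class and Secure Boot cmdlet are available, and it checks only the TPM and firmware prerequisites, not CPU eligibility.

```powershell
# Added example: per-host Windows 10 end-of-life and Windows 11 readiness report.
# Run elevated; collect the object fleet-wide (e.g. via Invoke-Command) and filter
# on IsWindows11 -eq $false to find machines still on the clock.

$eol = Get-Date -Year 2025 -Month 10 -Day 14   # Windows 10 end of support

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Windows 10 and 11 both report major version 10; builds of 22000 and above are Windows 11.
$isWin11 = [int]$cv.CurrentBuild -ge 22000

# Most recently installed update, as a proxy for how current the patch level is.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# Windows 11 firmware prerequisites: TPM 2.0 and UEFI Secure Boot.
# Both calls fail on hosts without a TPM or booted via legacy BIOS, so treat errors as "not met".
$tpm = try {
    Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
} catch { $null }
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

# SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM specification version.
$tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Caption        = $os.Caption
    DisplayVersion = $cv.DisplayVersion          # null on builds before 20H2
    Build          = "$($cv.CurrentBuild).$($cv.UBR)"
    IsWindows11    = $isWin11
    DaysToWin10EoL = if ($isWin11) { $null } else { ($eol - (Get-Date)).Days }
    LastUpdate     = $lastFix.HotFixID
    LastUpdateDate = $lastFix.InstalledOn
    TpmSpec        = $tpmSpec
    TpmReady       = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
    SecureBoot     = [bool]$secureBoot
    Win11HwReady   = [bool]($tpmSpec -eq '2.0' -and $secureBoot)
}
```

A negative DaysToWin10EoL after the deadline, or a LastUpdateDate months old, is the kind of signal that should feed the risk-based decision Day describes.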

Five tips for vulnerability and patch management

Patching and vulnerability management are key, even after upgrading to a new OS. Here are five things to keep in mind:

  1. Develop a vulnerability management programme (VMP): “When properly implemented, a VMP is basically a form of insurance,” says Westhaver. This should include a dedicated coordinator who can keep track of detections and work with stakeholders and service owners to expedite patching, he says.
  2. Know your assets: “You can’t protect what you don’t know,” says Dani. “Asset discovery should be one of your vulnerability management pillars, so all virtual assets are accounted for and discovered.”
  3. Patch everything: Instead of patching only critical and important OS upgrades, every effort should be made to keep systems patched with available updates and applicable configuration guidelines.
  4. Prioritise fixes: Develop capabilities that help to prioritise the discovery and patching of assets.
  5. Do not wait: New exploits are discovered all the time, and the best defense is to be proactive, says Westhaver.

“If you know software has vulnerabilities, then patch it,” he adds. “If you know an OS or piece of software is going EoL, then form a plan well ahead of the date, not two weeks before the deadline.”
