Qualys launches report to tackle tech debt & cyber risks

Qualys has launched its Tech Debt Report, an initiative to assist organisations in identifying and mitigating cyber risks associated with end-of-life (EoL) and end-of-support (EoS) technologies.

The report is intended to help IT and security teams work collaboratively to address the vulnerabilities in outdated technology infrastructure.

The company highlights that tech debt is often perceived as a problem primarily for IT departments, with Chief Information Officers (CIOs) or Chief Technology Officers (CTOs) managing the budget and upgrades for obsolete technology. This perspective, according to Qualys, exposes businesses to critical cyber risks. Attackers frequently target EoL and EoS technologies, making it necessary for Chief Information Security Officers (CISOs) to address these issues in partnership with their counterparts in IT.

Data from the Qualys Threat Research Unit underscores the severity of the issue: 20% of critical assets were found to have high-risk EoS software, and 48% of vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploitable Vulnerabilities (KEV) catalogue were present on EoS software.

Furthermore, vulnerabilities in EoS software are four times more likely to be weaponised than those in supported versions.

The report points out that prominent cyberattacks have been linked to outdated software. For example, more than half of all application installations with Log4j were in an end-of-support state at the onset of the Log4Shell vulnerability. Additionally, 98% of computers affected by the 2017 WannaCry attack were running an EoL version of Windows 7.

Qualys notes that despite increasing regulations and guidelines from bodies such as the National Institute of Standards and Technology (NIST), many organisations still fail to prioritise cyber risks in their technology upgrade plans. IT teams often focus on minimising disruption and only react to threats after breaches have occurred, evidenced by incidents like Log4Shell.

In an effort to shift from a reactive to a proactive stance, Qualys is offering its Tech Debt Report to all customers at no cost.

The tool aims to provide a comprehensive snapshot of current and upcoming EoL/EoS technologies, associated cyber risks, and tailored recommendations for priority upgrades. These insights are designed to be shared with IT leadership to foster collaboration between IT and security teams and to develop a tech debt programme that considers cyber risk from the outset.

The Tech Debt Report includes several key features. It facilitates proactive management by helping organisations plan technology upgrades six to twelve months in advance.

The report draws on the extensive database of the Qualys Threat Research Unit, encompassing data from over 5,000 software publishers and 1,400 hardware manufacturers.

Additionally, it maps tech debt to Common Vulnerabilities and Exposures (CVEs) and threat intelligence, taking into account asset criticality to identify the most pressing cyber risks.

Qualys encourages businesses to utilise the Tech Debt Report to gain a detailed overview of their EoL/EoS technology landscape, thereby enabling them to safeguard against hidden cyber threats.

The report aims to empower organisations to prioritise technology upgrades in a way that integrates both operational and security considerations, helping to mitigate risks before they manifest in cyber incidents.