At the end of a busy day, the last thing a CIO or email system administrator wants to read is an end-of-life (EOL) notice from one of their software providers. Work is hectic enough – with security threats, budget cuts, employee and system performance targets, customer satisfaction reports and digital transformation objectives to be met – without needing to go through another risk assessment process for outdated software.
So, the inevitable question is usually, “Does it really matter if I run software beyond its end-of-life date?”
To help you make your decision, we’re going to take you through 5 risks you need to be aware of if you decide to continue running software after its EOL date.
5 Risks of End-of-Life Software
1. Jackpot for hackers
Software that has reached its end-of-life generally means that it is no longer supported by its maker. This commonly translates to no security fixes or critical bug resolution. Let me repeat, no security fixes or critical bug resolution. How many software products do you know that never need a security or bug fix?
In 2014, when Tom’s Guide asked Scott Kinka, chief technology officer at Evolve IP in Pennsylvania, United States, whether it was still safe to use Microsoft XP after its end of life on April 8, Kinka replied:
“Every standard desktop-security risk that a computer faces will be amplified, because there are no fixes being written by Microsoft. This involves every form of malware possible. Just assume someone is on your PC while you’re working. Every password, trade secret and bit of personal information is at risk. You just invited [hackers] in the front door.”
In 2017, the number one concern for 2,600 CIOs in 26 major US markets was maintaining the security of IT systems and safeguarding company information (and the number three concern was upgrading existing systems for business efficiency). In a separate survey, 400 IT decision makers said that the greatest security risk keeping them awake at night was employees not taking the proper security measures. Given that, why would any CIO choose to run outdated and hacker-vulnerable software?
2. Compliance violations
Talk to any IT industry auditor and they will tell you that running end-of-life software represents not only a significant risk to your security, but it also likely constitutes a compliance violation under various regulatory and compliance standards.
As an example, Mike Chapple, a senior director of IT with the University of Notre Dame, who previously served as an information security researcher with the National Security Agency and the U.S. Air Force, puts this in a US context for TechTarget:
“Almost every IT compliance regulation that comes to mind requires an organisation to take reasonable steps to protect the security of information and/or systems under its control. For example, section 164.308(a)(1)(ii)(B) of the HIPAA Security Rule states that covered entities must “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” Any company would be hard pressed to argue that running unsupported software has reduced risk to a reasonable and appropriate level, absent some significant compensating controls. Some regulations also address the issue of end-of-life software directly. For example, PCI DSS section 6.1 states that all organisations must “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” If the vendor no longer supplies security patches, you fall outside of compliance as soon as a new vulnerability is discovered.”
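To make the compliance point concrete, here is an added inventory audit script (not atmail’s code and not part of the original post). It flags components that are past their vendor EOL date, approaching it, or missing a vendor patch for longer than the one-month window quoted from PCI DSS 6.1 above. The inventory is constructed for illustration; only the atmail 7 EOL date (31 July 2019) comes from this page, and the other component names and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Component:
    name: str
    vendor_eol: Optional[date]             # None: vendor has published no EOL date
    latest_patch_released: Optional[date]  # newest vendor security patch (None: none known)
    latest_patch_applied: Optional[date]   # newest vendor patch actually installed

def audit(inventory, today, patch_window_days=30, eol_warning_days=90):
    """Return (component, finding, detail) tuples; an empty list means no issues.

    `today` may be a date or an ISO string. The 30-day patch window mirrors the
    "within one month of release" wording quoted from PCI DSS 6.1.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for c in inventory:
        if c.vendor_eol is not None:
            days_left = (c.vendor_eol - today).days
            if days_left < 0:
                # No vendor fixes will ever arrive: treat as a standing finding.
                findings.append((c.name, "EOL", f"unsupported for {-days_left} days"))
            elif days_left <= eol_warning_days:
                findings.append((c.name, "EOL_APPROACHING", f"{days_left} days of support left"))
        released, applied = c.latest_patch_released, c.latest_patch_applied
        if released is not None and (applied is None or applied < released):
            age = (today - released).days
            if age > patch_window_days:
                findings.append((c.name, "PATCH_OVERDUE",
                                 f"patch released {age} days ago not installed"))
    return findings

# Constructed sample inventory (placeholder names/dates except the atmail 7 EOL date).
SAMPLE_INVENTORY = [
    Component("atmail 7", date(2019, 7, 31), date(2019, 6, 10), date(2019, 6, 12)),
    Component("example-lib", None, date(2019, 5, 1), date(2019, 3, 1)),
    Component("example-os", date(2021, 1, 1), date(2019, 7, 20), date(2019, 7, 21)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, "2019-08-15"):
        print(*finding)
```

Run against a real inventory, the EOL findings are the ones no patching process can clear; the only remediation is migration or a documented compensating control.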
3. Higher operating costs
If you have an in-house technical team, you may decide that it’s not a priority to upgrade a vendor’s software and you’re at peace with running it past its EOL date because your organisation has the internal know-how for security patches and to adapt as/when needed. You’ve never had any major issue with that software in the past, so what could possibly go wrong, right?
But what might seem like the cheapest and easiest option often turns out not to be. The fact that you purchased external software (or the rights to use it) usually means you don’t have the in-house expertise to resolve bugs and produce security fixes quickly and easily, so doing this effectively costs you more than it should. And because it is not your core business, why would you suddenly redirect the resources you are paying to run your core business to maintaining externally purchased software that is beyond its EOL date?
4. Barrier to digital transformation
In the 5th annual Logicalis Global CIO Survey, which surveyed 890 CIOs in 23 countries to assess the role of CIOs and IT departments in driving the digital transformation of business in 2017-18, 44 percent of CIOs believed that complex legacy technology is a main barrier to digital transformation.
In other words, running old systems has been identified as a key reason that CIOs are not moving faster to adopt transformative technology such as hosted cloud products, artificial intelligence (AI) and greater automation, Internet of Things (IoT) and more.
5. Inferior product and software incompatibility
Product development is a very expensive process. Companies don’t typically release new products unless there is a clear value-add differential between the old product and the new product, from which customers could benefit.
In computer software, the improvements are usually in speed, aesthetics, usability, efficiency, capability and/or security. So, continuing to use an unsupported and/or obsolete product means you risk missing out on all of these core benefits, as well as their associated side benefits. Plus, old software typically becomes incompatible with new operating systems at some point, so running software past its EOL date is never a smart long-term decision.
Example: atmail’s newest products
Our newest products, atmail suite and atmail mail server, aren’t just the same products with different packaging. They represent a completely rearchitected email solution for a faster, scalable and more awesome user experience, built on the following cutting-edge technology:
- JMAP – a new standard for email clients to connect to existing mail stores, for live event updating and real-time synchronisation with JMAP Proxy; and
- Go(lang) – a server-focussed programming language created, used and extensively tested by Google. Go compiles to a highly performant native binary, with strong typing and a small resource footprint.
If you continued to use our old products, you would not only risk security vulnerabilities, but you would miss out on all of the improvements we’ve worked so hard to include for you in our new products.
Is software end-of-life a blessing in disguise?
Whilst it might not seem like good news at the time, software EOL can actually be a blessing in disguise. It means that your vendor is committed to keeping their software products up-to-date and at the cutting-edge, which means that as a result of the domino effect, your organisation is too.
If you’re not receiving regular end of life notices from your software vendors, you shouldn’t be relieved, you should be asking why.
End-of-life is a natural and logical part of a product’s lifecycle:
- beginning of life (product development and testing);
- middle of life (general availability and customer feedback); and
- end of life (retirement strategy and last sale date).
So, to deliver you the absolute best product possible, vendors need to be actively investing in product development, retiring old products and releasing better products.
atmail 7’s EOL date
Here at atmail, we’re committed to ongoing product development to improve the customer experience. That’s why, in the past 20 years, we’ve released eight new email software products. And that’s why we’re announcing today that the end-of-life date for our atmail 7 product will be 31 July 2019.
What does this mean for atmail customers?
To help you understand what atmail 7’s EOL date means, we talked to Daniel Viney, our Innovation Director:
atmail: Daniel, what does atmail 7’s EOL mean for current customers?
Daniel: atmail 7 (a7) was released in December of 2012 and has been the flagship product for atmail for the past five years. a7 is built in PHP on the Zend framework, but it is a mature product and it is now approaching the end of its lifecycle.
- From 1 August 2018, we will no longer be selling atmail 7 or actively developing the product. However, for 12 months, we will continue security fixes and the resolution of critical bugs. (Current customers can renew their licences and/or purchase extra mailboxes only if they agree to these terms.)
- From 1 August 2019, we will cease all security fixes and bug resolution. This means that from this date, the product will unfortunately become vulnerable to security threats and you will be running it at your own risk.
atmail: What will replace atmail 7?
Daniel: atmail suite and atmail mail server. These were publicly released in March 2017 and our customers have been gradually transitioning over to the new technology. We redesigned every aspect of our product stack to address the dramatic changes that have occurred for both ICT infrastructure and user expectations in the years since a7 was originally designed and released. Our new products leverage best-of-breed technologies (React, Golang, JMAP, IMAP, DAV) and the latest trends and standards in interaction design, user experience design and user interface design, to support a highly available, highly scalable, reliable email architecture and to provide a modern, fast and intuitive user experience for our customers and their users.
atmail: What does the new webmail product look like?
Daniel: Here is just one visual of our new webmail product (atmail suite), which offers a simple, elegant, intuitive interface and customer experience.
atmail: What are the benefits of atmail’s new webmail product, atmail suite?
Daniel: This table summarises the main features, advantages and benefits of our newest webmail product, atmail suite (a8):
atmail: In summary, can customers continue to use atmail 7 after its end-of-life date?
Daniel: We do not recommend it because: (a) there will be no security fixes; and (b) our newest products deliver superior user experiences. We want our customers to be using the best and safest products possible, so we encourage all customers to migrate to atmail suite and atmail mail server prior to 31 July 2019.
atmail: Where can customers ask further questions?
atmail: Anything else you’d like to add?
Daniel: Yes. A big thank you to all of our customers for your support to date. If it were not for your ongoing feedback and suggestions, we would not have the new, higher-quality products that we have today. So, thank you!