
My friend uses Microsoft Phone 8.1 mobile for a tax accountancy firm. As it hasn't received security updates for five years I believe that is a significant information security risk. However, the principal of the firm does not believe it to be a significant risk.

Only MMS, SMS and phone calls are made on the phone. MMS is sometimes used to send tax documents to the firm via pictures. No browsing of websites is done and it isn't even connected to the corporate network.

Can you help me explain to a CPA accountant principal in Australia why it's a business risk? Do you have links to Australian government websites or professional association websites?

  • Related: https://security.stackexchange.com/questions/57203/specific-security-concerns-with-now-unupdatable-win-xp/57210 – schroeder Oct 29 '20 at 12:58
  • Tasmania is important so as to put in relevant local knowledge. – Darryn Brisdaz Oct 29 '20 at 13:06
  • 1
    Cyber Essentials is not regional. It's applied globally. Why do you need local knowledge? Have you googled it? – schroeder Oct 29 '20 at 13:07
  • 2
    It took me 2 minutes to google "australia cybersecurity guidance" : https://www.cyber.gov.au/acsc/view-all-content/guidance/operating-system-hardening – schroeder Oct 29 '20 at 13:09
  • I clicked on your link, but using local knowledge will help persuade the CPA principal that this is a serious threat. Unfamiliar overseas sites aren't as useful for this purpose. – Darryn Brisdaz Oct 29 '20 at 13:12
  • This is such a basic, universal issue, getting local or general links is trivial. If you need something specific that will sway this particular person, then you might be the best person to know what would work. – schroeder Oct 29 '20 at 13:15
  • I guess I'm looking for case studies or examples of breaches. Thank you for your help. – Darryn Brisdaz Oct 29 '20 at 13:20
  • Your question is evolving fast and getting more and more complex. You now appear to want a risk assessment for this very specific context. This is not the best format for that. – schroeder Oct 29 '20 at 13:28
  • What is the best format for that then? – Darryn Brisdaz Oct 29 '20 at 14:28
  • 1
    If you want guidance on the general risks of running an unsupported OS, I've provided that. If you want to perform and full-fledged, targeted risk assessment for this specific scenario, an anonymous Q&A site is not going to work. You need to talk with someone who can help you delve into the assessment and ask the right questions. But, if you have a non-expert pushing back against experts, then you have to address the underlying human issue, not the technical security issue. – schroeder Oct 29 '20 at 15:32

1 Answer

Unsupported operating systems can have vulnerabilities that have no patch. Over time, that threat grows. That means that it becomes trivial for an attacker to be able to breach the device. A breach of the device means that all data on it is exposed as well as all the accounts (business, email, personal, banking, etc.).

Yes, there is a chance that the OS does not have a serious flaw, but there is a small set of people in the world who can make that assessment, conclusively. And a CPA is likely not in that set.

Updating from unsupported software is listed as an "essential" item in the NCSC's Cyber Essentials certification. If you don't, you are rolling the dice.

Links:

schroeder