Thinc insights
Windows 10 is approaching its end of life. For SMEs, this is a significant cyber security issue that must be addressed now. Let’s look at the risks and the steps you can take to keep your organisation secure.
On 12 May 2017, a ransomware attack began to spread across computers globally, which would ultimately cost businesses and governments worldwide an estimated $4 billion.
WannaCry exploited a vulnerability in computers that were mostly running older versions of Microsoft Windows. The attackers encrypted critical data files on over 230,000 business computers and essentially held them hostage – demanding a Bitcoin ransom in return for not deleting the data. Many of these businesses paid the ransom, yet their data was deleted anyway.
The ransomware moved quickly. Once it entered a computer, it spread to other devices with the same vulnerabilities on the same network. WannaCry took just five days to spread across over 150 countries.
One of the most disastrous outcomes of WannaCry was its impact on hospitals. They were forced to cancel thousands of surgeries and care services. The attack cost the UK’s NHS nearly £100 million in damages. However, WannaCry didn’t only attack government institutions. Businesses across sectors – telecoms providers, automotive manufacturers, logistics firms – lost billions in damages.
On 14 October 2025, Windows 10 will reach its end of life. This means the operating system won’t receive new security updates from Microsoft unless Microsoft extends the end-of-life date.
End-of-life systems are one of the easiest entry points for cyber attackers. According to CrowdStrike’s latest Global Threat Report, cyber attacks on end-of-life products have become more common since 2023. Bad actors are developing exploits for end-of-life products, which are easy to deploy and difficult to detect.
Windows 10 is integral to many SMEs. Since its launch in 2015, it’s become the most popular Windows operating system – today, it still runs on more devices than Windows 11. After 14 October 2025, devices running Windows 10 will continue to work, but they will be vulnerable to cyber threats. SMEs that continue to run Windows 10 after its end-of-life date will be at serious risk.
Here’s how a WannaCry-like ransomware attack could take hold of an SME:
Barracuda Networks has found that SMEs are three times more likely to face cyber attacks than larger companies. This is down to a combination of inadequate cyber security tools, outdated systems, a lack of cyber security skills in workforces, and ineffective internal policies. Any of these weaknesses can provide a window of opportunity for cyber attackers.
Cyber attacks affect SMEs in both obvious and unexpected ways. For example, a ransomware attack on an end-of-life system like Windows 10 could cause several long-term challenges:
If your SME is running Windows 10 in any capacity, now’s the right time to act. Waiting until the October 2025 deadline looms could leave you open to a cyber attack.
Upgrading to Windows 11 is the most straightforward action you can take. If your devices meet the requirements, upgrading to Windows 11 is free.
If your devices don’t meet the requirements for Windows 11, it’s time to consider investing in new hardware. The cost of a hardware upgrade will vary depending on your company, but it’s likely to be an investment worth making when compared to the potential cost of a cyber attack.
Windows 10 isn’t the only system vulnerable to cyber attacks. Thinc’s managed services team helps SMEs ensure their data is safe with managed data backups, cloud migration and storage solutions, and expert support.
If you’re concerned about how Windows 10 – or end-of-life systems in general – could pose a threat to your company, consider a wider cyber security assessment. UK businesses have suffered an estimated 7 million cyber attacks in the last 12 . Conducting a holistic cyber security assessment protects your company from all angles, preventing risk from end-of-life systems and the many other cyber threats.
To achieve this, we recommend SMEs undertake the Cyber Essentials Plus certification. It’s a government-backed programme that verifies a company’s cyber security measures with an independent assessment.
Preparing for Cyber Essentials Plus requires an in-depth assessment of your current cyber security measures. We help SMEs secure their certificate with an end-to-end to identify and mitigate any possible issues.