Alan McCafferty · uOttawa PDI News · Posted: May 29, 2025 1:28 PM EST
One of the greatest challenges in cybersecurity is that it’s a constantly evolving discipline. This would be challenging enough if it were simply the discipline that was always changing. But not only is the broader business environment in a constant state of flux, there’s a parallel industry of cybercrime that is itself always learning and experimenting.
Zero-day attacks by sophisticated cybercrime organizations have become regular news items, like this recent attack on Microsoft. Cybercrime has long since gone from fragmented and opportunistic attacks by independent bad actors to a sophisticated criminal enterprise. These are, in a word, businesses.
Like any business, these are operations designed to be cost-effective. They’re looking for low-hanging fruit and the opportunity to make the greatest possible amount of money for the least amount of time and effort. Paradoxically, this means the most efficient targets for cybercriminals are the largest software companies in the world.
And the reality is that one of the biggest cybercrime opportunities in history is looming right on our doorstep, and many of the businesses caught up in it don’t even realize it.
End of Windows 10 Support Is a Cybersecurity Wakeup Call
Today, many organizations still rely on Windows 10 for enterprise applications, industrial control systems, and operational workflows. In fact, Windows 10 is installed on more than 600 million PCs globally. Upgrading these systems isn’t always straightforward. Free upgrades to Windows 11 can fail, the system CPU may be outdated, and, in many cases, Windows 10 is embedded in critical infrastructure where upgrading may not be possible without significant downtime or re-engineering.
However, it is imperative that all organizations conduct a thorough inventory of Windows 10-dependent machines and applications and perform a full dependency analysis before September 2025. Yes, September, because as of October 14, 2025, Microsoft will officially end support for Windows 10, a move that will leave approximately 60% of business and small office computers worldwide without critical security updates.
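As an added example (not from the article or from uOttawa PDI), the PowerShell below produces one inventory record for the local machine: whether it runs Windows 10, how many days remain before the October 14, 2025 cutoff the article cites, and the firmware and TPM facts that decide whether the free Windows 11 upgrade is even possible. The output field names and the triage labels are my own.

```powershell
# Added example (not from the article): per-machine Windows 10 exposure record.
# Run in an elevated PowerShell session; Confirm-SecureBootUEFI needs administrator rights.
$EndOfSupport = [datetime]'2025-10-14'   # Windows 10 end-of-support date cited in the article

function Get-Win10ExposureReport {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $isWin10 = $os.Caption -like '*Windows 10*'

    # TPM: Windows 11 requires TPM 2.0. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # UEFI: Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on legacy BIOS,
    # so an exception means the machine lacks the UEFI firmware Windows 11 needs.
    try   { [void](Confirm-SecureBootUEFI); $isUefi = $true } catch { $isUefi = $false }

    $daysUntilEos = if ($isWin10) { ($EndOfSupport - (Get-Date).Date).Days } else { $null }

    # Triage label (my own naming): Windows 10 machines that cannot take the free upgrade need a
    # replacement or compensating-controls plan before the cutoff.
    $triage = if (-not $isWin10)                          { 'NotAffected' }
              elseif ($tpmVersion -eq '2.0' -and $isUefi) { 'UpgradeCandidate' }
              else                                        { 'ReplaceOrIsolate' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        Build          = $os.BuildNumber
        IsWindows10    = $isWin10
        DaysUntilEOS   = $daysUntilEos
        TpmSpecVersion = $tpmVersion
        UefiFirmware   = $isUefi
        Cpu            = $cpu.Name   # compare against Microsoft's supported-processor list separately
        Triage         = $triage
    }
}

Get-Win10ExposureReport | Format-List
```

For a fleet, run the function through Invoke-Command against your host list and pipe the records to Export-Csv; the resulting sheet is the starting point for the dependency analysis the article asks for.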
This transition is one of the most significant cybersecurity challenges since Y2K. Once support ends, Windows 10 systems will no longer receive patches for newly discovered vulnerabilities. So, if your organization has ever considered doing a Threat Risk Assessment (TRA) of your systems, the end of Windows 10 support is the perfect reason.
Another reason is the increasing sophistication of cyberattacks. According to a recent Forbes article by Zak Doffman, of the 600 million PCs running Windows 10, 240 million are ineligible for upgrades, and hackers are already stockpiling zero-day exploits, planning to launch targeted attacks once those systems are left unprotected. Without Microsoft’s regular patch cycles, these machines will remain indefinitely exposed to emerging threats.
Regulatory Compliance May Also Be at Risk
Beyond the technical risks, organizations must also consider their compliance obligations. Security frameworks such as ISO, NIST, SOC 2, HIPAA, and others mandate that systems be regularly patched against known vulnerabilities. Privacy regulations such as PIPEDA, the Privacy Act, and GDPR have very strict requirements around the protection of personally identifiable information. Like the TRA, a detailed and comprehensive Privacy Impact Assessment (PIA) should be completed for all your affected systems. Continuing to use Windows 10 beyond October 2025 may put your organization in breach of one or all of these requirements.
Consider the implications of operating on an unsupported OS and non-compliance with security frameworks:
- Internal and regulatory audits are likely to flag Windows 10 machines as high-risk or non-compliant.
- Non-compliance may result in fines, penalties, and even loss of client contracts.
- Cyber insurance policies may be voided or premiums increased due to unsupported systems.
- Critical systems may be exposed, increasing the likelihood of data breaches and service disruptions.
After October, maintaining security on Windows 10 will be exponentially more difficult. Microsoft’s Extended Security Updates (ESU) program offers a temporary paid solution, but the cost is high, and it merely buys you time. It is not a long-term solution. If you plan to keep any Windows 10 systems running, you must be prepared to implement strong compensating controls, including virtual isolation, strict access restrictions, and advanced endpoint protection.
Ultimately, the broader infrastructure risks of running an unsupported operating system after October are profound. There is no magic bullet and no silver lining. Organizations that delay are placing themselves at unacceptable risk.
IT leaders must act and conduct the necessary TRA, PIA and Internal Audit, plan their upgrades or mitigations, and ensure their organization is not caught unprepared in what may be the most underestimated cybersecurity event in a generation.
Overcoming This Challenge Won’t Solve Cybersecurity
This is not the first time there’s been a situation like this, and it won’t be the last. Supply chains will likely struggle to cope with the massive device overhaul that’s needed for organizations to secure themselves. Much like planting a tree, the best time to investigate and ensure your cybersecurity is up to snuff and isn’t about to be compromised is, while maybe not 20 years ago, certainly earlier than now.
But this requires your organization to know what to look for. After all, you can’t fix problems you aren’t even aware exist. That’s why the uOttawa PDI Information and Cybersecurity Management Certificate is structured to provide industry professionals with the skills needed to identify potential risks, as well as perform the necessary technical steps to test and mitigate them. And the course goes beyond technical knowledge with training in the management skills needed to lead and guide teams, projects, and organizations through the process of recognizing and adapting effectively to cybersecurity risks.
By completing the Information and Cybersecurity Management Certificate program, you and your team will have the skills needed to effectively evaluate current and future risk exposures and make informed decisions that align with your specific business needs.
Check out our website for more info.