The End Is Nigh for Windows 10, Part 2:
The Coming Bring Your Own Device
(BYOD)
Disaster
Countless small businesses in the US (and I suppose around the world) rely on a cadre of independent contractors and consultants to get and keep their businesses up and running. From accounting to computing, many small businesses simply could not function without help from these self-employed consultants. According to the U.S. Bureau of Labor Statistics, self-employed workers numbered around 9.9 million in 2024. I include myself among this group self-employed consultants. And, like their clients, many of these consultants, myself included, operate on a shoe string budget.
It is common for these consultants to bring their own devices into their clients' workplaces. While BYOD might make sense from both a technical and economic perspective to all involved, as the Windows 10 End of Life (EoL) insinuates itself into the greater Windows ecosystem, the inherent risk that BYOD represents to clients' own computers and networks will become ever more acute. The risk lies in what security professionals call "lateral movement across a network." CloudFlare describes lateral movement thusly:
In network security, lateral movement is the process by which attackers spread from an entry point to the rest of the network. There are many methods by which they can achieve this. For instance, an attack could start with malware on an employee's desktop computer. From there, the attacker attempts to move laterally to infect other computers on the network, to infect internal servers, and so on until they reach their final target.
This kind of network traversal isn’t theoretical—it’s how ransomware spreads, how credentials are harvested, and how trust is weaponized.
Herein lies the risk of BYOD to a small business from an independent contractor's PC in the wake of Windows 10 EoL. Not every computer user knows or, even worse, cares about IT security. Malware infections, like auto accidents, happen to other people, and not to me. Even with up to date antimalware software, a computer will always be susceptible to a zero-day exploit. Wikipedia defines a zero-day exploit most succinctly.
A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.
When Microsoft , or any other software developer, issues a patch to its software product, it is most often to fix an issue that either has, or has the potential to become, a zero-day exploit. Herein lies the problem with Windows 10 EoL. Unless a user enrolls in the Windows 10 Extended Security Updates (ESU), as was discussed in-depth in the previous Dispatch, or the user takes the more costly, and yet more effective, alternative, and buys a new computer that runs Windows 11, because of lateral movement across the network, any Windows 10 computer that goes unpatched is a risk to all other computers in the same environment simply due to the fact that the different computers are sharing the same Internet connection.
Think of a shared network like a communal kitchen. If one person brings in spoiled food, everyone’s at risk. When multiple devices like laptops, desktops, or phones connect to the same router or modem, they’re typically assigned private IP addresses within the same subnet (e.g., 192.168.1.x). This forms a Local Area Network (LAN). Devices on the LAN can see and communicate with each other directly. Shared resources like printers or file servers become accessible across the LAN. Malware or attackers can scan the network for vulnerable devices and move laterally across the LAN. In practical terms, when one computer that is a security risk connects to a network to look something up on the web or read an email — even if only briefly — all machines will then share that same risk.
Most small businesses truly value the relationship with their independent consultants. Moreover, most small business owners have neither the time nor the expertise to perform even a modicum of device health check to verify that the device in question adheres to security best practices. Furthermore, if the consultant is an IT professional, then there is an assumption that the consultant would maintain security best practices on the own devices. Sadly, however, this is too often not the case.
This all came to light for me in my day to day consulting work. When it comes to IT best practices, I’m meticulous to a fault — some might say absolutist. A small business owner, who knows he must upgrade his small office Windows 10 EoL PCs, and who I have worked with on and off for several years, contacted me. It just so happened that another office I had worked with closed down. Although a few years old, the machines in the closed office were all maintained by me. Windows 11 ran perfectly on these computers. I would simply (for me) do a clean reinstallation of Windows 11 on each PC. Being four years old, the PCs had little actual resale value. I could offer them to the client who needed to upgrade for just a few hundred dollars for the group. The owner was happy to get something for the machines. The buyer would have saved several hundred dollars compared to buying new machines. I would get paid for the installations. All involved would come out a winner!
Except there is an independent contractor who comes in that office once a week. The independent contractor put his own old computer in the office. Without going into specifics, this particular independent contractor is somebody who is clearly dishonest and not trustworthy at all. He is somebody I will not do any work for. The contractor has a propensity to accuse others of things that they just did not do. We all know the type. Life is too short to waste time with a miscreant like this fellow. I told the buyer that the independent contractor had to upgrade his computer, too. And if he did not do so, he would risk the security of the entire office network. Thus, the whole deal has gone south — at least so far.
I suspect that some variation of this scenario is playing out in offices all across the US, indeed the world. I have read all that I can find about the Microsoft ESU program. What follows is my own opinion (or guess) about the ESU. That said, my thesis here is based on my being in this market since the 1980s. Since the introduction and resounding success of Microsoft Office, Microsoft has leveraged Office to keep its customers in the Windows ecosystem. Yes, there is a dedicated version Office built to run on Apple systems. But Microsoft's real competition is the various Linux OS distros. Office does not run on Linux, except for the stripped down web versions of Office. ESU may keep the OS patched, but it doesn’t guarantee compatibility with future Office features or cloud services. Windows 11, while costly, is the only path to full support.
Microsoft Copilot AI agreed with this assessment of mine. Here is its reponse.
That’s a sharp—and historically grounded—observation, Gerald. Microsoft has long used Office as both a productivity suite and a strategic lever to drive OS adoption. Your prediction that future Office features will require Windows 11 is not only plausible — it fits a well-established pattern.
As Mister Spock once said, "Change is the essential process of all existence." Windows computer users, either now or in the foreseeable future, will be required to change to Windows 11. And this change will be, to one degree or another, disruptive. Yet, as Kahlil Gibran wrote in The Prophet, “Your pain is the breaking of the shell that encloses your understanding.” If you are now a Windows 10 user I implore you to: Embrace the change. Endure the short term pain. And before any consultant plugs into your network, type ‘WINVER’ into their search box. If it doesn’t say Windows 11, they’re not ready. And you will be all the better for having done so.
Or be this guy, until you can't be this guy any longer.
Please remember and never forget. In a shared network, one outdated device is all it takes to invite the vultures.
As cyber threats evolve, we need
to evolve as well.
—
Christopher A. Wray
Gerald Reiff