Why Running Unsupported Windows Could Make You Personally Liable
24 June 2026 • Sarah Medcraf
A blog entry from our member Slowey Consulting:
In October 2025, Microsoft ended support for Windows 10. No more security patches, no more vulnerability fixes, no more protection against threats that emerge every month. For many small and medium-sized businesses (SMBs) across the UK, that deadline passed without anyone noticing.
This article is written for the director who assumes someone else is keeping the lights on when it comes to cybersecurity. When it comes to legal liability, that assumption will not protect you.
What "Unsupported" Actually Means
When Microsoft ends support for a version of Windows, it stops issuing security updates. Every new vulnerability discovered in that operating system will never be fixed. The door stays open, permanently.
The very first month after Windows 10's support ended, a critical flaw in the operating system was confirmed as being actively exploited by cybercriminals. Organisations covered by Microsoft's paid Extended Security Updates received a fix. No-one else received it. This pattern will repeat every month for as long as those machines remain in use.
Attackers don't need to be particularly skilled to exploit these weaknesses. The vulnerabilities are well-documented, publicly known, and the tools to exploit them are freely available online. Running an unsupported version of Windows is the digital equivalent of leaving your office overnight with a lock everyone knows is broken.
This applies to Windows 10, which reached end of life in October 2025, and equally to any business still running Windows 7, 8, or 8.1, all of which lost support years ago.
The Scenario Every Director Should Understand
A hacker identifies a PC in your business running an unsupported version of Windows. Using freely available tools, they gain access without your knowledge. They don't steal your data straight away. Instead, they use your machine as a proxy to conduct attacks on other organisations: banks, healthcare providers, legal firms, or other regulated businesses, anywhere in the world.
From the perspective of the organisation being attacked, the assault appears to originate from your network.
The consequences for your business can include involvement in a criminal investigation, regulatory scrutiny, civil claims, and serious reputational damage, even if you were entirely unaware that your machine was being used this way.
Ignorance, while understandable, is not a legal defence.
"We Already Have an IT Support Company"
Many SMBs have a relationship with an IT support company or Managed Service Provider (MSP). That typically means someone to call when a computer stops working or emails go down: a reactive arrangement. Something breaks; you call; they fix it.
What it almost never includes is proactive strategic oversight. Your IT support company is unlikely to be reviewing your operating system versions, assessing your exposure to emerging threats, or advising you on cyber risk. That's not a criticism; it's simply not what most SMB support arrangements cover.
The legal responsibility for the security of your IT environment sits with you, the director. Delegating IT to a third party transfers the task. It doesn't transfer the responsibility.
The Legal Framework You Need to Know
The Companies Act 2006 requires directors to exercise reasonable care, skill and diligence. Failing to ensure business systems run on supported software can constitute a breach of that duty. If a serious incident occurs, regulators and courts will not ask whether you understood the technical detail, but whether you took reasonable steps to govern the risk.
UK GDPR and the Data Protection Act 2018 require businesses to implement appropriate security measures for any personal data they hold. Running an unsupported operating system makes that very difficult to demonstrate. Under section 198 of the Data Protection Act 2018, directors can be prosecuted personally where a company commits a criminal offence attributable to their neglect. Enforcement is already happening: a UK law firm was fined £60,000 for inadequate security, and a water company faced a fine of nearly £1 million where the ICO explicitly cited unsupported software as a contributing failure.
The Cyber Governance Code of Practice, published by the UK Government and the NCSC in April 2025, sets out what boards are expected to do on cyber risk. It applies to organisations of all sizes, cannot be delegated away from the board, and removes any defence of not knowing what was required.
Cyber insurance is a further risk. Running unsupported software can void your policy entirely, leaving your business to absorb the financial consequences directly.
What You Should Do Now
A director acting with reasonable care should be able to confirm which operating systems are running across the business, when the last security review was conducted and by whom, whether your cyber insurance covers incidents arising from end-of-life software, and what the plan is for upgrading machines that cannot run a supported operating system. If you can't answer these questions today, that's a risk indicator in itself.
If you have an IT support company, contact them and ask for a security audit covering operating system versions, any unsupported machines, and a remediation plan with a timeline.
If you do not have an IT support company, or if you want an independent strategic view rather than a purely technical audit, that's precisely the gap a Strategic IT consultant can fill; they will also introduce you to a reliable MSP if required.
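As an added example (not code from the original article or from Slowey Consulting), here is a PowerShell inventory that answers the first question above: it reads the Windows version from each machine and flags any past Microsoft's published end-of-support date. It assumes CIM/WinRM access to each host; the host list is a constructed placeholder.

```powershell
# Added example, not from the article. Inventory Windows versions across a set of
# machines and flag those whose vendor support has ended.
# Assumption: CIM/WinRM access to each host. The host list is a constructed placeholder.
$Hosts = @('localhost')   # replace with your estate, e.g. names from Get-ADComputer

# Ordered longest-name-first so 'Windows 8.1' is not mis-read as 'Windows 8'.
# Dates are Microsoft's end-of-support dates (Windows 10: 14 October 2025, as the article notes).
$Lifecycle = @(
    @{ Name = 'Windows 11';  End = $null },                   # still supported
    @{ Name = 'Windows 10';  End = [datetime]'2025-10-14' },
    @{ Name = 'Windows 8.1'; End = [datetime]'2023-01-10' },
    @{ Name = 'Windows 8';   End = [datetime]'2016-01-12' },
    @{ Name = 'Windows 7';   End = [datetime]'2020-01-14' }
)

function Get-WindowsSupportStatus {
    param([string]$ComputerName)
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        # An unreachable machine is itself a finding: you cannot attest to what you cannot see.
        return [pscustomobject]@{ Host = $ComputerName; OS = 'UNREACHABLE'; Build = $null; Status = 'UNKNOWN'; EndOfSupport = $null }
    }
    $entry  = $Lifecycle | Where-Object { $os.Caption -like "*$($_.Name)*" } | Select-Object -First 1
    $status = if (-not $entry)                     { 'UNKNOWN' }      # e.g. Windows Server: check separately
              elseif (-not $entry.End)             { 'SUPPORTED' }
              elseif ((Get-Date) -gt $entry.End)   { 'UNSUPPORTED' }
              else                                 { 'SUPPORTED' }
    [pscustomobject]@{
        Host         = $ComputerName
        OS           = $os.Caption
        Build        = $os.BuildNumber
        Status       = $status
        EndOfSupport = if ($entry) { $entry.End } else { $null }
    }
}

$report = foreach ($h in $Hosts) { Get-WindowsSupportStatus -ComputerName $h }
$report | Format-Table -AutoSize

# Anything UNSUPPORTED or UNKNOWN belongs on the remediation plan the article asks for.
# Machines covered by paid Extended Security Updates must be recorded as exceptions by hand;
# the operating system does not report ESU enrolment here.
$report | Where-Object { $_.Status -ne 'SUPPORTED' } |
    Export-Csv -Path .\unsupported-windows.csv -NoTypeInformation
```

The CSV gives the director a dated record of which machines were unsupported and when that was known, which is the evidence a "reasonable steps" question turns on.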
The Bottom Line
Unsupported Windows is a known, documented security risk. The tools to exploit it are accessible to attackers with modest ability. UK law places the responsibility for managing that risk squarely on company directors.
Having an IT support company doesn't change this. Being a small business doesn't change this. Not having been attacked yet doesn't change this.
The door is currently unlocked. The question is whether you choose to lock it.
Martin Slowey is the founder of Slowey Consulting, a Strategic IT Leadership consultancy working with SMB directors and leadership teams across Moray and the North East of Scotland. For an independent strategic review of your organisation's IT, contact him at contact@slowey.biz or visit www.slowey.biz.
This article represents the professional opinion of the author and is intended for general informational purposes. It does not constitute legal advice. Directors with concerns about their specific legal exposure should seek independent legal advice.