Security & Financial Impacts of Not Upgrading to Drupal 9

What if I don’t upgrade to drupal 9? This might be your question, and we’re here to answer it. This blog post will give you more insights into the potential risks and negative impacts of not upgrading to drupal 9. The three significant impacts of not migrating to the latest version of Drupal are financial, security, and business risks.

Security & financial impacts of not upgrading to Drupal 9

Since being released in January 2011, Drupal 7 has been widely used in many organizations’ digital projects. Previously, Drupal 7's end-of-life was scheduled for November 2021. Given the impact of COVID-19 on budgets and businesses, it will be extended the end of life until November 28, 2022.

Drupal 8 will still be end-of-life on November 2, 2021, due to Symfony 3's end of life. This raises a lot of questions for companies whose websites are built with these platforms. 
First, a little reassurance: there’s still time. The end-of-life hasn’t yet taken place, and it’s not too late to start a migration.
At the same time, the clock is ticking. It’s advisable to put your decision-making process in motion and start evaluating options and risks. To that end, Drupal users need to know precisely what their timeline for decision-making looks like and what the impacts and risks are – both of putting off a migration decision a little while longer, and of choosing not to re-platform at all.

The Clock is Ticking for the Older Versions of Drupal

The short answer is: it depends on what version of Drupal you’re running.

 “End of life” means that the source code will no longer receive security updates, bug fixes and new features. Like an abandoned building, it will slowly deteriorate, becoming less stable and safe over time.

With Drupal 8, the deadline is closer than Drupal 7, but the good thing is that the update is way easier, especially if you have been doing your regular updates. However, any migration project should begin as soon as possible. Drupal 8 to 9 transfers are low risk, fairly seamless and can be completed over weeks, depending on the complexity of the website.
With Drupal 7, it’s a different story, the CMS changed fundamentally after this version, and it makes the upgrade much more complicated. Transfers from Drupal 7 to 9 are challenging, higher-risk projects and need time. That means companies should start migrating as soon as possible, even if the deadline was pushed to 2022 – not only to meet the Drupal 7 end-of-life deadline but to use the re-platforming opportunity to improve and redesign their site.

3 Major Impacts of Not Upgrading to Drupal 9

1- Financial Risks

A migration project can seem expensive, but avoiding one has hidden costs. First, since the Drupal community will no longer maintain the code, ensuring extra protection and custom infrastructure configurations is the safest route. Options on the market right now are moving to a PAAS that has committed extended support. Acquia Cloud and Pantheon will both offer such services. Depending on the level of security needed, this could mean tens of thousands of dollars of extra costs a year. Another platform or hosting company may develop a product for this purpose in future, but there’s no guarantee of that happening or what the cost will be. 
Maintenance costs will also increase. Companies staying with Drupal 7 will misspend an estimated 70% of their website budgets on maintenance and bug fixes instead of evolving and improving their websites.

2- Security Risks

Maintaining Drupal 7 without taking those extra security measures puts websites at increased risk from hackers. Other technologies in your digital environment – PHP, libraries, etc. – that run on Drupal 7 will also enter the end-of-life phase, leaving them vulnerable to attack. These risks increase over time as security vulnerabilities are discovered. There’s, therefore a high collateral risk of losing sensitive information, such as client account information and transactional data.

3- Business Risks

A website that lives on an unsupported platform is fragile and prone to downtimes and bugs. If your digital experience doesn’t meet the expectations of internal users and visitors alike, there’s a risk of losing clients, customers, and that competitive edge in the market. 
System attacks can jeopardize entire organizations. Ransomware attacks on businesses have increased over the past decade and are expected to continue, with outdated software one of the primary vectors of attack.
Risks of cryptojacking increase as well since CMS vulnerabilities are often targeted by crypto-jacking attacks.

A Better Long-term Investment: Replatforming

The question companies need to ask themselves when evaluating their Drupal end-of-life strategy is: How can I keep getting value out of my website? By all measures, this will be best achieved through re-platforming. Without it, hosting and maintenance costs will rise, and organizations will face increasing security and business risks over time.
Delaying your replatforming will come at a significant long-term expense, even if it might seem like a significant cost up-front.

Instead of wasting resources to maintain and support an outdated version of Drupal, use them to create more value for your company. 
The costs, investments, impacts, and risks of Drupal re-platforming will vary for every company. Our experts will be happy to help you understand your scenario and develop an effective and implementable strategy.

Sign up for the Newsletter.

The ideal scenario is easier to imagine than to implement.
Subscribe to the Symetris newsletter to find out where to start.