Security & financial impacts of not upgrading to Drupal 9

Drupal 7 and Drupal 8 end-of-life

drupal 9 goal

Since being released in January 2011, Drupal 7 has been widely used in many organizations’ digital projects. Previously, Drupal 7's end-of-life was scheduled for November 2021. Given the impact of COVID-19 on budgets and businesses, it will be extended the end of life until November 28, 2022.
 
Drupal 8 will still be end-of-life on November 2, 2021, and this is due to Symfony 3's end of life. This raises a lot of questions for companies whose websites are built with these platforms. 
 
First, a little reassurance: there’s still time. The end-of-life hasn’t yet taken place and it’s not too late to start a migration. At the same time, the clock is ticking. It’s advisable to put your decision-making process in motion and start evaluating options and risks. To that end, it’s important for Drupal users to know precisely what their timeline for decision-making looks like and what the impacts and risks are – both of putting off a migration decision a little while longer, and of choosing not to re-platform at all.

How Long Can I Delay?

The short answer is: it depends what version of Drupal you’re running.
 
“End of life” means that the source code will no longer receive security updates, bug fixes and new features. Like an abandoned building, it will slowly deteriorate, becoming less stable and safe over time

With Drupal 8, the deadline is closer than Drupal 7, but the good thing is that the update is way easier, especially if you have been doing your regular updates. However, any migration project should begin as soon as possible. Drupal 8 to 9 transfers are low risk, fairly seamless and can be completed over weeks, depending on the complexity of the website.
 
With Drupal 7, it’s a different story, the CMS changed in fundamental ways after this version and it makesthe upgrade much more complicated. Transfers from Drupal 7 to 9 are challenging, higher risk projects and need time. That means companies should start migrating as soon as possible even if the deadline was pushed to 2022 – not only to meet the Drupal 7 end-of-life deadline, but to use the re-platforming opportunity to improve and redesign their site.

What if I Don’t Migrate? 

Cost Implications

A migration project can seem expensive, but there are hidden costs of avoiding one. First, since the Drupal community will no longer be maintaining the code,the safest route would be to ensure extra protection and custom infrastructure configurations. Options on the market right now are moving to a PAAS that has committed extended support. Acquia Cloud and Pantheon will both offer such services. Depending on the level of security needed, this could mean tens of thousands dollars of extra costs a year. It’s possible that another platform or hosting company will develop a product for this purpose in future, but there’s no guarantee of that happening, or what the cost will be. 
 
Maintenance costs will also increase. Companies staying with Drupal 7 will misspend an estimated 70% of their website budgets on maintenance and bug fixes instead of evolving and improving their websites.
 

Security Risks

Maintaining Drupal 7 without taking those extra security measures puts websites at increased risk from hackers. Other technologies in your digital environment – PHP, libraries, etc. – that run on Drupal 7 will enter the end-of-life phase as well, leaving them vulnerable to attack as well. These risks increase over time as security vulnerabilities are discovered. There’s therefore a high collateral risk of losing sensitive information, such as client account information and transactional data.

Business Risks

A website that lives on an unsupported platform is fragile and prone to downtimes and bugs. If your digital experience doesn’t meet the expectations of internal users and visitors alike, there’s a risk of losing clients, customers, and that competitive edge in the market. 
 
System attacks can jeopardize entire organizations. Ransomware attacks on businesses have increased over the past decade and are expected to continue, with outdated software one of the primary vectors of attack.
Risks of cryptojacking increase as well since CMS vulnerabilities are often targeted by cryptojacking attacks.

Replatforming is a better long-term investment

The question companies need to ask themselves when evaluating their Drupal end-of-life strategy is: How can I keep getting value out of my website? By all measures, this will be best achieved through re-platforming. Without it, hosting costs and maintenance costs will rise and organizations will face increasing security and business risks over time.
 
Delaying your replatforming will come at a significant long-term expense, even if it might seem like a major cost up-front.
 

Instead of wasting resources to maintain and support an outdated version of Drupal, use them to create more value for your company. 

The costs, investments, impacts, and risks of Drupal re-platforming will vary for every company. Our experts will be happy to help you understand your scenario and develop an effective and implementable strategy.

Sign up for the Newsletter.

The ideal scenario is easier to imagine than to implement.
Subscribe to the Symetris newsletter to find out where to start.