The Milk Carton Test: Does Your Tech Have an Expiry Date?
You would never drink milk without checking the date. Yet right now, thousands of UK small businesses are running their entire operation on software that went out of security support months or years ago.
No patch. No protection. Just blind faith that nothing bad will happen.
This week on the podcast, Noel, Graham, Lucy, and Mauven introduced the Milk Carton Test: a brutally simple framework for deciding which of your tech deserves a place on the counter and which needs to go straight in the bin.
Listen to the full episode here: [The Milk Carton Test — Episode Link]
The Problem in One Sentence
The food industry spent decades training us to respect expiry dates. The tech industry never bothered.
Your milk carton has a bold “use by” printed right on the front. Your router doesn’t arrive with “Best before: three years after install, after that it’s basically a welcome mat for hackers” stamped on the box. Your Windows laptop doesn’t come with a sticker reading “Use by: October 2025, or ransomware may occur.”
Instead, you get “end of life” and “end of support” buried in vendor documentation that reads like a pension brochure. And because there’s no obvious label, businesses do things they would never do with food. They throw away perfectly good milk one day over the date. But they’ll happily run a mystery Windows box on the shop counter, taking card payments, for years past its security deadline.
That is not a minor inconsistency. That is a genuine business risk.
What the Labels Actually Mean
Let’s decode the three phrases that come up in every tech conversation, because they are not the same thing.
“Still turns on” is the lowest possible bar. A 1970s deep fat fryer still heats oil. You wouldn’t pass a kitchen safety inspection with it. “Still turns on” means electricity goes in and lights come out. It says nothing whatsoever about whether the thing is safe to use.
“End of life” in vendor language usually means the product is no longer being sold and new features are no longer being added. It’s like the clearance shelf: on the way out, might still be getting the occasional safety notice.
“End of support” is the one that matters. That is when security updates stop. From that point, every new vulnerability found in that software stays open permanently. No patches. No fixes. Your device just stands there in the rain, shivering, while attackers make a list of everything they can exploit.
As Mauven put it on the podcast: once security updates stop, you are on borrowed time, especially if the device touches the internet, handles payments, or stores customer data.
The Stuff People Forget Has an Expiry Date
Windows PCs get most of the attention, and rightly so. Windows XP stopped receiving security updates in April 2014. Windows 7 followed in January 2020. Windows 10, which still powers a significant number of UK business machines, reached end of support on 14 October 2025. That date has passed. Anyone still running standard Windows 10 without paying for Microsoft’s Extended Security Updates programme is operating an unpatched operating system.
But the conversation is bigger than Windows. Think about:
Routers. That plastic box your ISP sent you in 2019 or earlier. Do you know if it still receives firmware updates? Most consumer and small business routers have a support window of three to five years. After that, known vulnerabilities accumulate and the vendor does nothing about them.
Network Attached Storage (NAS) devices. The little humming brick in the corner, usually labelled “accounts” or “backups.” These are frequently set up once and never touched again. They are both your most important asset and your softest target.
Card machines and POS systems. Payment processors maintain their own support schedules, and out-of-support payment kit can put you in breach of PCI DSS. Your payment provider can tell you whether your terminal is still supported. Ask them.
Specialist kit. The manufacturing control unit, the X-ray machine, the dental practice management software that “only runs on the old box.” These are the trickiest, because they often genuinely cannot be upgraded without replacing expensive hardware. The answer is not to ignore the problem. It’s to isolate those devices as thoroughly as possible and plan a realistic replacement timeline.
The “Use By” vs “Best Before” Framework
We introduced a simple two-tier labelling system on the podcast, and it’s worth repeating here.
Use by applies to anything internet-facing or holding sensitive data: routers, firewalls, VPN concentrators, POS systems, card machines, PCs handling customer data, financial records, or anything touching medical or health information. When these hit end of support, you plan to stop using them. Full stop.
Best before applies to lower-risk, internal-only equipment: a PC running a label printer in a back office, a display screen showing a dashboard, a standalone device with no network connection and no sensitive data. You still don’t want it running forever, but if it overruns the deadline slightly while you plan a migration, the blast radius is smaller.
Your Homework
Block out 30 minutes this week. Walk round the office or your workspace as if you’re cleaning out the fridge. Write down the obvious devices: laptops, desktops, the router, any server or NAS box, card machines, specialist kit. For each one, note what it is in plain language, what operating system or firmware it runs, and what it actually does for the business.
Then look up the end-of-support date for each critical item. “Windows 10 end of support” takes 10 seconds on a search engine. Your router model plus “end of life” takes another 10 seconds. If you can’t find the information easily, treat the item as “unknown, needs checking.”
Tag everything as use by or best before. Anything use by that is already past its support date goes on the urgent list: not “someday,” not “when the budget allows,” right now.
How to Turn This Into a Competitive Advantage
Here is something most small businesses miss entirely: your customers don’t know what software you’re running, but they can feel the consequences.
When your tills freeze on a busy Saturday, when your card machine sulks at payday, when your booking system goes down for three days following a ransomware infection, customers draw conclusions. Not about technology. About how seriously you take your business.
Businesses that actively manage their tech lifecycle have fewer unplanned outages. They have a smaller attack surface. And increasingly, they can demonstrate that commitment in writing: through Cyber Essentials certification, through their privacy notices, through the answers they give when a procurement process asks “do you run supported software?”
Cyber Essentials, the UK government-backed certification scheme, requires that all software receives vendor security updates. Getting your lifecycle management sorted is not just risk reduction. It opens doors.
How to Sell This to Your Board
The insurance argument. Cyber insurers are increasingly declining claims where the insured was running out-of-support software at the time of the incident. If you want your insurance to be worth the paper it’s printed on, you need to be able to demonstrate that your devices were running supported software.
The regulatory argument. UK GDPR requires that organisations implement “appropriate technical and organisational measures” to protect personal data. Running out-of-support software on systems that handle customer, employee, or financial data is difficult to defend as “appropriate.”
The cost argument. Replacing a £400 laptop on a planned schedule is a budgetable, manageable expense. Recovering from a ransomware incident that entered through an unpatched machine is not.
What This Means for Your Business
- Do the audit. 30 minutes, notepad, walk round the office. List every device that touches the internet, handles payments, or stores data.
- Check the dates. For anything running Windows 10 or older, your operating system is already past standard support. For routers, check the manufacturer’s website.
- Tag your risk. Use by, or best before. Anything use by and past its support date goes on a list with a deadline attached.
- Isolate the stragglers. If you genuinely cannot replace out-of-support kit immediately, take it off the main network, restrict access, and set a fixed replacement date.
- Ask your IT provider. Ask them directly: which devices in our environment are running out-of-support software? The answer should be immediate and specific.
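The homework above and this checklist describe one procedure: inventory the kit, look up each end-of-support date, tag it use by or best before, and put expired use-by items on the urgent list. The script below is an added example (not from the podcast or this post) that carries that procedure out on a constructed inventory; the Windows dates are the ones quoted in the post, while the router and dashboard dates and all device names are made-up placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Device:
    name: str
    platform: str
    end_of_support: Optional[date]   # None means "couldn't find it"
    internet_facing: bool = False
    handles_payments: bool = False
    sensitive_data: bool = False

def tier(d: Device) -> str:
    """The post's two-tier label: risky kit is 'use by', everything else 'best before'."""
    if d.internet_facing or d.handles_payments or d.sensitive_data:
        return "use by"
    return "best before"

def status(d: Device, today: date) -> str:
    """Action for one device on the audit date, following the post's rules."""
    if d.end_of_support is None:
        return "unknown, needs checking"
    if d.end_of_support > today:
        return "supported"
    # Past the date: 'use by' kit is urgent, 'best before' kit gets a planned migration.
    return "URGENT: replace or isolate" if tier(d) == "use by" else "plan migration"

def audit(devices, today):
    """One (name, tier, status) row per device."""
    return [(d.name, tier(d), status(d, today)) for d in devices]

def urgent_list(devices, today):
    """Names that belong on the post's 'right now' list."""
    return [n for n, _, s in audit(devices, today) if s.startswith("URGENT")]

# Constructed inventory. Windows dates are the ones quoted in the post;
# the router and dashboard dates are invented placeholders.
INVENTORY = [
    Device("Shop till", "Windows 10", date(2025, 10, 14), handles_payments=True),
    Device("Label printer PC", "Windows 7", date(2020, 1, 14)),
    Device("ISP router", "router firmware", date(2023, 6, 30), internet_facing=True),
    Device("Accounts NAS", "NAS firmware", None, sensitive_data=True),
    Device("Dashboard screen", "signage firmware", date(2027, 1, 1)),
]

if __name__ == "__main__":
    for row in audit(INVENTORY, date(2025, 11, 1)):
        print("%-18s %-12s %s" % row)
    print("Urgent:", urgent_list(INVENTORY, date(2025, 11, 1)))
```

Swap the constructed list for your own walk-round notes; a device with no findable date deliberately lands in "unknown, needs checking" rather than being silently treated as supported.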