Windows XP users have been warned by Microsoft for years now that support for the more-than-decade-old operating system, as well as for Office 2003, would end on April 8, 2014. However, a significant number of machines are still on the operating system, posing a business risk that needs to be addressed now, say data security experts.
According to a recent blog post by Avast Software chief operations officer Ondrej Vlcek, “Our telemetry data shows that XP users are six times more likely to get attacked than Windows 7 users and once Microsoft stops issuing patches, this can worsen.” Vlcek cited widely reported estimates that around 95% of ATMs run on XP, but that is not the only concern. He added that “medical offices that store confidential patient information and stores that keep customer details, such as credit card numbers, on their computers running Windows XP could easily be attacked.”
In yet another example of how entrenched XP is, Dutch News reported April 4 that the Dutch government has signed a “multi-million euro” deal with Microsoft for continued support for its Windows XP systems, for between 34,000 and 40,000 Dutch national government civil servants. The article said that all Dutch government PCs will be migrated to a new system by next January, but two out of five local councils in the Netherlands are also still using XP and this arrangement does not include them.
But the biggest risk may be posed to small-to-medium businesses, according to Sergio Galindo, general manager of the Infrastructure Business Unit of GFI. The company provides software and hosted services to SMBs (with generally up to 1,000 users) for collaboration, network security, anti-spam, patch management, mail archiving and monitoring. The difference between SMBs and large companies is that the large companies realize they have a problem and have in-house IT support that can come to their rescue or are dealing with it in some other way - even if that means contracting directly with Microsoft for extended support at a high cost. But, he said, SMBs that don’t address the problem soon are putting their businesses at grave risk.
A year ago, 35% of GFI’s cloud product users were on XP. That number has now dropped to 23%. The data is based on anonymous reporting back to GFI through its cloud platforms, GFI Max and GFI Cloud, which support over one million PCs among its customer base. While it is encouraging that companies are getting the message, Galindo noted that, from an overall business perspective, 23% is still a high percentage “for something that is going away and is unsupported – especially something that is so core to your business.”
What presents a risk, he said, is that Microsoft will continue to issue warnings to the world, including hackers, that there are holes in similar operating systems, such as Microsoft Vista, Windows 7 and Windows 8. They will not mention XP but - despite the fact that those other operating systems have the same code base, and often have similar problems - the holes for XP will not be patched. The result is that “The problem actually compounds itself the longer you wait.”
GFI is providing reports to customers telling them which machines are running XP and communicating that, even if they cannot immediately upgrade their operating system for whatever reason, they should perhaps try to isolate machines running XP and not use them to surf the web or for email.
Sounding yet another alarm, last month, Simon Rice, group manager for the Information Commissioner’s Office (ICO), an independent authority in the U.K., issued a warning in his March 10 blog post telling organizations that it is their responsibility to maintain the security of any personal data they hold, and if a company is using old IT equipment it should be concerned about the end of support for Windows XP and Office 2003. “With 30% of PCs still using the 13-year-old operating system, this could become a serious problem,” wrote Rice, who cautioned companies not to forget that “this applies to third-party software too,” since “Java, Adobe Flash and web browsers regularly issue security updates which need to be managed.”
Underlining his message, he cited a more-than-$300,000 fine recently imposed on the British Pregnancy and Advisory Service as “a clear example of what can go wrong if you fail to keep your systems in a secure state.”
For his part, Galindo is monitoring the situation to see how many people are actually migrating at the eleventh hour. “There are always those people who wait until the very last minute,” he said, observing that the end of March was the end of a quarter, and some companies may have wanted to push the cost of the upgrade into this quarter.