You can’t claim you didn’t have plenty of warning: Microsoft announced back in 2011 that extended support for Windows XP would end in 2014. Mainstream support ended in 2009, but security updates have kept coming. Even so, according to a recent IDC study, XP suffers 27 percent more virus attacks than Windows 7, and the average time to recover from a malware attack is more than seven times as long. Supporting an aging operating system is already expensive, and the price goes up in April 2014, when security fixes stop for everyone except a few organizations with very deep pockets.

There are a number of reasons that some companies have made the decision to hang onto XP until the very end. Change is never easy; in the IT world, it often means hidden costs, a steep learning curve (for both admins and users) and unexpected bumps in the road in the form of hardware and software incompatibilities. No wonder the philosophy of “if it’s not broke, don’t fix it” is popular. The problem is that a Windows XP that’s frozen in time in terms of security is going to be irretrievably broken.

Some XP users have been in denial, even speculating that there would be a last-minute “bailout” to extend support if enough individuals and companies are still running XP when the deadline arrives. Less than a year ago, some experts still believed that Microsoft would “have no choice but to continue supporting XP.” Microsoft, however, has made it clear that the end-of-life date is firm. After April, critical updates will go only to companies that hold Premier Support contracts and also purchase the Custom Support option. Few companies can afford that: fees reportedly start at more than half a million dollars per year.

What does this mean to everyone else? To hackers, it means a golden opportunity. To Windows XP users, from home to enterprise, it means no more patches. It means any new vulnerabilities that are discovered will be wide open for attackers to exploit, unless third parties take it upon themselves to create fixes. That may not be possible even if there are third parties who want to take on the expense (and possible liability) of doing it. Because Windows source code is closed, those outside the company can’t legally modify it without Microsoft’s permission.

Security vendors are not abandoning XP overnight. Symantec has announced that it will continue to release antivirus definitions for XP “for the current product cycle,” while cautioning that the lack of OS and application patches will still lower the security level of XP systems. McAfee says it will continue to support XP SP3 after April “for a limited time, as long as it is technically and commercially reasonable.” Neither is a substitute for patching: antivirus can only recognize what it has a signature or heuristic for, while an unpatched vulnerability remains exploitable by anything new. AV, antimalware, vendor-supplied updates and the other controls in a layered defense are designed to work together, and removing the patch layer weakens all the rest.

All of this means the potential for big hits to the bottom line from downtime and lost productivity when (not “if”) unprotected XP systems are compromised. And it’s not only about direct monetary loss. If unpatched systems lead to exposure of client data, companies may find themselves not only losing business but in violation of the law. In regulated industries, companies have a legal obligation to take reasonable steps to protect such data, and failing to do so can expose them to fines or even criminal charges. In any industry, failure to secure systems could be viewed as negligence and result in civil lawsuits.

Statutory requirements in some countries, such as the U.K., explicitly impose a duty to have “modern and up-to-date software” as part of privacy laws. In other countries, such as the U.S., the standard is based on what would be considered reasonable and prudent and thus is open to interpretation by the courts. Even if a company escapes legal repercussions in the wake of an XP-related breach, media attention can drive customers away. Trust is a big factor in the business/customer relationship and a major security breach can damage a company’s reputation in ways from which it may never recover.

According to the August statistics from NetMarketShare, slightly more than a third of PCs worldwide (33.66 percent) were still running Windows XP and the Washington Post reported that Microsoft’s own statistics show about 30 percent of SMB customers haven’t yet upgraded. It’s time for the companies in that position to develop a plan – sooner rather than later.

GFI Cloud™ is offering free asset tracking which will help you start your plan by finding out which workstations are still using Windows XP.
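Before any migration plan can be drawn up, someone has to produce the list of machines that are still on XP. The PowerShell below is an added example for doing that on a Windows domain; it is not GFI Cloud code or anything taken from the original post. XP identifies itself to WMI as Windows NT kernel version 5.1 (Win32_OperatingSystem.Version starts with "5.1"), while the 64-bit XP Professional edition shares version 5.2 with Windows Server 2003, so the code checks the Caption as well. The host names in the sample inventory are constructed, not real systems; the live collector assumes you have remote WMI (RPC/DCOM) access to the workstations, and the optional Active Directory seed assumes the ActiveDirectory module (Get-ADComputer) is installed.

```powershell
# Added example (not GFI's code): find Windows XP hosts in an inventory and flag
# which of them are on SP3, the only XP service pack still receiving security fixes.

function Get-XPHosts {
    param(
        # Records with Name, Caption, Version and ServicePack, e.g. from Get-OSInventory below.
        [Parameter(Mandatory)] [object[]] $Inventory
    )
    foreach ($h in $Inventory) {
        # 5.1.x is XP (32-bit). 5.2.x is shared by XP Professional x64 and Server 2003,
        # so only treat it as XP when the product name says so.
        $isXP = $h.Version -like '5.1.*' -or
                ($h.Version -like '5.2.*' -and $h.Caption -match 'XP')
        if ($isXP) {
            [pscustomobject]@{
                Name          = $h.Name
                Caption       = $h.Caption
                Version       = $h.Version
                ServicePack   = $h.ServicePack
                # Pre-SP3 XP already gets no security updates; SP3 loses them in April 2014.
                StillPatched  = ($h.ServicePack -eq 'Service Pack 3')
            }
        }
    }
}

function Get-OSInventory {
    # Live collector: queries each host over WMI. Assumes remote WMI/RPC access.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Name        = $c
                Caption     = $os.Caption
                Version     = $os.Version
                ServicePack = $os.CSDVersion   # e.g. 'Service Pack 3'
            }
        } catch {
            # A host that cannot be reached is itself a finding: it may be off,
            # firewalled, or an unmanaged box nobody knows about.
            Write-Warning "$c : WMI query failed ($($_.Exception.Message))"
        }
    }
}

# Constructed sample inventory (hypothetical hosts) so the classifier runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'WS-ACCT-01';  Caption = 'Microsoft Windows XP Professional';           Version = '5.1.2600'; ServicePack = 'Service Pack 3' }
    [pscustomobject]@{ Name = 'WS-LAB-07';   Caption = 'Microsoft Windows XP Professional';           Version = '5.1.2600'; ServicePack = 'Service Pack 2' }
    [pscustomobject]@{ Name = 'WS-ENG-12';   Caption = 'Microsoft Windows XP Professional x64 Edition'; Version = '5.2.3790'; ServicePack = 'Service Pack 2' }
    [pscustomobject]@{ Name = 'SRV-FILE-01'; Caption = 'Microsoft Windows Server 2003 Standard';       Version = '5.2.3790'; ServicePack = 'Service Pack 2' }
    [pscustomobject]@{ Name = 'WS-HR-03';    Caption = 'Microsoft Windows 7 Enterprise';              Version = '6.1.7601'; ServicePack = 'Service Pack 1' }
)

# Offline run: expect WS-ACCT-01, WS-LAB-07 and WS-ENG-12, with only WS-ACCT-01 StillPatched.
Get-XPHosts -Inventory $sample | Format-Table -AutoSize

# Live run against the domain. The AD OperatingSystem attribute is only as fresh as the
# machine's last update of its computer object, so it seeds the list and WMI confirms it.
# $names = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' -Properties OperatingSystem |
#          Select-Object -ExpandProperty Name
# Get-OSInventory -ComputerName $names | Get-XPHosts | Export-Csv xp-hosts.csv -NoTypeInformation
```

Run the offline part as-is to see the classification; uncomment the last three lines on a domain-joined admin workstation to build the real list. Keep the CSV: it is the scope of the migration project, and the unreachable hosts the collector warns about belong on it too until someone accounts for them.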
