Microsoft plans to end support for its 12-year-old Windows XP operating system (OS) on April 8, which means that the company will no longer provide security patches, technical assistance and other forms of service for those still using the software—a development that could leave businesses at increased risk of cyberthreats and other glitches if they don’t upgrade.
Microsoft has been warning users about the April 2014 cutoff for the past two years, noting in a statement on its own website that it intends to put its “resources toward supporting more recent technologies.” Sales of PCs preinstalled with Windows XP ended in 2010, and retail sales of the XP software itself ended in 2008.
Still, XP remains a fixture in homes and offices. In January, it accounted for nearly one-third of desktop and laptop operating system usage, according to the research firm Net Applications. And as of last April, the operating system was still in use at 45 percent of businesses, according to AppSense, an independent software vendor partnered with Microsoft.
Over time, those businesses that fail to upgrade their systems will become more vulnerable to threats like data breaches and malware, which could have an effect on their overall operations.
Indeed, in a statement issued last fall, the Federal Financial Institutions Examination Council, the interagency body that sets uniform standards and reporting forms for the federal examination of financial institutions, warned that potential problems could “include degradation in the delivery of various products and services, application incompatibilities and increased potential for data theft and unauthorized additions, deletions and changes of data.”
Earlier this year, Microsoft did offer a concession, announcing that it will continue to provide antimalware signature updates for Microsoft Security Essentials on XP through July 14, 2015, instead of terminating them next month. But the reprieve comes with a caveat: Security Essentials will not be available for download on XP after April 8, so users who want it would have to install it before that date. Moreover, it offers only partial protection: signature updates can help an antimalware scanner recognize known malicious files, but they do nothing to close vulnerabilities in the operating system itself, which is what the discontinued security patches addressed.
Consequently, businesses that rely on XP are now faced with a choice as to whether they want to upgrade to a more modern system or stay with the old OS and deal with the increased risk. Joel Lanz, a member of the NYSSCPA’s Technology Assurance Committee and a tech columnist for The Trusted Professional, acknowledged that the choice can be more complicated than it sounds:
Upgrading something like an operating system, he said, entails more than just going to the store, picking up a box and passing it off to the IT department. While the cost of the OS itself can be managed, he said, of greater concern for companies is the long list of additional considerations that comes with such a move. “What freaks everyone out is if you move to a new OS, [you then have to ask,] ‘Does this mean we have to upgrade equipment? Will our software work?’” he said.
For example, companies considering a change from Windows XP to Windows 7 might find that if they do make the switch, they will also need to upgrade their payroll software, database software, server architecture and security software. In addition, Lanz said, executives would have to think beyond their own internal operations to the network of vendors they rely upon.
“Even if I go out and spend money, buy new computers and get the new operating system, to what extent will my other application vendors be updating their systems to run with my new software?” he asked.
But the bottom line, many experts feel, is that an obsolete operating system is “inherently insecure,” Lanz said. And if a company doesn’t upgrade right away, it’s just biding its time until some kind of situation forces it to—and it won’t always be a good one. “I know whenever I walk into an environment and see that they have one of these older operating systems, they fail on controls,” he said.
Moreover, while there are certain businesses where security might not be as crucial—a pizzeria that takes orders over the Internet for example—Lanz emphasized that CPA firms do not fit into that category.
“A lot of CPA firms will play around and say, ‘I don’t need to do it.’ But guess what? You’re probably most vulnerable because you have confidential client information that you have to be careful to protect.”
A closer look at the upgrading process
Michael Pinch, also a member of the Technology Assurance Committee, knows all too well the challenges that Lanz is talking about: For the past year, Pinch has been overseeing a systems upgrade from Windows XP to Windows 7 for his entire company, a major health-care provider with more than 15,000 machines. While the risks for any company that fails to update its OS can be significant, Pinch said they’re especially pronounced in the health-care field. His organization, for example, has to comply with the Health Insurance Portability and Accountability Act of 1996, which contains numerous security standards to protect the confidentiality of medical records.
Pinch explained that the upgrading process began with a high-level inventory of all the machines that needed to be targeted. That step was harder than it sounds, because XP is not always visible as an ordinary desktop: it can also be embedded in specialized medical devices.
The next step, he said, was to assess whether the machines that needed to be upgraded actually met the minimum hardware specifications for that upgrade. To that end, Pinch said his team divided the list between those machines that could and could not handle the upgrade, and then figured out which machines they could completely replace.
After that, it was a matter of putting in place an automation tool that would migrate user data, with a hands-on technician intervening in the event of a problem. Having begun the process last April, he said that his team expects to be finished with it next month. But even after it’s completed, Pinch added that challenges will remain.
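The inventory and hardware-assessment steps Pinch describes are the part of the migration that lends itself to scripting. The following PowerShell script is an added illustration, not code from the article or from the organization it describes: it takes a list of XP inventory records and sorts each machine into “upgrade in place,” “replace hardware,” or “isolate embedded device,” using the minimum hardware requirements Microsoft published for Windows 7. The host names, the inventory records and the assumption that the 64-bit edition is the target are all constructed for the example; the commented `Get-ADComputer` and `Get-CimInstance` calls show where a real inventory would come from.

```powershell
# Added example: classify an XP inventory against the Windows 7 minimum
# hardware requirements. The sample records below are constructed so the
# script runs offline; on a real estate you would build them from Active
# Directory and CIM, for example:
#   Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' -Properties OperatingSystem
#   Get-CimInstance Win32_ComputerSystem -ComputerName $name   # TotalPhysicalMemory
#   Get-CimInstance Win32_Processor      -ComputerName $name   # MaxClockSpeed
#   Get-CimInstance Win32_LogicalDisk    -ComputerName $name   # FreeSpace on C:

# Microsoft's published minimums for Windows 7 are 1 GHz CPU, 1 GB (32-bit)
# or 2 GB (64-bit) RAM, and 16 GB (32-bit) or 20 GB (64-bit) free disk.
# The 64-bit edition is assumed as the target here.
$Win7Min = @{ CpuMHz = 1000; RamGB = 2; DiskGB = 20 }

function Test-Win7Ready {
    param([Parameter(Mandatory)] [pscustomobject] $Machine)

    $reasons = @()
    if ($Machine.CpuMHz -lt $Win7Min.CpuMHz)     { $reasons += "CPU $($Machine.CpuMHz) MHz < $($Win7Min.CpuMHz) MHz" }
    if ($Machine.RamGB -lt $Win7Min.RamGB)       { $reasons += "RAM $($Machine.RamGB) GB < $($Win7Min.RamGB) GB" }
    if ($Machine.FreeDiskGB -lt $Win7Min.DiskGB) { $reasons += "Disk $($Machine.FreeDiskGB) GB free < $($Win7Min.DiskGB) GB" }

    # XP embedded in a medical device does not appear as a normal workstation
    # and usually cannot be reimaged at all, so it is tracked as its own class
    # (vendor upgrade, virtualization, or network isolation).
    if ($Machine.Embedded)            { $class = 'Isolate-Embedded' }
    elseif ($reasons.Count -eq 0)     { $class = 'Upgrade-InPlace' }
    else                              { $class = 'Replace-Hardware' }

    [pscustomobject]@{
        Name    = $Machine.Name
        OS      = $Machine.OS
        Class   = $class
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample inventory (hypothetical hosts, not real machines).
$inventory = @(
    [pscustomobject]@{ Name = 'WS-0101';     OS = 'Windows XP Professional'; CpuMHz = 2400; RamGB = 4;   FreeDiskGB = 80; Embedded = $false }
    [pscustomobject]@{ Name = 'WS-0102';     OS = 'Windows XP Professional'; CpuMHz = 1200; RamGB = 1;   FreeDiskGB = 12; Embedded = $false }
    [pscustomobject]@{ Name = 'INFUSION-07'; OS = 'Windows XP Embedded';     CpuMHz = 600;  RamGB = 0.5; FreeDiskGB = 2;  Embedded = $true }
    [pscustomobject]@{ Name = 'WS-0201';     OS = 'Windows 7 Enterprise';    CpuMHz = 3000; RamGB = 8;   FreeDiskGB = 200; Embedded = $false }
)

# Only XP machines are in scope; Windows 7 hosts are filtered out up front.
$report = $inventory |
    Where-Object { $_.OS -like 'Windows XP*' } |
    ForEach-Object { Test-Win7Ready $_ }

$report | Format-Table -AutoSize
$report | Group-Object Class | Select-Object Name, Count
```

The per-machine `Reasons` column is what makes the list actionable for the budget discussion Pinch raises: a host that fails only on free disk is a cheaper fix than one that fails on CPU and RAM, and the embedded devices need a vendor conversation rather than a purchase order.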
For example, there’s the matter of what to do with the machines that, because of hardware problems, can’t be upgraded to the new OS—there may not be money in the budget to upgrade the hardware or replace the machine. Pinch also echoed Lanz’s point that, beyond the software itself, another factor is how different programs interact with each other.
“There’s software requiring Windows XP that isn’t going to run on Windows 7 that we need to run for medical reasons,” he said. “That’s where it gets more complex.”
Pinch said that his team is exploring several options, such as running a virtualization of Windows XP, putting it in read-only mode, or running the process on the server instead of the machine itself. He noted that they also need to get their vendors on board to make sure that they get upgraded as well.
“There are a lot of permutations we can go down for how to handle this, but it’s definitely a very complex problem,” Pinch said.
Overall, though, he commented that the main drag has been on manpower, rather than on the organization’s purse strings. He pointed out, however, that his organization is one that regularly cycles out old hardware and upgrades its machines. It’s company policy that every five years, a computer is automatically up for an upgrade or replacement.
“Other than the fact that our IT department has had to put a great number of hours into it, as far as end users [are concerned] our goal was to make it as painless as possible and I think we did a good job with that,” he said. “But the critical thing is trying to make an automated process to migrate the user data.”
Still, Pinch noted that it may not go as smoothly for other companies.
“I think it largely depends on how quick your organization is to upgrade and refresh,” he said. “If you’re an organization that continues to run computers that are six or seven years old, you will probably have cost issues and performance issues. But if you have a healthy refresh cycle, you probably won’t have much cost.”