Since Microsoft's announcement in 2011 that support for Windows XP would cease in 2014, speculation has been rife over just how this move will impact users. Ahead of the 8th April cut-off date, it was estimated that 40 per cent of corporate desktops/laptops were still running Windows XP.
A lucky few, like the NHS, are likely to receive extended support from Windows past the deadline. Most others still running XP will find their businesses exposed to an onslaught of vulnerabilities, as technical support and security updates will no longer be provided.
These organisations are left with a tough choice to deal with the inevitable: continue as usual with XP, or upgrade to Windows 7 or 8. The fundamental choice hangs on the question of whether an organisation consistently patches its operating systems and software.
For some systems, like those used within SCADA environments, the answer may well be no, in which case they will likely notice no change to their security posture when the Microsoft support drops. However, for those which rely on patches and updates to keep business and customer information safe, the answer has to be 'upgrade'.
As these organisations ponder the risks vs. rewards of upgrading, they all too often overlook that cyber security is a business risk issue routinely discussed at board level; gone are the days when this was an IT issue. In fact, those who have not already realised this are already on the back foot.
Sure, upgrading is costly and can be disruptive – yet the consequences of cyber-attacks are now so severe that cyber defence has become (for some organisations) the main risk they face and therefore needs to be approached proactively and holistically.
Microsoft itself predicted that after the 8th April, the chance of malware infecting PCs running XP could jump by two-thirds.
The ugly truth is that businesses should only continue using Windows XP if they are prepared to accept that a breach could compromise any data, information or IP on their networks – and are, therefore, happy to face the consequences.
Windows XP will be vulnerable after support ceases – no amount of alternative measures will be able to change that. We exercise caution when we subject ourselves to risk – and whether businesses like to accept it or not, the same has to apply for the 'health' of businesses.
If a car is failing its MOT due to faulty brakes, it would be highly risky to continue driving it – especially if there are no new brakes available. In most cases people would resort to getting a new car, as the risk is simply too great.
For businesses that are risk averse, value their privacy and want their property to remain theirs – without theft or tampering – upgrading to a more secure OS is essential.
Security has to be holistic rather than a patchwork of disparate tools designed to firefight; security is about being proactive and being ready to be reactive.
Only if businesses ensure the security foundations are in place across their entire supply chain can they rest assured that their people, places and information are protected.
- Jason Kalwa is a cyber security consultant.