OK, let’s have some straight talk about support for Windows XP being discontinued. I understand that there is no shortage of people knocking down your door telling you where and why you need to spend your upgrade dollars. Further, I understand we become numb to these discussions as the sky typically (as it turns out) doesn’t fall. However, let me present some other facts because the end of XP support is very real as are the implications.
It’s abundantly clear to me that there is not a consensus, even among seasoned IT professionals. Very likely they are professionals that haven’t been on the receiving end of an (the sky falling) audit, fines, or malicious attacks that could possibly cost them their job and the company days of production outage; and in many cases, data loss that couldn’t be recovered. I’ve personally seen all of these scenarios many times over; hence, our only stance will be to recommend that your best bet is a proactive approach to aggressively decrease your technology risk by keeping it up-to-date and in versions that are supported by the manufacturer.
Many industries have been forced to come up with work-arounds, including just accepting the risk since their software is not yet coded and/or approved to work with the latest Operating Systems. This is clearly a Band-Aid and not a fix, these strategies should not lull anyone into false sense of security. In our industry we have a saying “all software is broken we just don’t know how until someone discovers it;” hence the hundreds of patches that have been written for the XP OS since its inception.
Regardless of where you stand on the issue, here are some facts.
Windows XP has been supported for over 12 years. Of the 14 categories of updates, only security updates are available for support until April 8, 2014. After that, no new security updates will be issued for Windows XP.
As of April 8, these releases will no longer be written or released nor will Microsoft “support” the Operating System. While no one knows the exact number, it has been estimated that 29% of computers across the globe are still running Windows XP, according to NetMarketShare, and that means no one will be left watching over the herd. The vulnerabilities that are exposed will no longer be patched. This does not suggest that the system will stop working, or for that matter, ever even have a problem. However, it does indicate that the risks to your technology and exposure to threats will absolutely be increasing. Additionally, the XP operating system will be a preferred candidate for malicious efforts. Current articles explaining the risks:
Almost all regulatory compliance has language that effectively states you’re out of compliance if you’re not running supported software packages. Even if you aren’t directly impacted by a specific compliance requirement, this should be a wake-up call as to the level of concern over the matter. To soften the blow for its corporate and ATM customers, Microsoft will sell custom support that will allow companies to receive additional security patches.
Regarding Windows XP and PCI (credit card) compliance, here is an example reinforcing the above statement:
Without Microsoft’s technical support and security fixes, ATM operators also risk falling out of compliance with requirement 6.2 of the PCI DSS, which stipulates that all system components handling credit and debit cards are fully supported by a software or hardware vendor.
“If a vendor isn’t providing patches due to support having been discontinued, then by definition that system cannot be PCI DSS compliant,” said Jim Huguelet, an independent retail security consultant. “As a general rule, retailers would be concerned about running any systems without access to ongoing security analysis and patches, but it is PCI DSS requirement 6.2 that brings the issue to the forefront.”
See full article here:
This article by TechRepublic, a long standing go to source for engineers, puts it blatantly:
Running Windows XP means you are non-compliant and open to liability.
According to PC World magazine, Microsoft will offer a service to select industries for extended support at $200 dollars per unit for the first year.
This article from CNN Money confirms this; however, clearly states “this program is not for you and those industries it is aimed at have stated the program is cost prohibitive.”
Microsoft is about to take Windows XP off life support
So in summary, sure you can absolutely stand by and not address the XP systems running in your environment. According to the statics cited, 10-30% of the business community is doing just that. It is our responsibility to inform our customers that there are increased risks and they are very real. It’s up to the individual responsible to decide if computer problems in your business environment which come from a known and yet unmanaged increased risk could translate into The Sky Is Falling.