April 14th, 2014 / Insight posted in Articles

Windows XP support cessation: SMEs warned of cyber-attack risk

With Windows XP residing within 77% of UK IT environments(1), Kingston Smith Consulting urges SMEs to review their IT infrastructure to avoid cyber-attacks.

Following Microsoft’s decision to cease producing any new security patches for Windows XP from 8 April 2014, and to withdraw any technical support for the programme unless customers have a paid support plan, Mark Child, partner at Kingston Smith Consulting LLP, advises businesses on how to avoid being caught out by cyber-attack vulnerability in the following Q&A.

1.   What will this mean for SMEs?

Windows XP systems won’t stop functioning; you can continue to use them and even download old security patches, but no new ones will be produced.
As Microsoft has dropped support for XP, the industry will follow. New software won’t necessarily be tested to work on Windows XP, and new hardware may not have drivers for Windows XP at all.

2.   How will this affect me?

With the withdrawal of security patches, which close known gaps in the software that compromise the integrity of your IT infrastructure, unpatched vulnerabilities will soon be identified and exploited.

This will lead to a higher amount of botnet spam. It is also possible that these PCs will be harnessed for the distributed denial of service (DDoS) attacks.

The increased vulnerability of an ‘unpatched’ Windows XP-based system could increase the chances of cyber-attacks, data breaches or competitors stealing company secrets.(2) 

3.   How do I know if my organisation is affected?

It’s more likely than not that your organisation will be affected. Given that Windows XP was the most popular operating system in the world until August 2012(3), it’s highly likely that Windows XP had some impact on your infrastructure.

Although sales of enterprise-level Windows XP licenses ceased on 30 June 2008, Microsoft continued to provide licenses for use on ‘ultra low-cost’ devices such as netbooks until 22 October 2011. As many organisations now rely on third party service providers for all or part of their IT estate, you may not realise that you are exposed through these third parties.

To find out exactly how your business is affected, one option is to carry out a comprehensive IT audit and demand that your service providers do the same. This may provide not only peace of mind, but also highlight any related ‘gaps’ in your system security.

4.   My organisation moved to ‘the cloud’ last year. Might we still be affected?

Although many cloud providers have up-to-date technology and interfaces, a number still rely on Windows XP at server level. Without asking specific questions as part of an IT audit, it’s difficult to assure any organisation that they won’t be affected by this change.

5.   So if we upgrade our systems we will be ok?

If your organisation has a Windows XP deployment, you should already be working on migrating to a new version of Windows. If you’re a home user, you should be looking at upgrading, too. Most longtime Windows XP users generally agree that Windows 7 is a worthy upgrade (Windows 8 is more controversial), and Microsoft will be supporting Windows 7 until 2020. The cost to small businesses of upgrading is estimated to be around £70 per machine to Windows 7 or £100-190 per machine to Windows 8(4).

A system upgrade may solve the initial problem. However, the reality is that most organisations now have an interaction with a third party within their IT estate. For example, your printer is likely to run off remote servers. If these servers are upgraded, but your desktop PCs and tablets are not, you probably won’t be printing out many documents.

Some other common outsourced services include:

  • Payroll applications;
  • E-commerce / payment applications;
  • Specialist or industry-specific software packages;
  • Banking applications;
  • Client/customer portals;
  • Financial or other databases.

Recent research quoted by the UK Information Commissioner’s Office indicates that 77% of organisations “are running XP somewhere in their IT estate”.(5) You should think carefully about the nature of the assurance you obtain from your third parties that they are taking steps to mitigate the risk; will they consider an upgrade? Most organisations still employing Windows XP have already chosen not to undergo an upgrade since 2001, when XP was launched.

6.   What action should I take?

Firstly, check with the people that provide your IT infrastructure and service whether they think your organisation will be affected. This is usually your internal IT team or your outsourced provider. Secondly, consider whether you are happy with their answers. Given that the potential risks from a Windows XP-based vulnerability are high, should you consider seeking independent assurance over what you have been told? Finally, consider the number of third parties on which your organisation relies (see question six for some examples). How will you go about obtaining confirmation from them that Windows XP is no longer an issue?

This may be a good time to reconsider your company’s information security strategy. Many organisations now employ systems to mitigate the risk of malware or viruses. However, some recent examples of costly data breaches (leading to the loss of reputation) have come from:

  • Insider leaks (BBC);
  • Third party failure (Mastercard, Visa); and
  • Failure by organisation to follow its own policies (NHS).

Is your information security strategy reflecting ‘best practice’ in the market?

7. Is there anything else you recommend?

The end of Windows XP support presents businesses with an opportunity to assess whether their current technology is a good fit for their organisational strategy (in addition to their information security and operational effectiveness).

We regularly see many clients with systems they don’t need or fully understand. Many are not clear what they are paying for – and whether, in fact, they are getting value for money.

If your service provider has not talked to you about this issue, it could be a sign that they have not yet finalised their transition plan. Kingston Smith Consulting is happy to answer your questions regarding any of the above issues and can provide independent assurance around your IT systems, information security or data protection.

Mark Child is a partner at Kingston Smith Consulting LLP.

Kingston Smith Consulting LLP
11 April 2014

Press contact:
Shourik Chatterjee
Kingston Smith Consulting LLP
schatterjee@kscllp.co.uk
07880 43337507880 433375

(1) Research quoted by the UK Information Commissioner’s Office
(2) http://www.networkworld.com/community/blog/debunking-data-breach-myths
(3) http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=11&qpcustomb=0
(4) City A.M. http://www.cityam.com/blog/1396969530/three-industries-will-be-hit-death-windows-xp
(5) http://www.computerweekly.com/news/2240217623/ICO-issues-data-protection-warning-on-Windows-XP?asrc=EM_ERU_27955624&utm_medium=EM&utm_source=ERU&utm_campaign=20140407_ERU%20Transmission%20for%2004/07/2014%20(UserUniverse:%20771181)_myka-reports@techtarget.com&src=5229875