8 April 2014: Windows XP Dead

Does the date 8th April 2014 mean anything to you?

If you’re a business and care about the security of your IT equipment then it should.

On the 8th April, Microsoft’s Windows XP and Office 2003 products will no longer be supported. The products won’t stop working, but critical security updates will no longer be developed and rolled out for them. That means that if a major security flaw is discovered, Microsoft will do nothing about it.

30% of PCs still use Windows XP and at least a handful of our clients still have one or two Windows XP machines in their office (thankfully they’re moving away this week).

Keeping your IT infrastructure secure is serious business: only at the beginning of March, the British Pregnancy Advice Service (BPAS) was fined £200,000 for not making sure the personal data it held about people was stored securely.

David Smith, Deputy Commissioner and Director of Data Protection, said about the case:

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

The organisation’s failure to spot problems with their software has led to a serious breach of the Data Protection Act, caused substantial damage and distress to those affected and left the organisation with a fine of £200,000. The hacker, meanwhile, is now in prison.

For a small office environment, the steps you need to take can be relatively simple. Making sure you stay on top of the updates that need to be regularly applied to desktop and laptop operating systems is relatively easy to do. All of the major vendors have a system to regularly check for updates and a pop-up will usually display on the screen alerting you to the fact that a security update is required.

In a more complex environment you might need to test these updates first to make sure they are compatible with your existing infrastructure. Where you cannot apply an update, you may need to put additional measures in place to mitigate the risk.

The UK government’s National Technical Authority for Information Assurance (CESG) has published short-term mitigation advice for public sector organisations that are unable to fully migrate away from Windows XP prior to its end of support date.

You should also consider whether your other IT assets need an update. Recently, a number of vulnerabilities have been discovered in the firmware of routers and firewalls. You can check the manufacturer’s website to see if an updated firmware has been released. For the novice user these are not as easy to update as an operating system or desktop software. If you get the configuration of your primary defence wrong you could be leaving your organisation in a worse position than if you’d done nothing at all; so call in the professionals if you are unsure.

So if you are unsure whether your security software is up-to-date across all devices, make sure you follow these three basic steps:

Step one – Carry out an audit of your IT equipment so you know the size of the problem. Make a list of devices, operating systems, serial numbers, installed software and which members of staff this kit is issued to.

Step two – Plan and Prioritise. Work out which updates you need to apply and in which order you are going to do these. If you are disposing of equipment that has reached the end of its life, make sure this is done securely by following the Information Commissioner’s Office’s IT asset disposal guidance and any other guidance provided by the manufacturer.

Step three – Roll out security updates to the remaining equipment where required and continue to keep the software up-to-date.
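As an added example (not part of the original post), the following PowerShell script builds the Step one asset list for a small office by querying WMI on each named Windows machine and flags anything still running Windows XP or Office 2003, so that Step two can prioritise those devices. It assumes the account running it is a local administrator on each target, that WMI/RPC is reachable, and that the computer names are placeholders to be replaced with your own.

```powershell
# Added example, not the original post's code. Placeholder computer names:
$computers = @('OFFICE-PC01', 'OFFICE-PC02')

$inventory = foreach ($c in $computers) {
    try {
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $bios = Get-WmiObject -Class Win32_BIOS            -ComputerName $c -ErrorAction Stop
        $sys  = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $c -ErrorAction Stop

        # Windows XP reports NT kernel version 5.1.x.
        $isXP = $os.Version -like '5.1.*'

        # Office 2003 is MSI-installed with product version 11.x. Win32_Product is slow
        # and triggers an MSI consistency check on every package, so run it once per
        # machine and narrow it with a WQL filter rather than filtering afterwards.
        $office2003 = Get-WmiObject -Class Win32_Product -ComputerName $c `
            -Filter "Name LIKE 'Microsoft Office%' AND Version LIKE '11.%'" `
            -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            Computer    = $c
            IssuedTo    = $sys.UserName      # logged-on user; confirm against your staff list
            Serial      = $bios.SerialNumber
            OS          = $os.Caption
            OSVersion   = $os.Version
            LastBoot    = $os.ConvertToDateTime($os.LastBootUpTime)
            Office2003  = [bool]$office2003
            Unsupported = $isXP -or [bool]$office2003
        }
    } catch {
        # Keep unreachable machines in the list: an unknown device is part of the problem size.
        [PSCustomObject]@{
            Computer = $c; IssuedTo = $null; Serial = $null
            OS = "UNREACHABLE: $($_.Exception.Message)"; OSVersion = $null
            LastBoot = $null; Office2003 = $null; Unsupported = $null
        }
    }
}

# Full audit list for the records, plus the devices that need migrating first.
$inventory | Export-Csv -Path .\it-audit.csv -NoTypeInformation
$inventory | Where-Object { $_.Unsupported } |
    Format-Table Computer, IssuedTo, Serial, OS, Office2003 -AutoSize
```

Run it from a management PC with PowerShell 3.0 or later; the XP machines themselves only need WMI enabled.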

Remember, from 8th April 2014 there will be no updates to apply to Windows XP or Office 2003. Do not fall into a false sense of security by believing that because there are no updates there are no vulnerabilities. Anyone using these two products must look at their options for migrating to a supported operating system. Failure to do so will leave your company’s network vulnerable over time and significantly increases the risk of a data breach that you could have prevented.