Windows XP: To Upgrade or Not to Upgrade?

By Mark Brown

Over the last few weeks much has been made of Microsoft’s decision to end security support for Windows XP.

Some commentators have likened it to a Y2K-style tech apocalypse, with fears of a field day for hackers and cybercriminals; others have derided the doom-mongers for making over-the-top predictions. Although operating systems reaching end-of-life is nothing new, XP’s end-of-life is significant for several reasons.

First, Windows XP has become a victim of its own success. Users’ experience with XP has, by and large, been so positive that it has become difficult to persuade them to upgrade voluntarily.

Second, the number of cyber-attacks and threats has risen dramatically over the last few years. Running an unpatched system did not previously carry the risk it does today, and from now on any newly discovered XP vulnerability will go unpatched on systems without paid extended support, so it remains exploitable indefinitely.

Finally, CIOs constantly find themselves going cap-in-hand to the board to make yet another case for a major operating system upgrade, which is a difficult argument in times of tight budgets. Even the UK government is spending £5.5 million on extended support for XP rather than undergoing a systems upgrade to Windows 7.

So what are the options? Nobody wants to be left in the lurch with a potentially exposed IT estate. This is where businesses can take advantage of two burgeoning trends: Bring Your Own Device (BYOD) and the cloud.

Some businesses may choose to keep running XP but move their data to cloud-based storage. The advantage of this approach is that sensitive data no longer sits on the unpatched XP machines themselves, which limits what an attacker gains from compromising one of them; the XP endpoints still remain exposed, however, so this reduces the impact of an attack more than its likelihood.

With BYOD, employees bring their own personal devices for work purposes, and this can be a quick route to the same end. BYOD potentially offers a fast track to replacing outdated systems because employees tend to run newer, still-supported operating systems at home, so every XP machine retired in favour of a personal device is one fewer unpatched endpoint on the business’s network.

However, there isn’t a ‘one-size-fits-all’ solution; both options need judging on their respective merits and on how well they meet the needs of the organization.

With cloud, for example, due diligence is needed before contracting with a provider, because control over the data is inevitably reduced once it is held by a third party: the business must satisfy itself about where the data is stored, who can access it and how the provider secures it.

For BYOD, the challenge is whether an organization is comfortable moving away from traditional enterprise IT platforms. Can a small business’s IT helpdesk support such a broad range of personal devices, and can the IT infrastructure cope with such a range of operating systems? It may seem a desirable option for small businesses, but without adequate planning it could result in chaos and employees being unable to fulfil the duties of their roles.

Events like the Windows XP end-of-life pose challenges but also opportunities for organizations willing to think outside the box. Those on the front foot will already be thinking about how they can take advantage of tech trends and how these can deliver savings for an IT function, as well as providing additional security benefits in situations such as this.

Mark Brown is a director in EY's IT Risk and Assurance (ITRA) practice, based in the firm’s London office, specializing in information security, business continuity and information risk management.
