Gartner: 'Prepare now' for the death of Windows XP; security at risk

Microsoft flips the 'off' switch on Windows XP and Office 2003 support a year from now, and with no more security updates and patches coming, corporate security could be at risk.
Written by Zack Whittaker, Contributor

Jump, and jump quickly.

That's the message from research firm Gartner, which in its latest research has found that more than 15 percent of midsize to large enterprises still have Windows XP running on at least 10 percent of their PCs.

Earlier this month, Microsoft warned that as of April 8, 2014, there will be no more support for Windows XP, which is rapidly approaching its 13th birthday. 

Is it really such a big deal? Actually, yes. That support entails security fixes, patches for vulnerabilities, and updates to software that will all disappear this time next year. When a new exploit comes along, it won't be fixed, leaving your entire network and systems vulnerable to cyberattacks, denial-of-service attacks, data theft, hacking and network intrusion.

And we, here at ZDNet HQ in New York, know only oh-so-well. We're still running Windows XP.

Despite being a Web-based media organization focused all but entirely on technology, we're still using an operating system that has been in the workplace longer than many of our editorial staff members. 

To be fair, this isn't the first time a ZDNet writer has thrown his own company under the IT bus. As ZDNet's Andrew Nusca notes, while CBS Interactive — the owner of ZDNet, CNET and CBS News, and many more — jumped ship to outsource the corporate email to Google Apps, it also took the opportunity to ditch the aging Lenovo laptops in favor of Apple MacBooks.

But those devices aren't thrown away. The waiting list for the shiny MacBooks is long, and the migration is step-by-step.

Even at the most advanced companies, there are issues surrounding an impending gap in network and data security. But Mr. Nusca's machine, and many others at work, are still running the Windows XP operating system and will fall foul of a lack of security patches and updates this time next year.

It looks like those Gartner folks know (at least for once) what they're on about.

No more security patches, no more software support

"New vulnerabilities are always being found, and new vulnerabilities that are found in more current products could affect Windows XP and Office 2003. Any unpatched device can be vulnerable to attack," say Gartner analysts Michael Silver and Steve Kleynhans. 

Even if a vulnerable Windows XP-based machine, or any other software that falls out of security update support, is on a private network and has no Internet access, another device, such as one running a supported product, can be infected with malware outside that private network and can infect other devices on that private network.

This is almost exactly what happened to Facebook and Apple, among others, whose employees were running unpatched versions of Java on their Apple OS X machines. A popular website was laden with malware, which then infected employee machines. Once they joined the private corporate network, DNS logs showed suspicious behavior suggesting the malware had impacted internal-only systems. 

Not only is the security concern enough to worry about, but many third-party applications and services have moved on from Windows XP, and organizations may be on their own to resolve issues. This could result in downtime and ding a company's bottom line.

Migration over cloudification?

"For a lot of organizations it may very well be too late to finish on time," Gartner analyst Michael Silver told ZDNet earlier today. "But they still need to address it in some way — even if that’s just to assess the risk and know what the potential problems will be." 

The "Windows XP problem" still spans across all industry sectors because organizations are cutting corners in IT to save money.

Healthcare remains one of the more problematic sectors, according to Silver, "because their applications generally take longer to be supported by their vendors on a new OS, leaving them less time to complete the migration."

Particularly as many health providers in Europe and further afield are public sector funded, entirely or in part, the question of receiving such funding from local or state governments can be tricky.

"At that point, lack of money to spend on the project often becomes the issue that prevents them from migrating," he said.

Also speaking to ZDNet, Gartner analyst Steve Kleynhans, who co-authored the latest report, said that above all else, there is "urgency to get off of Windows XP and it must be done in the most expedient and risk-free way possible."

He added: "Moving to a new cloud-based solution might be elegant and even better in the long run, but the simplest most expedient approach is a direct migration to Windows 7. And most companies are already somewhere along the Windows 7 migration project. Moving to anything else is likely to set the project back by some significant amount of time."

Silver noted that the time to experiment with the cloud was "a few years ago," but while that doesn't preclude a try-out period in the future, it's time to focus on certain priorities now.

"It depends on what applications [organizations] need to run," he said, referring to the cloud. "Service providers can be pretty good at supplying commodity applications and services, but most organizations have a lot of software that’s not mainstream that they rely on to do their business."

"Organizations are still way too concerned about supporting the hardware and the operating system — the whole stack. With consumerization and BYOD, organizations would be in much better shape spending time provisioning, securing, and supporting applications and data."

The fact is that anyone who has yet to start a migration plan for Windows XP, for apps such as Office 2003, and Web-based services reliant on Internet Explorer 6, is already facing some serious IT headaches and may not have enough time to fully migrate before the cut-off date hits.

After all, for home users it's a case of banging in a DVD and hoping for the best. Enterprises require planning, budgeting, negotiation, and the likely chance of hardware upgrades. And, above all, the possibility that mission-critical apps written for an old, no-longer-supported operating system will fail to work properly in a new environment.

CIOs take note. If you're leaving it this late, clear your schedule for the next 11 months. You and your IT staff may have to pull a few all-nighters.
