On April 8, 2014, Microsoft ended support for Windows XP, the beloved 13-year-old operating system that powered the overwhelming majority of computers for a long stretch of time. Over the past few weeks, analysts, news sources and other commentators have tried to estimate how many computers are still on Windows XP and what these machines are used for. The results have not been pretty. Our own findings at SysAid Technologies are even more alarming.
Crunching the Numbers
On April 3, Gartner estimated that up to a quarter of enterprise machines still run Windows XP. The Washington Post also reported that 10% of several million government machines still run Windows XP, including those that operate on classified military and diplomatic networks. Meanwhile, VentureBeat claims that the governments of the U.K., the Netherlands and allegedly China have coughed up millions to extend Windows XP support. Even the IRS paid up to make sure that Windows XP would be protected come tax day on April 15.
As an IT service management (ITSM) tool provider, we at SysAid decided to investigate this matter as well—specifically amongst our U.S. cloud-based customers. We looked at IT asset management data from 699 U.S. customers and a total sample of more than 150,000 Windows machines. Our clients span all industries.
As of April 9th, we discovered that 75% of customers still run at least one XP machine, and are therefore exposed to security threats.
Still more surprising, we found that 15% of American companies are running more than half of their machines on Windows XP. Based on our sample, it appears that 27% of American corporate computers still run the operating system.
Why This Is Scary
Now that Microsoft will no longer make security patches for Windows XP (unless, of course, you coughed up millions of dollars), every XP machine will become more and more susceptible to malware, advanced persistent threats (APTs) and other types of cyber dangers. This means that just one XP machine on a network can provide cybercriminals or cyber activists with a foothold into an entire network of Windows 7 and Windows 8 computers.
Our estimate suggests that criminals could penetrate three quarters of the U.S. corporate world using unpatched Windows XP vulnerabilities.
The opportunities for crime and mischief cannot be overstated. For instance, on March 19, ComputerWorld reported that just 38% of the nearly 425,000 ATMs in the U.S. powered by Windows XP would be migrated off the OS by the deadline, leaving 250,000 or more machines unsecured. No banking customer can possibly tell which machines are on XP without some investigation.
Plenty of organizations handle payment card information, social security numbers, health records, driver’s license and all sorts of materials that could lead to identity theft, fraud and robbery if leaked. Even more worrisome, organizations without an asset management solution might not even know if they’re still running XP machines on their network.
The Next Steps
Corporations have a responsibility to protect their customers, employees and investors by upgrading their machines immediately. To be fair, Microsoft gave plenty of warning that this day would come, and maintaining the security of a 13-year-old product is no easy feat. Rather than busting Microsoft’s chops for forcing corporations to upgrade, business leaders need to see this as a prudent business and security decision on Microsoft’s part. Windows 7 and 8 were already much safer than XP even before Microsoft stopped patching XP.
Corporations that don’t know if they’re still running XP machines need to do a thorough inventory check, preferably using an asset management solution. A physical check is liable to miss machines at any sizeable organization.
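One way to run that inventory check over an asset management export, as an added example that is not SysAid’s code: it parses a constructed CSV (the column names, customer names and hostnames are assumptions), flags XP by kernel version or product name, and produces the same roll-up figures the post reports.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; columns and values are hypothetical, not SysAid data.
SAMPLE_INVENTORY = """customer,hostname,os_name,os_version
acme,ws-01,Microsoft Windows XP Professional,5.1.2600
acme,ws-02,Microsoft Windows 7 Enterprise,6.1.7601
acme,ws-03,Windows XP,5.1.2600
globex,ws-01,Microsoft Windows 8 Pro,6.2.9200
globex,ws-02,Microsoft Windows 7 Professional,6.1.7601
initech,ws-01,Microsoft Windows XP Professional,5.1.2600
initech,ws-02,Microsoft Windows XP Home Edition,5.1.2600
initech,srv-01,Microsoft Windows Server 2003,5.2.3790
"""

XP_NAME = re.compile(r"\bxp\b", re.IGNORECASE)


def is_xp(os_name, os_version):
    """Windows XP reports NT kernel 5.1. XP x64 reports 5.2, which it shares
    with Server 2003, so 5.2 only counts when the product name says XP."""
    major_minor = ".".join(os_version.split(".")[:2])
    if major_minor == "5.1":
        return True
    return bool(XP_NAME.search(os_name))


def xp_exposure(csv_text):
    """Per-customer XP share plus the three roll-up figures from the post."""
    total = defaultdict(int)
    xp = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        total[row["customer"]] += 1
        if is_xp(row["os_name"], row["os_version"]):
            xp[row["customer"]] += 1
    per_customer = {c: xp[c] / total[c] for c in total}
    n = len(total)
    return {
        "per_customer": per_customer,
        "customers_with_any_xp": sum(1 for c in total if xp[c] > 0) / n,
        "customers_majority_xp": sum(1 for c in total if per_customer[c] > 0.5) / n,
        "machines_on_xp": sum(xp.values()) / sum(total.values()),
    }


if __name__ == "__main__":
    for key, value in xp_exposure(SAMPLE_INVENTORY).items():
        print(key, value)
```

Only hosts present in the export are counted, so a machine the inventory agent never reached stays invisible, which is exactly the gap a physical check also leaves.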
Sometimes the “digital divide” can leave the IT and business sides of corporations at odds over expensive maneuvers like upgrading thousands of XP machines. This is a case where IT and business must unite and get the job done for the safety of the organization, its customers and its partners. There cannot be further delay.
About Sarah Lahav
SysAid Technologies’ first employee, Sarah is now CEO and has been a vital link between SysAid and its customers since 2003. As CEO, she takes a hands-on role evolving SysAid with the dynamic needs of service managers. Previously, Sarah was VP Customer Relations at SysAid and developed SysAid’s Certification Training program, advancing the teaching methods and training technology that are in place today.
Sarah holds a B.Sc. in Industrial Engineering, specializing in Information Technology, from The Open University in Israel, and spends her free time with her three beautiful children.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.