IP, Technology & Data

Does your business operate in a regulated industry or otherwise hold confidential or sensitive information? Are any of your key systems or platforms still reliant on Windows XP? If so, then you are running out of time.

Following various previous attempts, Microsoft will finally withdraw support for the ageing Windows XP operating system in April 2014. This means that security patches will no longer be issued as a matter of course for XP users, leaving those systems vulnerable to security breaches.

Last week, the Scotsman published an article picking up on a report from the US Financial Institutions Examination Council, highlighting that continued use of an out-of-support operating system would expose US banks to increased operational risks.

According to NCR, 95% of the world’s cash machines still use Windows XP. That’s a lot of ATMs to upgrade. Given the interfaces with all the other software running on an ATM, it’s not simply a case of plugging in a Windows 7 DVD and clicking “install” – the whole software stack needs to be tested and retested before it is rolled out into live use. That’s also a lot of new licences to purchase. And that is assuming that the hardware in the ATM actually supports Windows 7.

ATMs are one of the most obvious examples of continued use of outdated software, but I suspect that Windows XP still powers many thousands of other devices and servers. As the article notes, the lack of continued support and patching of security holes could cause issues with compliance with the PCI-DSS, data protection laws and other regulatory requirements.

What about the UK?

Whilst the UK’s FCA and Information Commissioner’s Office have yet to issue any formal guidance on the issue, the concerns over using out-of-support software apply as much to organisations in the UK as they do in the US. Organisations that continue to use Windows XP may find themselves liable for fines and other enforcement action in the event of an information security breach.

Now is the time to review your systems (and those of your suppliers) and ensure that you have a plan in place to either move away from Windows XP or ensure that ongoing support is in place. In the case of RBS, the Scotsman reports that it has agreed a deal with Microsoft for ongoing Windows XP support for a further three years whilst it upgrades its network of 9,500 ATMs to Windows 7. Whether such additional support will be available to other organisations remains to be seen, given the announcement to the market that support will end on 4 April.

Next up – Windows Server 2003

The next product to lose support will be Windows Server 2003. That will go out of support in July 2015. Again, Windows Server 2003 is still widely used.

PS The ATM industry is used to issues like this. The reason that many ATM manufacturers moved to Windows XP in the first place was in part down to IBM’s decision to cease supporting OS/2.

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.