Stuck in the past

Microsoft is looking to the future with the launch of Windows 10, but it appears many local councils are still clinging to Windows XP. Hannah Breeze reports

Windows 10 has been on the market for about two weeks now, and the upgrade bonanza is in full swing. Microsoft has been shouting about the benefits of migrating for months, and at its Worldwide Partner Conference in Orlando last month boasted how simple it is for customers to upgrade from Windows 7 and Windows 8 to the new OS.

With the Windows XP migration campaign dead and buried - support ended in April 2014 - the vendor opened up somewhat on the challenges upgrading from the 13-year-old operating system posed to customers.

"The upgrade from XP to Windows 7 is quite hard, primarily because there are significant changes to the security model of those products," said Craig Dewar, senior director of Windows commercial marketing, in a bid to drum up reasons to migrate. "The move from Windows 7 to Windows 10 is much easier for customers."

But while XP has been consigned to the history books for many customers in the private sector, it lives on in a number of local councils in the UK, as CRN research found out.

On the eve of the end-of-support deadline last year, Microsoft and the government thrashed out a deal for 12 months' extended support, giving public authorities a lifeline in the form of extra time to upgrade. A year on and the government has not extended the offer and is now going it alone. When it made the announcement, it said "good progress" has been made to upgrade from XP. But just how well has it done? CRN found out.

Below eXPectations

Back in June, two months after extended support came to an end, CRN sent Freedom of Information (FOI) requests to all 435 local councils in the UK. Some 105 replied within the four-week period in which they are obliged to do so, and provided CRN with data on the operating systems their PC estates use.

Thirty-one per cent of councils that responded said they are running Windows XP on at least some machines and of all the PCs declared by the authorities, seven per cent are still running the ancient operating system.

The majority of machines (79 per cent) run Windows 7, one per cent runs Windows 8 and the remaining 13 per cent run another operating system, such as iOS or Android.

Two councils run more than 80 per cent of their PC estate on Windows XP and another seven run between 11 per cent and 79 per cent of it on the OS. Although most councils which admitted to still running XP had it on less than 10 per cent of their machines, according to some experts, simply having it at all is a risky enough business.

Independent IT security expert Graham Cluley said the figures are shocking.

"The worrying thing is that as members of the public, we can choose which businesses we share our information with but we cannot help but deal with our councils," he told CRN. "We expect them to be responsible when it comes to securing our data, but the fact that such a worrying proportion of council computers are still running Windows XP is truly alarming.

"It's not as though they haven't had years and years of warning that Windows XP was coming to an end, and would be vulnerable to exploitation by hackers through vulnerabilities that are being patched on more modern versions of Windows."

The Cabinet Office declined to comment directly on CRN's findings and directed us to a blog published in May which it claims outlines its latest position on the upgrade.

"There has been good progress in moving away from Windows XP across departments and government organisations and with many public bodies this transition is complete," said the blog.

"We expect most remaining government devices using Windows XP will be able to mitigate any risks, using the CESG guidance. Where this is not possible, they may need to review their own short-term transition support."

Microsoft said: "It is very important that customers and partners migrate to a modern operating system."

Money, money, money

During its migration campaign, the words "Windows XP migration" were rarely far from the lips of a Microsoft exec, so it might be difficult to believe any council is still running XP through ignorance.

Slashed budgets and technical troubles may be to blame, according to Quocirca analyst Bob Tarzey.

"Perhaps this tardiness by local councils is just complacency, but perhaps [it is] also because they are cash-strapped," he said.

"The easy thing to say would be 'just upgrade', [but that is] not much use if the budget is not there.

"As new vulnerabilities are exposed, organisations using XP will be open to attack. So ideally they should upgrade to a more recent version of Windows. If, for technical or financial reasons that is not possible, then steps should be taken to minimise vulnerability in other ways. Anti-virus does afford protection against known exploits."

Peter Batchelor, head of UK public sector at ForeScout, agreed.

"Reasons [for sticking with XP] vary from budgetary concerns to underestimated migration timelines to lack of internal expertise and manpower," he said. "But by far, the issue of legacy applications seems to bubble to the top; lots of councils use applications that can only run on XP because they are incompatible with later versions of Windows.

"Regardless of reason, the fact is that many councils are still struggling to complete Windows XP migration projects. With XP use so widespread, there is also a chance that migration projects will miss several machines. Some councils are not even sure which machines are running XP and which aren't. Hence, it is extremely important for them to take security measures for XP systems that have not yet been upgraded."

Tick tock, tick tock

During the year-long migration campaign leading up to the end of support last April, many customers in the public sector had migration projects under way but were unsure if they would be completed by the deadline.

The extended-support deal was designed with those in mind, offering them a lifeline to finish their upgrades before it was too late.

Roy Pickard, EMEA channel manager at security firm Bit9 and Carbon Black, said this extra time should have been ample to complete the upgrade.

"The fact that so many local councils continue to run Windows XP is startling," he said. "The extra year should have helped significantly, but as the figures show, it clearly wasn't enough.

"Those still running XP are making themselves an easy target for hackers, who will be able to exploit newly discovered security flaws and hacking techniques to breach their defences with relative ease now that extended support has ended. These vulnerabilities could lead to the compromise of councils' critical infrastructure and the loss of essential information - including citizens' personal data."

But according to security vendor Avecto's vice president Andrew Avanessian, giving councils extra time to upgrade was somewhat pointless.

"From my experience, if they were in a position to migrate away from XP, they would have already done it," he said. "Giving them an extra year just means they can delay the inevitable. You'll probably find in another year, the percentages [of councils running XP] will be much the same. Really, they should have been planning this years before - it has been well publicised as well."