Councils issued with XP security warning after FoI bombshell

Following CRN Freedom of Information request, analysts warn councils running Windows XP could be prevented from connecting to central government systems

Councils that continue to run Windows XP after Microsoft ends support for the OS are leaving themselves open to an array of security risks which could force them to pursue "draconian" measures to rein in the threat, according to experts.

Yesterday, CRN exclusively revealed that more than half of local authorities will be running the 13-year-old operating system after the 8 April end-of-support date next month, based on a series of Freedom of Information (FOI) requests sent to councils across the country.

The findings suggest that 52 per cent of councils will be running at least some XP devices after D-day – some until as late as next summer – with six authorities set to be running exclusively on the OS.

After 8 April, Microsoft will stop offering security patches and upgrades to XP users. Throughout its XP migration campaign, Microsoft has talked up the security risks of remaining on the OS, claiming that its latest offering Windows 8 is six times more secure than XP.

Independent security expert Graham Cluley said anyone on XP should quit using it as soon as possible.

"I can well believe that many [organisations] are hesitant to shift from Windows XP because of the cost of upgrading systems, but there is no doubt that Windows XP users will be at increased risk after 8 April, even if they are keeping up to date with their anti-virus protection," he warned.

"After April, hackers will start exploiting vulnerabilities on the Windows XP platform for which no official patches will be available. Anti-virus vendors will attempt to detect the malware they see exploiting the vulnerabilities but there is no substitute for patching the hole in its entirety. That's the best, proactive step to take to permanently close a security hole."

Getting cut off

Local authorities connect to central government systems through a Public Services Network (PSN), via which they can share essential services in an effort to drive efficiency. GCHQ IT security arm CESG provides advice and certification for councils using the PSN.

According to Gartner's public sector research director Neville Cannon, CESG rules state that in order to connect to the PSN, authorities must run "patchable" software, which means those running XP after D-day could be in serious trouble.

"[If councils] do not run patchable software then a breach is possible," he told CRN.

"It will prevent them from connecting [to the PSN] and doing business with central government. The whole government connects to [PSN]; it is essential to keep it secure. Councils must run patchable software so any vulnerabilities are dealt with as soon as possible – on XP, that ability is compromised."

TechMarketView's research director Angela Eager agreed that workflow in the public sector could be slowed down considerably as authorities are forced to enact "draconian" measures to keep systems secure.

"[Threats] are not going to hit on the day that support stops, but the longer it goes on, the greater the threat [on XP machines] will be," she said.

"There are some precautions [which can be taken] such as shutting down administration rights [for users] so they have no access to web or email.

"But that is draconian and affects their ability to do jobs. It is not a case of balancing against ability to function and security – you have to prioritise security."