Revealed: Top 20 councils in XP hall of shame

Councils defend their reliance on Windows XP after 8 April end of support

Local authorities expecting to run almost their entire device estates on Windows XP after Microsoft ends support for it have defended themselves and outlined their plans to mitigate potential security threats.

Earlier this week, an exclusive CRN investigation suggested that 52 per cent of UK councils will be running XP in some form after Microsoft ends support for the 13-year-old OS next month, with six authorities running it exclusively until as late as next summer.

Security experts questioned their logic, claiming that running on XP after Microsoft halts the provision of patches and updates poses a "real and present danger" to authorities.

According to CRN's research, six councils will run 100 per cent of their devices – PCs, laptops, tablets, smartphones and thin clients – on XP after 8 April, with another 14 running at least 85 per cent of their estates on it after the deadline. (For the full list, see below.)

"No extra risk"

CRN contacted the top 20 councils running the highest percentage of Windows XP for further comment on why their reliance on the OS is expected to be so high, and of those that responded, three – Hackney, Croydon and Dorset – said they have purchased extended support from Microsoft. The support is thought to cost in the region of $200 (£121) per user, per year for the first year, increasing considerably thereafter.

Despite the cost, it is a price the councils are willing to pay. Hackney claimed the purchase will ensure there is "no extra risk" to its systems.

Deputy mayor of Hackney, councillor Sophie Linden, said: "There is no extra risk to Hackney in running XP. We have followed Cabinet Office guidance and have taken out extended XP support after careful planning. This will provide an equivalent level of data security protection to Microsoft support. We will be moving from XP in 2015 as part of a wider programme of strategic system upgrades."

Bolton Council ranks in seventh place after telling CRN in a Freedom of Information (FoI) request that it expects to run 4,006 devices (99 per cent) on XP, and also claims that there will be no more risk than usual to its IT systems.

In a statement it said: "Our informed view... is that data is no more at risk within a locked-down Windows XP environment within a secure perimeter than in any other client operating system on the basis that all other components are subject to six-monthly security health checks and penetration testing, which must be passed successfully if the council is to operate critical public-facing services."

Swerving the risk

But some councils seem less confident about avoiding the potential risks Windows XP might pose to their IT systems.

Of the 322 local councils and central government departments which sent CRN an FoI response, 30 (nine per cent) refused to say how many XP machines they would run after 8 April for security reasons.

On being asked for further information after featuring in the top 20 list, one authority asked CRN not to include its name in the rankings for fear of inviting additional security risks, which highlights the perceived risk that remaining on XP poses to councils.

Another council which said it would be running some XP devices after D-day got back to CRN informing us it had purchased extra security support for its XP machines in light of appearing in the list.

Wirral Council – which will run 3,780 devices on XP after 8 April – put its XP reliance down to a "major infrastructural change" which delayed migration, but said it is aware of the risks.

"We recognise the risk of delayed migration and are following government guidance to mitigate security risks and safeguard public and private data," it said.

"For obvious reasons, we can't go into specific details but we would like to reassure residents, businesses, and everyone whose data we hold that we are committed to keeping data safe, and are satisfied with the plans in place."

Sutton Council, which will run up to all its devices on XP after D-day, insisted it was doing all it could to prevent security problems.

A spokesperson said: "IT security is one of our top priorities and we are upgrading the whole of our IT infrastructure to provide best practice protection against cyberthreats. We've made substantial progress and the programme will complete this year.

"We are putting measures in place to minimise potential risks during the upgrade process. We cannot disclose the details for security reasons, but we are doing everything we can to protect our IT systems."

Top 20 UK councils running the highest percentage of XP devices after 8 April

1. London Borough of Hackney: 100 per cent of its estate

"There is no extra risk to Hackney in running XP. We have followed Cabinet Office guidance and have taken out extended XP support after careful planning."

2. North Somerset Council: 100 per cent of its estate

"The council has an extensive investment in Citrix technology which delivers virtual Windows 7 desktops to the organisation. Access to this environment is achieved through PC systems running Windows XP.

"An ICT Transformation Programme is in place to move the council's entire computing environment to an Agilisys cloud-based service which will see all legacy Windows XP removed along with Windows Server 2003 before Microsoft support for that product is removed in July next year."

3. London Borough of Sutton: 100 per cent of its estate

"IT security is one of our top priorities and we are upgrading the whole of our IT infrastructure to provide best practice protection against cyberthreats."

4. Royal Borough of Kingston: 100 per cent of its estate

Declined to comment

5. Bracknell Forest Council: 100 per cent of its estate

Declined to comment

6. St Albans City and District Council: 100 per cent of its estate

"We have in place a wide range of protective measures which provide us with a high degree of insulation from XP-related and other risks. For example, our software protection includes a suite of products that are supported by the manufacturer to run on the XP platform through to September 2015."

7. Bolton Metropolitan Borough Council: 99 per cent of its estate

"Bolton Council takes its responsibility to protect customer data held in our IT systems very seriously. We have been aware of the issue around XP and have been planning for this for some time, to ensure that we have mitigated any risk as a result of this."

8. Wirral Metropolitan Borough Council: 99 per cent of its estate

"We recognise the risk of delayed migration and are following government guidance to mitigate security risks and safeguard public and private data. Information governance is a key strand of this work and the council's Information Governance Board is monitoring the risk."

9. Lichfield District Council: 97 per cent of its estate

Declined to comment

10. Dorset County Council: 95 per cent of its estate

"Our Windows XP estate is in a controlled environment protected by multi-layered security and so the increased risk, in itself, to our data during the period between end of support for XP and the completion of our new desktop rollout is felt to be minimal."

11. City of Westminster: 95 per cent of its estate

"The XP build is provided and supported under a 10-year contract with CapGemini which ends in November and is being transitioned to a new provider – BT.

"We realised some time ago that we could achieve significant efficiencies by running the upgrade from XP to Windows 7 concurrent with the transition to the new support provider. The savings this generates significantly outweigh the additional cost of Microsoft Premier support agreements to ensure critical security patches are available during the transition period."

12. London Borough of Croydon: 94 per cent of its estate

"We plan to purchase Microsoft extended XP support during the period of transition from XP to Windows 7."

13. London Borough of Southwark: 93 per cent of its estate

Declined to comment

14. Exeter City Council: 93 per cent of its estate

"We are aware of the perceived risks [and] we fully protect our network. We use appropriate systems and processes to protect our data."

15. Scottish Borders Council: 92 per cent of its estate

Declined to comment

16. Tunbridge Wells Borough Council: 92 per cent of its estate

"Whilst Tunbridge Wells Borough Council uses Windows XP, it only does so to access thin-client applications on modern, centralised servers that do not run Windows XP.

"Internet connectivity including web browsing is not carried out using Windows XP."

17. St Helens Borough Council: 90 per cent of its estate

"We have the ability to access services and data via our Citrix virtualisation platform and not from the Windows XP operating system. We have in place a removable media lockdown policy.

"Following the notification that Microsoft is extending virus warnings for Windows XP to 2015, we have also received reassurances from Symantec that our end-point protection suite of products will still be supported during our transition programme."

18. East Cambridgeshire Council: 90 per cent of its estate

Declined to comment

19. Moray Council: 89 per cent of its estate

"The council is aware of the potential risks arising from the continued use of Windows XP beyond the end-of-support date. Migration to Windows 7 is regarded as one of the highest priority projects for the next financial year.

"The council has various controls in place to mitigate against the potential risks from viruses and malware via email and the internet, including a recently deployed encryption and port control solution to guard against the threat via removable media."

20. Hastings Borough Council: 85 per cent of its estate

"We are currently in the process of upgrading all of our machines to Windows 7, this will be completed early in the summer. We have multi-layered procedures and systems in place which we believe mitigate against risk."