The end of support for Windows XP means that Microsoft will no longer push out bug fixes, security patches, or other critical updates for the 13-year-old operating system. As such, businesses have been rushing to upgrade to Windows 7 or Windows 8 to ensure that their PCs remain safe and secure.
As support for Windows XP comes to an official end, the real security lesson is hidden. Broader than what to do about it today is the consideration of what it means for the future.
As the 12+ year run of Windows XP (which was launched in 2001) comes to an end today, it holds some curious lessons. You may wonder: Windows XP is done, so what's the big idea?
For a bit of history here, Windows XP was, and remains, popular with individuals and organizations. Estimates of the share of systems currently accessing the Internet that use Windows XP range from 18% to 30%.
That means that despite the notice, extension, and dire warnings of negative consequences, a large number of individuals and organizations simply opted to stick with what they had. It’s a curious finding!!!
An accepted “good” practice is to diligently review, test, and apply patches and updates to operating systems and applications. The number of people clinging to Windows XP suggests perhaps that this good practice needs a boost, a real boost! Or does it?
Contrast that experience with the reports surfacing this week that iOS 7 adoption is at 87%. Without question, this is not a direct comparison – especially given the difference between computers and servers versus mobile devices. And while there are other differences, the outcome is what needs to be studied.
Exploring why the adoption of iOS 7 is taking off even as people cling to Windows XP is important. Understanding the differences in approach holds clues for future efforts at upgrades.
Steps to take if you (or someone you know) is using Windows XP
If you, or someone you know, is using Windows XP, then it means taking the effort to protect or replace the system(s) using it. That requires a structured conversation about business process, risks, and the steps necessary to upgrade.
Why has Windows XP stuck around?
Initial support ended in April of 2009, moving to a scenario of extended support that offered paid solutions and security updates. After warnings and even an extension, today is the day that all support options and updates end.
While many see today as the day people are finally forced to take action, the reality is some situations preclude that course of action. For example:
Purpose-built devices: some of these devices lack alternatives, are inaccessible or are governed by strict standards that prevent a change
Custom applications: organizations that invested heavily in customized solutions may have (had) a legitimate cost analysis that kept them staying the course. Curious how the actual end of support changes those numbers.
Concerns or struggles over the costs: whether accepted or not, a lot of folks are unable or unwilling to spend money on new hardware, operating systems, and applications. It’s a costly change. Chances are the impacts are less understood, too.
Exploring each of these (and other) reasons deeper reveals the real lesson about the assumptions made.
The hidden, single biggest lesson for security
Hidden in plain sight is the single biggest lesson for security:
We need to challenge our assumptions at the beginning of the process.
How long is it reasonable to expect hardware and software – especially the underlying OS – to be stable and supported? Y2K and the long goodbye to Windows XP are evidence that the timeline for these expectations is short, and getting shorter.
When coming across reasons to keep Windows XP – even now – we have to question why? Instead of shaking our heads in a knowing way, informed by over a decade of experience, it’s an opportunity to engage in conversation.
It’ll likely be uncomfortable in some cases to probe the assumptions upon which the solutions were built and decisions made. Take the opportunity to learn first, then find the right solution forward.
Want better security? Practice asking this one question
As we reflect on the lessons and experiences afforded by the long run of Windows XP, it reveals a simple question that allows us to improve security:
And what if our assumption(s) are wrong?
The key is to simply ask and guide the discussion across three dimensions:
Question and document the assumptions about how long each of these elements tends to last. Then ask how long it needs to last in order for the project/solution/decision to make sense.
Then follow up, again, by simply asking, “and what if our assumptions are wrong?”
Thinking about assumptions and outcomes earlier in the process is a simple and effective way to improve security today and in the future.