A recent article by IT Governance highlighted that 31% of UK local authorities are still using unsupported Windows XP, which on the surface appears to be of great concern. Windows XP was released nearly 14 years ago in October 2001; in April 2009, Microsoft announced that it would reach end of life in April 2014. Organisations therefore had 5 years to put in place and execute upgrade plans to avoid running unsupported software. Also, the IT Governance article does not comment on the private sector, where a significant number of companies are also struggling to eradicate Windows XP from their estates.
When it comes to unsupported software (i.e. software for which vendors no longer provide security patches when vulnerabilities are discovered), Windows XP is just the most obvious example and the tip of the iceberg. In organisations (public, private and third sector), another problematic software product is Java which is installed on most computers. Often multiple versions of Java are installed and there is no process to manage versions as they become unsupported.
IT Governance are promoting the use of the Cyber Essentials programme launched by the UK Government in 2014. However, their article does not explain how UK Cyber Essentials will resolve the issue of unsupported software and eradicate it. UK Cyber Essentials is a good initiative, but those 31% of local authorities are unlikely to achieve certification because of the evidence that they are not maintaining their software and patching it in a timely manner. Like most certification programmes, it will only highlight non-compliance to an organisation. This is only a first step and is not enough on its own: corrective action is required to address the non-compliance.
It is important to note that running an organisation’s operation on unsupported software is not directly a security problem but it will have significant security consequences which will continue to grow over time. Further, these security consequences may not be limited to that organisation but could also affect their suppliers, partners, customers and anyone else interacting with their systems.
In the case of unsupported software, it is necessary to build and execute an action plan to upgrade that software to a supported version, preferably the latest version. Additionally, it is highly desirable to put in place the necessary processes to ensure that the software is maintained and kept at a supported version in the future; a good roadmap which is followed can achieve this.
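The process described here, and the Java version sprawl mentioned earlier, both start with the same piece of groundwork: knowing what is installed and comparing it against vendor support lifecycles. The following is an added example, not code from the original article or from Corix Partners, of that comparison. The inventory records and the end-of-support table are constructed for illustration (in practice the table would be populated from the vendors' own lifecycle pages), and the hypothetical `assess` function flags software that is already unsupported, software approaching end of support within a warning window, and software for which no lifecycle data has been recorded at all, which is its own kind of risk.

```python
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    status: str          # "unsupported", "approaching-eol" or "no-lifecycle-data"
    eol: Optional[date]  # None when no lifecycle data is recorded


# Constructed end-of-support table keyed by (product, major version).
# Assumption: a real table is maintained from vendor lifecycle pages.
# None means "still supported at the time the table was written".
EOL_TABLE: Dict[Tuple[str, str], Optional[date]] = {
    ("Windows", "XP"): date(2014, 4, 8),
    ("Windows", "7"): date(2020, 1, 14),
    ("Java", "6"): date(2013, 2, 1),    # illustrative date
    ("Java", "7"): date(2015, 4, 30),   # illustrative date
    ("Java", "8"): None,
}

# Constructed inventory, e.g. as exported from an asset-management tool.
INVENTORY: List[Dict[str, str]] = [
    {"host": "pc-001", "product": "Windows", "version": "XP"},
    {"host": "pc-001", "product": "Java", "version": "1.6.0_45"},
    {"host": "pc-001", "product": "Java", "version": "1.7.0_55"},
    {"host": "pc-002", "product": "Windows", "version": "7"},
    {"host": "pc-002", "product": "Java", "version": "8u45"},
    {"host": "srv-01", "product": "Windows", "version": "Server 2003"},
]


def java_major(version: str) -> str:
    """Normalise the three Java version styles to a major number.

    "1.7.0_55" -> "7", "8u45" -> "8", "11.0.2" -> "11"
    """
    parts = version.replace("u", ".").split(".")
    if parts[0] == "1" and len(parts) > 1:
        return parts[1]
    return parts[0]


def lifecycle_key(product: str, version: str) -> Tuple[str, str]:
    """Map an inventory record to the key used in the EOL table."""
    if product == "Java":
        return (product, java_major(version))
    return (product, version)


def assess(inventory: List[Dict[str, str]],
           eol_table: Dict[Tuple[str, str], Optional[date]],
           today: date,
           warn_days: int = 365) -> List[Finding]:
    """Return one Finding per inventory record that needs action."""
    findings: List[Finding] = []
    for item in inventory:
        host, product, version = item["host"], item["product"], item["version"]
        key = lifecycle_key(product, version)
        if key not in eol_table:
            # Unknown lifecycle: cannot claim it is supported, so surface it.
            findings.append(Finding(host, product, version, "no-lifecycle-data", None))
            continue
        eol = eol_table[key]
        if eol is None:
            continue  # currently supported, nothing to report
        if eol <= today:
            findings.append(Finding(host, product, version, "unsupported", eol))
        elif (eol - today).days <= warn_days:
            findings.append(Finding(host, product, version, "approaching-eol", eol))
    return findings


def hosts_with_multiple_java(inventory: List[Dict[str, str]]) -> Set[str]:
    """Hosts carrying more than one Java installation (version sprawl)."""
    seen: Dict[str, Set[str]] = {}
    for item in inventory:
        if item["product"] == "Java":
            seen.setdefault(item["host"], set()).add(item["version"])
    return {host for host, versions in seen.items() if len(versions) > 1}


if __name__ == "__main__":
    for f in assess(INVENTORY, EOL_TABLE, date(2015, 6, 1)):
        print(f"{f.host:8} {f.product:8} {f.version:12} {f.status:18} {f.eol}")
    print("Hosts with multiple Java versions:", sorted(hosts_with_multiple_java(INVENTORY)))
```

Run against the constructed inventory with a reference date of 1 June 2015, the report lists Windows XP and both Java installations on pc-001 as unsupported, leaves pc-002 alone (its operating system and Java are within support), and flags srv-01 as having no lifecycle data. The "approaching-eol" status is what feeds the roadmap the article asks for: anything inside the warning window should already have a budgeted upgrade plan rather than being discovered on the day support ends.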
It is worth considering how some organisations end up with unsupported software and the road blocks that cause this situation. The most obvious road blocks which are likely to be faced by many organisations are:
- Software upgrade costs – there may be significant license costs to upgrade unsupported software, especially if it is multiple versions behind and if it is used by everyone. Also, the organisation’s management may not perceive any value in upgrading some software, such as operating systems which appear to be functioning adequately for that organisation.
- Hardware replacement costs – the new version of the software may not be supported on some of the current hardware or may require hardware upgrades (e.g. more memory).
- Application compatibility – it is unwise to upgrade one software product without considering the interdependencies with other software products. This is particularly true for operating systems, and desktop/laptop upgrades are the most complex because of the number of interdependencies.
- Knock-on application upgrade costs – it may be necessary to also upgrade some of the applications to newer versions to support the main software upgrade. This leads to further costs.
- Implementation costs – if there is a significant number of systems to be tested and upgraded, this will be a complex activity with many interdependencies. Typically, this will involve significant costs.
Thus, upgrading a major software product, such as Windows XP, is complex and needs to be well planned and executed by skilled professionals. The road blocks will apply differently to each organisation and therefore each organisation will have its own way of overcoming each road block. However, this will just get the organisation back to a position of running supported software but not prevent a similar situation recurring in the future.
The way to prevent recurrence of a similar situation is to change the culture to one of keeping up to date with software versions as a matter of course. To achieve this change, it is necessary to have clear roadmaps for all the key software products so any interdependencies can be planned well in advance and the costs of the key software updates can be budgeted over a longer timeframe.
The problem of unsupported software is a typical example of a situation that will not resolve itself over time and will only get worse, developing serious security complications. We believe that determining the road blocks and devising an action plan to remove them is the only way to make lasting and transformational change in an organisation.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.