Why are people still hanging on to Windows XP, and are they dicing with disaster?

Avast and KPMG weigh in on the debate

Microsoft is ending its Windows XP support in April 2014, and with recent revelations that a good many public-sector PCs - including those used by GCHQ and even the NHS - are still running the 13-year-old operating system, panic seems to be growing in some quarters.

Antivirus firm Avast's COO, Ondrej Vlcek, certainly believes, based on data from the 20 per cent of global consumer PCs that the company's software checks, there could be a considerable problem brewing.

One of the main issues, said Vlcek, is that many of these XP-based PCs are still running Internet Explorer 8. Released in 2009, the software is full of security holes. In addition, a great many XP users are running pirated versions of the OS with Service Pack 2, rather than the more robust Service Pack 3.

"Irrespective of whether we want to support those with pirated copies of Windows, the problem is that all of a sudden you will have many machines connected to the global networks with low-hanging fruits for attackers," Vlcek told Computing.

"This could lead to the creation of much larger botnets with the capacity to take down more global machines. When hackers take over the machines of most XP users, it will be much harder to counter attacks."

Vlcek believes that many owners of XP-based machines purchased the computer "as an appliance".

"They don't think of updating or upgrading the operating system," he said.

When it comes to the UK public sector, Vlcek attributes its slowness to upgrade not so much to a lack of understanding of the risks, but more to reasons of "cost cutting".

"They would have to buy full licences for those devices, and also upgrading to Windows 8 or even Windows 7 could challenge the hardware configurations they have," said Vlcek.

No stranger to bad habits at IT management level is Mark Carter, executive adviser in KPMG's CIO Advisory division. Carter told Computing that he still has a few clients who he is "trying to encourage" to move away from Windows XP. He sees risk, for sure, but does not appear overly concerned.

"I'm not sure it's going to be the complete apocalypse that everyone says it's going to be," Carter told Computing.

"I think there is potential exposure to hackers who are waiting out there to swoop on this, but it's hard to quantify how big a problem it's going to be," he said.

But Carter advises CIOs not to "take the risk and leave yourself open".

"I guess it's a bit like the Year 2000 issue - everyone prepared for it, thinking the worst was going to come."

While no planes fell out of the sky on that occasion, risk is risk, reasons Carter. That said, he added that there is an element of hype in all this, with Microsoft understandably keen to shift users away from a platform that's no longer making it any money.

"Everyone will watch with bated breath, of course, but it's in Microsoft's own interests to get people off XP, and they're maybe culpable for a certain amount of propaganda in this space," said Carter.

Vlcek and Carter both acknowledged that many critical XP systems are entirely disconnected from the internet. Machines such as ATMs or customer kiosks commonly run on XP in the UK. Carter said these "unintelligent systems" posed little risk, unlike XP users who connect to the internet and are reckless in their online behaviour.

"The real risk is from the people accessing the internet, accessing dodgy websites and stuff. People who have a level of privilege and admin rights, and they're on the internet sending and receiving emails there, and thus opening themselves up," said Carter.

Like Vlcek, Carter also believes the recent financial crisis and "pressures on budgets and capital expenditure" caused people to "hold off and watch their assets", thus slowing migration from Windows XP.

But Carter also cited the "complexity factor" of upgrading IT real estate, and how this situation has only become worse as the demands of both hardware and software have grown since Windows XP was in its youth.

"I've worked on many migrations as far back as Windows 2000, and it's getting more complex," Carter tells Computing.

"It can take 18 months to two years to do a full migration. It's all around the applications - understanding what you have, then testing, mediating and replacing applications if they don't work."

Carter also believes that many IT managers are still smarting from "the whole Vista thing".

Windows XP's successor - which many felt removed more from the Windows experience than it added - was, in Carter's words, and professional experience, "a big disappointment".

"I remember it came out, we were ramping up to migration and then nothing happened. So I think people [then began to think, with subsequent releases of Windows] 'Okay, this has come along, it didn't do what it said on the tin'."

On top of many users' wariness of new Windows experiences, Carter believes there is a wider problem, for Microsoft at least: the client software model has simply become a dated concept.

"Apart from the Modern interface and the touch, I don't think Windows 8 offers anything significant over Windows 7," said Carter.

"We are in a very different environment these days. We've got cloud coming along, and VDI is not new and wondrous anymore - it's out there being used.

"People are saying 'Well now we really have to think, rather than sticking with the Windows thick client approach, we need to make a change'."

Rather than waiting for Windows 8, or even Windows 9, Carter wonders whether CIOs should begin asking themselves - and Microsoft - about ways to make the jump towards delivering operating systems in a different way.

"That's a hot discussion point in a lot of companies now," said Carter.

"We're at this fundamental turning point that's making people hold back."