Have You Upgraded Your XP Yet?


Microsoft officially ended support for Windows XP in April 2014, but not everyone has made the decision to upgrade their operating systems. By choosing to stick with Windows XP, users may be leaving themselves vulnerable to security risks that would not be present if a different operating system were used. There are serious implications for businesses operating on the Windows XP platform, particularly when sensitive information, such as customers’ credit card information, personal information or even company trade secrets, is being stored on these machines.

Certainly, companies have their reasons for not upgrading, including cost and the incompatibility of programs that have been used for years with newer operating systems such as Windows 7 or Windows 8. The risks of not upgrading may not be self-evident because Windows XP will continue to function as it has in the past. However, users will no longer receive security updates for vulnerabilities in Windows XP. Even more concerning is that cyber criminals have reportedly developed ways to exploit Windows XP vulnerabilities and saved them for when security patches are no longer being developed and deployed.

Another important consideration is the impact the Windows XP end of life will have on embedded systems used in point-of-sale (POS) systems. Microsoft has extended support on Windows XP Embedded for POS systems until 2016, but support for Windows XP Professional for embedded systems expired in April. Some merchants may be unaware that their POS system is running XP and could unknowingly expose customer payment card data to malware, especially as the number of attacks on retailers increases.

Vulnerability, Stopgaps and Noncompliance
Additionally, operating even a single Windows XP machine can leave a business vulnerable to a breach. As the saying goes, “a chain is only as strong as the weakest link,” and a single Windows XP machine could provide a potential intruder with a window into your network environment; that computer can then serve as a pivot point for an attack on other systems.

Although upgrading is recommended by many, there are certain stopgaps, such as application whitelisting, monitoring and profiling of activity, multifactor authentication and web application firewalls, that can increase protection and help to improve security. Where Windows XP machines exist, segmenting them from the rest of the network would restrict their ability to communicate with any other devices in the network, except other Windows XP machines and the router. This would confine any attack exploiting Windows XP vulnerabilities to those machines and enable quick containment. Simply using a browser other than Internet Explorer, such as Firefox or Chrome, may also aid in securing a computer, as those browsers will presumably continue to be updated.
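One way to verify that the segmentation described above actually holds is to check firewall or flow logs for traffic that crosses the boundary. The following is an added example, not code from the original article or from Wilson Elser; the host addresses, router address and log format are constructed assumptions.

```python
# Added example: flag flows that violate the segmentation policy in the text,
# namely that a Windows XP host may talk only to other XP hosts and the router.
# Inventory below is constructed; replace with your own asset list.
XP_HOSTS = {"10.0.50.10", "10.0.50.11"}   # assumed XP hosts
ROUTER = "10.0.50.1"                       # assumed segment router

# Constructed flow-log lines in the form "src dst proto dport" (one per line).
SAMPLE_FLOWS = """\
10.0.50.10 10.0.50.11 tcp 445
10.0.50.10 10.0.50.1 udp 53
10.0.50.11 10.0.20.5 tcp 1433
10.0.20.5 10.0.50.10 tcp 3389
10.0.20.5 10.0.20.6 tcp 80
"""


def allowed(src: str, dst: str) -> bool:
    """Return True if a flow between src and dst is permitted by the policy."""
    src_xp, dst_xp = src in XP_HOSTS, dst in XP_HOSTS
    if not src_xp and not dst_xp:
        return True          # no XP host involved; outside this policy's scope
    if src_xp and dst_xp:
        return True          # XP hosts may talk to each other
    # One side is an XP host; the other side must be the router.
    return (src_xp and dst == ROUTER) or (dst_xp and src == ROUTER)


def find_violations(log_text: str) -> list[tuple[str, str, str, int]]:
    """Parse flow-log text and return the flows that break the policy."""
    violations = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue         # skip blank or malformed lines
        src, dst, proto, dport = parts
        if not allowed(src, dst):
            violations.append((src, dst, proto, int(dport)))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("segmentation violation:", v)
```

Running this over the constructed sample reports the XP host reaching a database server and a non-router host opening RDP to an XP machine, the two kinds of crossing the policy is meant to prevent.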

Even with stopgaps in place, there is the potential that continuing to use Windows XP may result in businesses’ noncompliance with regulatory standards such as HIPAA, HITECH, PCI DSS, FISMA, GLBA, SOX, and ISO 27001, which require organizations to monitor their networks in real time, ensure high levels of security and provide network compliance audit reports to auditors on demand. Noncompliance means spending a lot of money and time upgrading systems and covering the increased cost of future compliance.

Of course, the safest course may be to upgrade from Windows XP if at all possible. The short-term savings of not doing so could be substantially outweighed by the costs of responding to a data breach, responding to regulatory investigations or defending a lawsuit.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Elser | Attorney Advertising
