Many businesses, schools and government offices still use their beloved Windows XP operating systems and Office 2003 because they are reliable, run all the software required, and upgrading could be a painful process. It took several years to get all that software set up and these venerable systems are not quite ready for retirement yet. Are they?
Unfortunately, Microsoft will cease support for these time-served workhorses on April 8. This is a logical business decision dictated by simple economics and market forces, though many have criticized Microsoft for dropping this beloved combination of OS and software. Really? Hey, even a new car warranty runs out eventually. Why should Microsoft expend resources on outmoded technology? If they did, we would all still be using Windows 95 and that would not be fun for anyone. But I digress…
Not everybody can simply upgrade to a new operating system or Office suite. Apart from the software costs, larger organizations have service contracts tied to their current systems. What exactly does this cessation of support mean to those still tied to and dependent upon XP and Office 2003? Well, first of all, don’t panic. Everything will continue to work as it does now. I have reassured several people on this point, worried about the terminology used by Microsoft.
‘End of Life’, as it is referred to, is simple industry speak which means Microsoft will no longer provide any support. Nor will they create or release updates, bug fixes or security patches, for their decade old operating system and Office suite. It does not mean you need to rush out right now and buy new computers. That said, it may be a good idea to do so, as there are security implications you need to consider carefully if you plan to keep using Windows XP or Office 2003, either in your organization or at home.
So. To recap, neither Windows XP nor Office 2003 will receive any updates at all after the April 8 deadline. Ever. Microsoft, to be fair, have been exceedingly loud and clear on this, so any resultant fallout after April 8 is definitively not their fault. Any security holes discovered in the future will remain open. Forever. Microsoft knows this, which is one reason they are pushing users to upgrade and avoid any risks.
Hackers know this too, and it is believed that many have at their disposal a number of zero day (AKA presently unknown) vulnerabilities which will let them easily break in to these old systems: They are simply waiting to launch their attacks until April 9. At which point they may copy your data for later resale, steal your identity, empty your bank account or install the ransomware we have often discussed. Ah. Yes. This could be a problem.
Dialling back the paranoia a little, in simple terms, it comes down to this: In the absence of the benevolent hand of Microsoft (there’s a phrase I never expected to find myself writing) your security now rests firmly in your own hands. You’re on your own. If there are security holes yet to be discovered (zero day), then whatever security you have implemented yourself will be the only line of defence, so please do not take this situation lightly.
We strongly urge Windows XP and Office 2003 users to beef up their security as much as reasonably possible, adding antivirus and firewall protection if you have not already, and if you are a business you should revisit internal security policies and practices. This is always good practice and should be done regularly, so it represents no additional workload.
Though the best defence is without doubt a physical upgrade of equipment and software, (to continue to receive security and bug fix updates), this situation need not be the end of the world. Carefully considered and well implemented actions now will reap dividends later and may mitigate (but not eliminate) some of the potential for issues.
Keeping your computers disconnected from the Internet may seem drastic but it will stop any bad guys getting to your machines or your data from outside. Many larger facilities use sub-networks which explicitly do not have Internet access, for exactly this reason. On such networks the likelihood is far lower that any security issues will be encountered, though of course never one hundred percent. No guarantees.
Each scenario is unique. Home users should do some research and ask knowledgeable friends (and I do mean knowledgeable, not just that loud-mouth know-it-all buddy we all have). Maybe get a professional around for coffee and a chat. For businesses, the cost of hiring in a consultant for the day is a small expense in comparison to the price you pay after a successful hack attack. An IT consultant may see things your own team did not and can often offer alternate options you may not have considered. This may be a worthwhile business expense. Again, each scenario is unique. Each person and / or organization must make their own determination how best to proceed, but again we strongly urge consideration of all available options…including the option to upgrade.
If you must continue to use these products, cover your bases. On April 8th make certain to perform every last available upgrade as there will never be any more. Then, start backing up your data and operating system. I strongly urge, as I always have and always will, a full and complete backup of everything. Because I have seen what happens when you don’t bother. So backup, then backup your backups, and back them up too. And put them in a safe. I neither joke nor exaggerate. I could tell you some horror stories. If the worst happens, you will be glad that you took the time and trouble. If you need help with any of that, well, this is not a pitch but you know who to call, right?
In conclusion, the end of support for Windows XP and Office 2003 is not necessarily the worst thing in the world, but it really should be given due thought, in advance of the fast approaching April 8 deadline.
Please, do not ignore this ticking time bomb, or it could be the most expensive conversation you never had.