ICO warns businesses of Windows XP deadline

Organisations need to put measures in place to protect data or risk huge fines, the ICO says


The ICO has warned businesses that still use Windows XP that they must take responsibility for protecting data as support for the aging operating system ends on 8 April.

PCs running Microsoft's Windows XP and Microsoft Office 2003 will continue to operate, but will no longer be updated to fix security flaws when Microsoft ends support for the products next Tuesday.

The ICO has said the systems, and the personal data stored within them, could potentially be vulnerable, and therefore it is the duty of IT managers to ensure that measures are in place to keep data safe.

Importantly, if an organisation fails to spot problems with its software that lead to a serious breach of the Data Protection Act, it could incur huge fines. One organisation, the British Pregnancy and Advisory Service, was hit with a six-figure fine on 10 March after the names, contact details and addresses of 10,000 people were leaked because of holes in its IT systems.

Microsoft's XP operating system is still being used by millions, despite the imminent discontinuation of support, which has been planned for six years. Almost 28 per cent of desktop users are still using XP, according to data site netmarketshare.com.

This week, the UK Government managed to secure an extra 12 months of support from Microsoft to accommodate the public sector organisations still running XP, at a cost of £5.548m.

The data protection watchdog, which upholds information rights in the public interest, said problems will get worse over time as more vulnerabilities are gradually discovered, leading to more "opportunities for an attacker to exploit and potentially gain unauthorised access to systems".

The ICO's technology group manager Dr Simon Rice noted that it is important to remember organisations regularly end support for their older products.

"As a responsible data controller, it is your organisation's responsibility to make sure you have the measures in place to keep people's details safe," he said.

"Anyone using either of these two products must consider their options and ensure that personal data is not unduly placed at risk. Failure to do so will leave your organisation's network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented."

Rice offered some advice for businesses to help protect their systems as the switch-off date nears.

For small businesses, he said, checking for updates that need to be regularly applied to desktop and laptop operating systems should be relatively simple.

For more complex work environments, tests may need to be done to ensure the updates are compatible with the existing infrastructure. And where businesses cannot apply an update, they may need to put additional measures in place to "mitigate the risk".

Although the ICO did not explicitly recommend upgrading to new systems, vendors, including Microsoft, Toshiba and Lenovo, have been offering cut-price packages to entice businesses to upgrade their IT infrastructures.
