ICO warns businesses of Windows XP deadline
Organisations need to put measures in place to protect data or risk huge fines, the ICO says
The ICO has warned businesses that still use Windows XP they must take responsibility to protect data as support for the aging operating system ends on 8 April.
PCs running Microsoft's Windows XP and Microsoft Office 2003 will continue to operate, but will no longer be updated to fix security flaws when Microsoft ends support for the products next Tuesday.
The ICO has said the systems, and the personal data stored within it, could potentially be vulnerable, and therefore it is the duty of IT managers to ensure that measures are in place to keep data safe.
Importantly, if an organisation fails to spot problems with its software that led to a serious breach of the Data Protection Act, they could incur huge fines. One organisation, the British Pregnancy and Advisory Service, was hit with a six-figure fine on the 10 March after the names, contact details and addresses of 10,000 people were leaked because holes in its IT systems.
Microsoft's XP operating system is still being used by millions, despite the imminent discontinuation of support, which has been planned for six years. Almost 28 per cent of desktop users are still using XP, according to data site netmarketshare.com.
This week, the UK Government managed to secure an extra 12 months of support from Microsoft to accommodate the public sector organisations still running XP at the cost of 5.548m.
The data protection watchdog, which upholds information rights in the public interest, said problems will get worse over time as more vulnerabilities are gradually discovered, leading to more "opportunities for an attacker to exploit and potentially gain unauthorised access to systems".
The ICO's technology group manager Dr Simon Rice noted that it is important to remember organisations regularly end support for their older products.
"As a responsible data controller, it is your organisation's responsibility to make sure you have the measures in place to keep people's details safe," he said.
"Anyone using either of these two products must consider their options and ensure that personal data is not unduly placed at risk. Failure to do so will leave your organisation's network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented."
Rice offered some advice for businesses to help protect their systems as the switch-off date nears.
For small businesses, he said, checking for updates that need to be regularly applied to desktop and laptop operating systems should be relatively simple.
For more complex work environments, tests may need to be done to ensure the updates are compatible with the existing infrastructure. And where businesses cannot apply an update, they may need to put additional measures in place to "mitigate the risk".
Although the ICO did not explicitly recommend upgrading to new systems, vendors, including Microsoft, Toshiba and Lenovo, have been offering cut-price packages to entice businesses to upgrade their IT infrastructures.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now