ICO issues data protection warning to users of Windows XP

The ICO has issued a warning about the potential data protection risks due to the end of support for Windows XP

The Information Commissioner's Office (ICO) has warned businesses about the risks created by the end of Microsoft's support for Windows XP and Microsoft Office 2003 on 8 April.

Microsoft has extended security updates for the legacy operating system by 15 months, but many businesses, charities and other organisations will be on their own after that.

This means that if a security flaw is discovered, Microsoft will not release an update to fix it, a point the ICO says businesses using these two products need to note.

A lack of security updates will put company systems and the personal data stored on them at risk, the ICO said, estimating that 30% of all PCs are still using Windows XP.

Research by UK software firm AppSense indicates that around 77% of UK organisations are running XP somewhere in their IT estate.

Gartner estimates that up to 25% of enterprise systems are still running XP, and that a third of large organisations will have more than 10% of their systems still on XP.

The ICO said this could become a serious problem and means many organisations should already be in the process of migrating to a supported operating system, or taking steps to mitigate the risks.

This echoes Gartner advice to find an alternative to Windows XP as soon as possible.

The ICO warned that the risk will increase as more vulnerabilities are discovered, creating more opportunities for an attacker to exploit and potentially gain unauthorised access to systems.
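Before an organisation can migrate or mitigate, it has to know where the unsupported software actually sits in its estate. The script below is an added example, not from the ICO or the article: it audits a constructed inventory export (the CSV column names and host records are assumptions) against the end-of-support date the article names, flags every host still carrying Windows XP or Office 2003, and reports what share of the estate is still on XP, the figure the AppSense and Gartner estimates above describe. The year 2014 for the 8 April date is not stated on the page and is supplied here.

```python
"""Inventory check for end-of-support products.

Added example, not code from the ICO or the article.  Reads a CSV export of
the IT estate (constructed sample below) and reports which hosts run software
that is past its vendor support date, plus the share of the estate still on
Windows XP.  The column names and host records are assumptions for this example.
"""
import csv
import io
from datetime import date

# Products named in the article and the last day on which security updates ship.
# The article gives the date as 8 April; the year 2014 is supplied here.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Office 2003": date(2014, 4, 8),
}

# Constructed inventory export: hostname, operating system, installed office suite.
SAMPLE_INVENTORY = """hostname,os,office
fileserver01,Windows Server 2008 R2,
reception-pc,Windows XP,Office 2003
finance-03,Windows 7,Office 2010
kiosk-lobby,Windows XP,
hr-laptop,Windows 7,Office 2003
"""


def parse_inventory(text):
    """Parse a CSV export into a list of dicts; blank product columns become None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": row["hostname"].strip(),
            "os": row["os"].strip() or None,
            "office": row["office"].strip() or None,
        })
    return rows


def unsupported_products(host, as_of):
    """Return the products on a host whose support has ended before `as_of`."""
    found = []
    for product in (host["os"], host["office"]):
        if product is None:
            continue
        eos = END_OF_SUPPORT.get(product)
        # A product is unsupported once the audit date is past its last update day.
        if eos is not None and as_of > eos:
            found.append(product)
    return found


def audit_inventory(text, as_of):
    """Summarise which hosts carry unsupported software and what share of the estate is on XP."""
    hosts = parse_inventory(text)
    flagged = {}
    for host in hosts:
        bad = unsupported_products(host, as_of)
        if bad:
            flagged[host["hostname"]] = bad
    xp_hosts = sum(1 for h in hosts if h["os"] == "Windows XP")
    return {
        "total_hosts": len(hosts),
        "flagged": flagged,
        # Share of the estate still on XP, the figure the estimates in the article are about.
        "xp_share": xp_hosts / len(hosts) if hosts else 0.0,
    }


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, date(2014, 4, 9))
    print(f"{report['total_hosts']} hosts, {report['xp_share']:.0%} on Windows XP")
    for hostname, products in sorted(report["flagged"].items()):
        print(f"  {hostname}: unsupported -> {', '.join(products)}")
```

Run against a real export, the flagged list is the migration backlog, and the XP share tells you whether you are one of the organisations Gartner describes as having more than 10% of systems still on XP. Running the same audit with a date before 8 April flags nothing, which is the point: the risk the ICO describes appears on a fixed date, not when an attacker happens to find a flaw.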

But the issue is not confined to Windows XP and Microsoft Office 2003, said Simon Rice, the ICO’s technology group manager. “It is important to remember that this is not a unique situation. Organisations regularly end support for their older products,” he said.

Rice said even organisations running newer versions of software have to be vigilant, as vulnerabilities will be discovered over time.

He said that as data controllers, organisations are responsible for ensuring they have measures in place to keep personal data safe.

This means having processes in place to ensure new vulnerabilities can be addressed at an early stage.

“Failure to do so will leave your organisation’s network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented,” he said.

Keeping supported software up to date is relatively simple for small office environments. This mainly means making sure all software security updates are applied, which can often be automated.

“In a more complex environment you might need to test these updates first to make sure they are compatible with your existing infrastructure,” said Rice.

“Where you cannot apply an update, you may need to put additional measures in place to mitigate the risk.”
