The BBC has today revealed that the UK’s second largest police force continues to run Windows XP on one in every five of its computers. The findings, obtained through a freedom of information request, found that 1,518 of Greater Manchester Police’s computers were still using the obsolete XP operating system. That figure represented 20.3% of all the computers used in the force.
Windows XP is a 17-year-old operating system that is no longer supported, and indeed considered obsolete, by Microsoft.
In fact, XP reached its “end of life” over three and a half years ago now, so businesses and organisations have had plenty of time to update from XP.
Given the issues that the NHS suffered in the “WannaCry” outbreak back in May, due in no small part to their continued reliance on obsolete operating systems like Windows XP, you’d think this would serve as a further wake-up call to UK businesses and public sector organisations.
So just how widespread is the problem?
Over the past 12 months, I’ve seen Windows XP running on staff machines in a Tesco store, at a major Ford car dealership, and on a patient monitoring system in an Intensive Care Unit at a large NHS hospital (which, rather worryingly, had also BSOD’ed, i.e. shown a “Blue Screen Of Death”).
It seems just about wherever you go in the UK in 2017, you’re likely to encounter a business still running on Windows XP.
So why are UK businesses and organisations relying on XP and not upgrading?
Here are 5 common reasons why organisations still use XP:
1) Complacency and the “If it ain’t broke, don’t fix it” mentality
Let’s face it, XP’s successor, Windows Vista, received a pretty universally poor, or at best lukewarm, reception.
XP had been around for some time prior and had gained a reputation as being a “solid” and “stable” OS, whilst Vista wasn’t seen in the same light. Consequently, many organisations were reluctant to transition to Vista when it became available, and instead stuck with XP.
By the time Windows 7 became available, XP had been knocking around for 8 years. Many organisations who didn’t upgrade to Vista didn’t see the point in upgrading to Windows 7 either, because XP was still working well for them (and still receiving security patches). They’d become “comfortable” and “complacent” in their XP world.
This mentality should have changed by April 2014, when Microsoft stopped providing security updates for XP, but this didn’t faze many XP-reliant businesses. In fact, some large organisations even paid Microsoft millions to go on providing bespoke XP support/patches for their organisation.
Many organisations felt that the cost to upgrade all their computers from Windows XP far outweighed the benefits of running a newer operating system that to many looked “different” to what they were used to with the familiar XP desktop.
This was true for organisations of all sizes: small non-profit charities couldn’t afford to upgrade their handful of computers, while larger profit-driven private businesses with hundreds of computers preferred to keep their profit margins up rather than take a hit by spending thousands on a company-wide operating system upgrade.
Then there’s the public sector – and the NHS and the Police are both prime examples here. As public sector budgets are squeezed ever tighter year on year, where funds are spent is being dictated more and more from a PR position rather than from a practical, operational, and IT security position.
For example, if the Police announced they were going to spend £100m on upgrading all police computers to Windows 10, there would be a public outcry – because the general public would rather that money be spent on “front line police services” instead.
It’s the same in the NHS; taxpayers would rather their money be spent on more doctors & nurses than on expensive IT projects (which the NHS doesn’t have a particularly great track record on anyway!).
3) Lack of Knowledge/Expertise
It’s sad to say, but there are numerous businesses and organisations within the UK whose in-house IT departments have big knowledge and skills gaps – if they even have a dedicated in-house IT team. Many smaller businesses and firms don’t, and choose either to rely on an existing member of staff who “knows a bit about computers” to fix their IT problems, or to outsource all of their IT to an external IT provider.
The drawback of a business “outsourcing” IT to an external agency/provider is that the provider can be perceived (often incorrectly) by the business as trying to “upsell” unnecessary products/services to them. Especially if the business has little or no IT knowledge itself, it will in most cases turn down any additional services/software offered by the provider if it doesn’t recognise or understand the particular necessity/benefit of the offer.
Also, tasking an external IT provider to upgrade all your business’s operating systems is not only significantly more expensive than doing it in-house, but also because you’re placing the task in someone else’s hands, there’s always a small risk that they could mess up and leave you without IT provisions for a period of time – which is a risk that many businesses are unwilling to take, and so they decide it’s just easier to keep using XP.
4) Time Factor
Many organisations lack the physical “manpower” to upgrade their infrastructure in a timely manner. Take for instance a typical large secondary school in the UK which has around 1,500 students. There may well be several hundred computers in the school for student use, not to mention a few hundred additional staff laptops and office machines. There could easily be in the region of 1,000 devices on site. A typical large secondary school may have around 3 full-time IT technicians, responsible for the day-to-day running of the network, resetting lost passwords for students/staff, etc.
It would be difficult to take just one of their IT technicians off the day-to-day tasks in order to upgrade the operating systems of 1,000 machines. Even if he/she could upgrade 15 machines a day, that would still be in excess of two months’ solid work! Of course, the logical time to upgrade a school’s computers would be during the six-week summer holidays – however, this will also tend to be the time that IT staff take holiday, so again there may only be a single technician working at any given time outside of term time.
5) Software Compatibility
Operating system aside for a moment, many businesses run other aging business software which is no longer updated/maintained by its respective vendors.
Many of these aging software products on which the business relies may not be compatible with newer operating systems, forcing the business to choose whether to stick with Windows XP so that their other business software continues to work, or upgrade their operating system resulting in their other business software no longer being able to function.
A good example of this is business “web apps” developed in the mid-90s. Back in the day when Internet Explorer 6 was the default browser on EVERY XP machine, software developers created web sites and business web apps which were designed to run on IE6. No thought was given by the vendors as to compatibility with future incarnations of IE.
Businesses which relied on web apps designed for Internet Explorer 6 found that these no longer functioned correctly (if at all!) on newer versions of IE included with more recent Windows operating system incarnations, and so if the app developer was no longer maintaining their app, the business would simply not bother upgrading their operating systems, as it was deemed more important for their apps to continue to run than to be running a more secure operating system where their apps wouldn’t run.
The way forward….
I’m expecting to continue to see sightings of Windows XP on computers all over the UK for some years to come yet.
But how can the UK kill off XP once and for all?
I don’t believe the answer is just simply for businesses to “spend more money” (although, if Microsoft really wanted to encourage businesses to ditch XP once and for all, they could certainly consider lowering the cost of Windows 10).
At the end of the day, I believe it essentially comes down to education:
- Businesses and individuals need educating on the inherent dangers of using obsolete and unsupported operating systems.
- Taxpayers need educating on the need for public sector organisations like the police and health service to spend money on updating their IT infrastructure. Yes, it would be a significant cost outlay, but this year’s “WannaCry” attack affecting the NHS shows what could potentially happen if they don’t. Lives could literally be put at significant risk without adequate IT spending.
So I encourage you – if you see Windows XP in use at a business or in a store, or at your dentist, or your opticians – challenge them on their continued use of a 17-year-old obsolete operating system!
…and if the business wants to enter your personal information into a computer running Windows XP, consider taking your business elsewhere! If the business is happy to continue to run XP, then they don’t take data security (and the security of your personal information) all that seriously.
Have you spotted Windows XP still in use in the UK? Let me know in the comments below!