Chief financial officers and audit groups should be taking notice of an issue that would normally be the domain of the IT department and make sure their company has a plan to move off of Windows Server 2003 before its end of life deadline on July 14, experts say.
Many businesses had to scramble last year when Microsoft Corp.’s popular Windows XP OS saw the end of extended support finally arrive. Once that cut-off landmark passed, there were no more security patches or software updates, and third-party software support was likely to end as well. Computers still running the OS after the end-of-support date were exposed to hackers preying on unpatched vulnerabilities.
Now the same is true of the server software that is used by many businesses to serve applications, store databases, distribute emails and a number of other critical functions. HP estimated last May that 11 million Windows Server 2003 installs were in the market, meaning a rate of 25,000 migrations to more modern server software would be required to meet the deadline.
In Canada, Microsoft says about 40 per cent of the install base is Windows Server 2003. That’s a big attack surface.
“It’s one of those hot potatoes that gets passed back and forth between the business and IT,” says Vinay Nair, senior product marketing manager of Windows Server at Microsoft. “From a business perspective where you’re focused on the bottom line, there seems to be a misunderstanding about the risks.”
Beyond the spectre of getting hacked, organizations that have compliance requirements in the financial industry may find they’ve fallen out of compliance simply by not migrating away from Windows Server 2003. The Financial Services Committee of Ontario – the provincial governing body for the financial services sector – is one example of a body that’s issued a mandate to all its members requiring that they be running supported software, according to Nair.
It is not alone. The Payment Card Industry Data Security Standard (PCI DSS) also requires companies to keep systems up to date with vendor-supplied security patches. According to a white paper from Visa Inc., there are scenarios where “compensating controls” could maintain compliance, but it’s “a nearly impossible feat, even for the most security software.”
In a recent report on trends among enterprise audit groups, professional services firm KPMG says these oversight bodies are becoming more concerned about cyber-security. In the wake of several big data breaches reported at major retailers, audit groups are recognizing the risk posed by having corporate IT systems compromised.
There’s an upswing in the amount of legislation requiring enterprises to be proactive about preventing data breaches, says Paul Hanley, a partner of advisory services for cyber security at KPMG. Audit groups should be asking the hard questions about what an organization needs to be doing to comply with those new requirements – or face the consequences.
“In some countries if you have a data breach, the penalties do include custodial sentences,” he says. “So it’s possible you could go to jail.”
While Canada isn’t among those countries, the consequences of suffering a data breach because your firm was running unsupported software are still serious, he says.
Nair wants to be clear about the risk to Microsoft users.
“Anyone that has to handle customer information and private information and is storing it on its Windows 2003 server is running a risk of not being compliant with some of these bodies,” he says.
Days between now and July 14 are running out on the calendar. Chief financial officers and audit groups alike might want to check in with the IT department about their migration plan now.