Despite looming end of life, study shows XP remains primary OS

A series of customer studies by Fiberlink shows a pattern of risky behavior, and widespread usage of a soon to be dead operating system

Examining data from one million devices, Fiberlink, a mobile management firm, examined the often forgotten part of mobility in the workforce -- laptops. While IT and security vendors focus on Google's Android, Apple's iOS, tablets, and smartphones, Lenovo's ThinkPad and Dell's Latitude chug along, remaining a stable fixture in the workplace. According to Fiberlink, almost 50 percent of the laptops observed in their study are running Windows XP.

[Security experts questions if Google's Chrome Apps is worth the risk]

Not counting extended support contracts, in April 2014, IT and security managers will be forced to face the fact that Windows XP has reached end of life. As is the case with other operating systems, XP will remain as a legacy installation and cause its own share of risk in some cases. However, the explosion of mobile in the work force, which includes laptops procured years ago that now live their life in a constant state of rotation between staff, means that organizations will have some choices to make.

"Looking at the laptops we manage, we see close to 50 percent of customer devices that need to upgrade or be replaced by that time. When speaking with our customers, they are typically not enthused with migrating to Windows 8, which leaves them in a situation where many are going to upgrade to Windows 7 instead or are waiting to see what Windows 8.1 is going to bring to the table," Fiberlink explained in an email to CSO.

Organizations have had some time to prepare for the change from XP, but that doesn't mean that such deployments are finished. However, CSO was curious about the mindset of many IT managers when it came to OS changes and security, particularly management. When considering the two, IT has been looking at platforms that enable them to manage employee-owned and corporate-assigned devices from one instance, and lucky for them -- there are plenty of vendors that claim to do this in the MDM market. (No, seriously, there's plenty of options.

"We were surprised to see that almost half of our laptop customers are still running XP. That number continues to shrink every day, but it's still unclear what many CIO's and IT executives will choose as their next move," Chuck Brown, director of product management at Fiberlink, told CSO.

"We're seeing businesses consider many different options as Windows XP gets closer to the end of its support in April 2014. Potentials options include upgrading employees to Windows 7, waiting to see what Windows 8.1 feels like, and even moving straight to the Windows Surface Pro 2."

Employee-owned laptops (much like employee-owned tables and phones) are a growing trend and a source of risk. IT doesn't want full control over these devices, but if they're being used to access sensitive data or communications, there needs to be some sort of visibility and management, such as pushing patches or enforcing VPN usage.

[Attacks multiply as hackers target unpatched IE flaw]

Speaking to CSO, Brown, said that the enterprise is certainly not abandoning the laptop. In fact, it's quite the opposite as CIO's and IT executives are just as concerned about managing laptops as they are about phones and tablets. All of these devices have the same concerns related to compliance, protecting corporate data and applications. But laptops are just one part of the BYOD profile.

Prior to examining laptop usage, Fiberlink looked at other security metrics, including the use of passcodes on mobile devices. According to a random sampling of 1,000 customers, a majority of the passcodes allowed by IT are simple PINs (93 percent). Of those devices with PINs, 73 percent require a length of 4-5 characters, while 27 percent require greater than five characters.

Further, in July, Fiberlink looked at data risk, and discovered that of those employees who use either a personally owned mobile device, or one issued by their employer, 25 percent of them saved work-related documents into a third-party application (e.g., Dropbox, Quick Office, or Evernote); 20 percent said they've copied work-related documents into personal email; and 18 percent noted that they've used mobile devices to bypass IT's Web filtering policies.

Again, laptops with a soon to be expired OS are just one part of the problem, as this data clearly shows. Long after employees are migrated away from XP, the little things such as weak PINs and risky data handling will still pose the most risk to the business. This is why mobile device usage is such a hot topic, and just like laptops were mid-90s, something that will require planning and time before IT can get a solid handle on it.

[Despite risk of aiding hackers experts favor disclosing vulnerabilities]

Today's workforce is a mash-up of personal and professional gadgets, platforms, services, and applications. IT can no longer sacrifice personal usage over professional, so they're looking for ways to make them work together securely, but making that solution look as good in reality as it does on paper, is easier said than done.

Tags securityMicrosoftWindowssoftwareoperating systems

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Sophos Mobile Control

Data protection, policy compliance and device control for mobile devices

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.