Running an unsupported OS does create valid concerns around security, drivers, performance and so forth. Once Microsoft stops issuing updates, you'll be left to your own devices on those fronts. Nonetheless, some businesses that still use XP today don't have April 8, 2014 -- the date Microsoft will stop supporting XP -- circled on their calendars. Their reasons vary, but as one managed services provider (MSP) put it recently, XP is still widespread because it works. That's not likely to change overnight.
Yet while some companies and IT pros are comfortable with the risks of running an unsupported OS, they face other requirements and challenges -- some of which have only an indirect relationship with XP's end-of-life date -- that may force them to upgrade. Let's look at three of those scenarios.
1. An Unsupported XP May Mean You're Non-Compliant
Much of the XP end-of-life discussion understandably focuses on security. Microsoft regularly issues updates and patches to fix issues that the bad guys could otherwise exploit, which has led IT and security pros to wonder: What will happen when those fixes stop coming? (The answer varies depending on who you ask.)
What you hear less about is a related issue: the complex world of compliance. That's indeed a source of anxiety for some companies still running XP, though. MSP and Microsoft partner Valor IT caters to many healthcare firms, and some of them are still running XP. That could put them in regulatory hot water next year, according to Valor's business development manager, Christian Castro.
"One of the big concerns in healthcare is that an end-of-life operating system could be interpreted as not being HIPAA-compliant and grounds for federal fines in case of an audit," Castro said in an email interview. "I have spoken with some healthcare providers that are going to continue to use XP and remove all security concerns by essentially making them thin clients that securely connect through a terminal server to access sensitive information."
In another heavily regulated industry, banking, there's no gray area. Banks and credit unions with ATM machines still based on XP will be considered non-compliant with payment card industry (PCI) guidelines as of April 8 unless they have an ongoing support contract, which can be expensive, according to Dean Stewart, senior director of core solutions product management at the security firm Diebold.
"PCI guidelines require that financial institutions provide current operating system patches, security updates and software support for their ATM fleets," Stewart said via email. "Financial institutions unable to upgrade to Windows 7 by the April 8 deadline face increased risk of noncompliance if they cannot adequately support -- and demonstrate that they are supporting -- operating system patches and software upgrades that ensure the security of payment card data."
Penalties for PCI violations aren't widely publicized, according to Stewart, but estimates run anywhere from $5,000 to $100,000 for each month of noncompliance. "That can be catastrophic to the bottom line, especially for smaller financial institutions," he said. That leaves these institutions with little choice unless they can procure -- and afford -- an ongoing support contract.
"The simplest way for banks and credit unions to protect themselves from potential penalties is to upgrade to Windows 7 by the April deadline," Stewart said.
2. Microsoft May Make It Harder To Downgrade Windows 8
Eric Schlissel, CEO of GeekTek IT Services, said some of his XP-based customers are worried about a murkier deadline than the actual support cutoff: the point at which Microsoft may make it difficult to downgrade new hardware running Windows 8 or higher. Today, downgrading to Windows 7 is relatively painless, according to Schlissel, provided you've got the proper images and licenses. He's got an ample supply of both, and downgrading a Windows 8 machine just takes an hour or two per user.
Schlissel's fear, and specifically that of several of his customers who intend to run XP past the end-of-life date in order to stretch their hardware budgets, is that Microsoft may eventually make it tougher (for technical, licensing or other reasons) to downgrade to Windows 7 on new hardware purchases. Microsoft could want to do that to encourage wider adoption of Windows 8.x and the company's broader reinvention as a devices and services company. That's a problem for Schlissel's clients because the ones that have tried Windows 8 universally dislike it.