Indian Banks at Increased Risk Once Microsoft’s Windows XP Support Ends

Eric Ernest November 13, 2013
The US software giant will end support for its 12-year-old OS in 100 working days, and Microsoft is advising Indian PSU banks to get their migration-from-XP act together in the meantime to better protect themselves against threats and a negative financial impact.

With the 8th April 2014 deadline looming for the end of all Windows XP SP3 support, including security patches, Microsoft is aggressively increasing its focus on getting organizations to move off its 12-year-old OS.

With only 100 business days left before the deadline takes effect, Microsoft’s XP-migration focus in India is especially directed at Public Sector Unit (PSU) banks, given that a Microsoft study conducted by Ascentius Consulting showed that Windows XP still has a penetration of 40-70 percent within this segment.

The wide-ranging impact of this can be seen in the study’s finding that some 34,115 Indian PSU bank branches are at risk due to the continued use of Windows XP. The report noted that letting such a situation continue could result in losses of Rs 1100 Crore worth of business opportunity in a day for banks.

Moreover, the report, titled “Strategic Impact of End of Support of Windows XP on Banks in India”, stated that banks could see a loss of income to the tune of Rs. 300 Crore over a period of 3 days – given that it takes that long for a major incident to be resolved and the system to be up and functioning normally.

The report noted that while banks were aware of the eventual termination of this extended support for Windows XP, many banks have not paid sufficient attention to addressing the risk emanating from this event.

This is despite Microsoft having warned companies for more than a year that support for Windows XP SP3 is going to stop. Back in April 2012, the company had said "If your organization has not started the migration to a modern PC, you are late."

Even the Indian government has lent its voice to emphasize the criticality of the Windows XP migration. In June 2013 it released an advisory encouraging organizations to upgrade to later versions of the Windows OS to avoid non-compliance issues that may result in the “suspension of certificates by Certifying and Auditing organizations,” which should point to the severity of this issue.

“With 100 days left, the security threat is going to get worse [for the un-supported OS users],” says Amrish Goyal, General Manager, Windows Business Group, Microsoft Corporation (India), reiterating that now is the time to move to a newer OS.

The Ascentius study reported that the 100 working days timeline fits well into the estimated period required for banks to move from Windows XP to a more modern OS, right from the time of taking the decision to its implementation, which would amount to around 4-6 months.

“The private sector banks have fared much better in this migration. The PSU bank and government sector are lagging behind significantly,” says Goyal.

Surprisingly, it’s not that the move away from Windows XP is not feasible for banks in the time remaining before the deadline. In Goyal’s view, they haven’t wholeheartedly taken to this migration because they don’t fully grasp the significance of Windows XP support ending in another 5 months. He believes these banks still feel that their outsourced IT service can continue supporting their infrastructure, and as such they don’t see any complication in being out of support.

“This end of providing support is not just another routine system maintenance issue. Indian banks have not faced a situation like this before and so they don’t feel that they can be at the receiving end of an increased threat landscape,” adds Goyal.

“The biggest block in moving to a new OS is [dealing with] the compatibility of existing software and apps with the new OS. The good news is that there is no company in India that is exclusively running Windows XP. They are running a heterogeneous environment with Windows 7, Windows 8 and Windows XP,” explains Goyal on why there is still hope of successfully migrating from Windows XP within the deadline period.

“As such the compatibility issue has already been resolved. Now it’s just a question of moving to the new OS – now it’s just a question of intent and action,” he adds.

Moreover, it is important to note that even without considering the earlier mentioned negative financial impact, there is the expenditure related to supporting the Windows XP environment that organizations have to take into consideration if they continue to use Windows XP.

A Microsoft-sponsored IDC study found that running XP machines costs organizations considerably more to support than comparable PCs running Windows 7. The analyst firm estimated “that the cost of migration is roughly one-third of the cost of nonmigration.”

Such costs come about as a result of having to run XP on older hardware, which is more expensive to operate, in addition to the rising OS support costs once Microsoft ends its support. IDC had noted that organizations spent 82% less time managing patches on Windows 7 systems than they did on Windows XP, as well as spending 90% less time mitigating malware and 84% less on help desk time.

More importantly, these PSU banks have a more tangible reason to upgrade given the productivity benefits of moving away from Windows XP that the IDC study noted. For starters, Windows 7 users wasted 94% less time rebooting their computers and lost 90% less time due to malware attacks.

The IDC report also noted that for every 230 PCs running Windows 7 rather than XP, an organization could shift one full-time IT person to other work – or even do without that resource entirely.

“The move to a modern OS like Windows 8.1 will not only alleviate the risks for users and businesses but will also open up opportunities posed by modern technology, like the cloud, for banks”, adds Goyal.

The software giant had also warned organizations that the chance of malware infecting their Windows XP PCs will increase by two-thirds once the April 8, 2014 deadline is crossed.

Interestingly, back in August of this year an expert had suggested that hackers might sit on zero-day exploits they uncover between now and April, and then sell them to criminals or release them themselves on unprotected Windows XP PCs after the deadline expires.

While such a scenario might not have materialized yet, the mere possibility of it becoming reality should propel organizations to complete their move off Windows XP within the timeframe of the deadline.

As Goyal puts it, getting organizations to migrate so that at the end of the day they have less than 10 percent of their existing systems running Windows XP would go a long way in reducing the impact of the risks involved in continuing to run such a system.

In fact, to show just how serious Microsoft is in its efforts to get these organizations to move away from Windows XP, Goyal stated that the software giant will put up special offers to make it financially viable for these banks to move away from XP. Moreover, he also said that they will be “ready to hold the hands of Banks” by setting up Proof-of-Concepts, with Microsoft directly paying the partners to set this up, without the banks themselves having to do so.

“We will put resources on the table and help the [prospective] banks with the deployments,” concludes Goyal.