And lo, it came to pass that the Windows cut-off deadline did pass in the year of 2014 and, oh, how the people did fret and worry, for the hackers were amassing ...
Do you remember the fear-hype of last year when Microsoft warned all who would listen that failing to upgrade from Windows XP would cause untold misery, pain and suffering?
It’s not surprising that the folks at Redmond went hard on the scare-mongering. After all, anything that could get people to move away from the ancient system and spend money on something new (particularly Windows 8) was to be encouraged.
Microsoft had willing allies in the security community who expected hackers to have exploits primed to go the moment the deadline passed. They probably had something of an ulterior motive, no doubt hoping to get some fear-induced exec to sign up for a hefty security service fee. Ulterior motives aside, there was some justification in these warnings. Windows systems are targeted regularly by hackers, as evidenced by Microsoft security updates being celebrated each month on Patch Tuesday.
However, almost nothing happened after 8 April 2014 relating to Windows XP. The only notable problem occurred when FireEye uncovered a campaign called Clandestine Fox, which exploited an Internet Explorer flaw and evolved to focus on XP machines.
Microsoft, though, in a manner that rather undermined its doom-and-gloom message, issued a fix for XP to squash this bug. That’s been about it. In fact, the hype versus the reality has been reminiscent of the Millennium Bug that dominated the headlines back in 1999.
While the XP apocalypse did not happen one day after the support cut-off on 9 April 2014 (phew!), an even scarier, and much more real, threat emerged in the form of Heartbleed (argh!).
This was serious stuff: almost two-thirds of all web servers were affected, leaving millions of web users at risk. Supposedly secure communications, containing user data and passwords, could be snaffled by cyber crooks.
The impact was instantaneous. Reports subsequently discovered that hacks taking advantage of the flaw began within 24 hours, something that was supposed to happen with Windows XP. One of the biggest incidents saw hackers steal the personal data of about 4.5 million patients from hospital group Community Health Systems, as noted by Reuters.
You’d like to think that the threat, and hacks like it, meant that organisations reacted quickly and did everything they could to stop themselves being at risk from the flaw. However, as you can probably guess, they did not, and still haven’t.
New data released to coincide with the one-year anniversary of the discovery of Heartbleed has found that a staggering number of Global 2000 companies are still at risk from the flaw.
This is a sorry state of affairs and suggests that big companies just don’t have the staff required to realise that this is a problem, fix it, or even raise it to a level where someone with a sign-off budget can authorise contractors to do it for them.
But this doesn’t really make sense if you think about it. If you’re in the Global 2000 you must, surely, have the clout and personnel to Get Stuff Done? The only logical reason is apathy, not believing the problem is something that affects you, or could affect you, to any serious degree. This is the problem with so much of security.
And I think, culturally, that the Millennium Bug is the reason. Everyone but proper security experts, who know what they're talking about, treats security threats like Heartbleed or the Windows XP cut-off with a dismissive sneer and some lame joke about 'Oh, yeah, just like the Millennium Bug.'
Windows XP is this era's version of the same problem. The warnings came thick and fast, but millions did nothing and have carried on as normal with no impact on their operations. So perhaps it's no surprise that other problems, like Heartbleed, are being given the same treatment.
However, Heartbleed is a real concern, not some theoretical threat. The bigger issue is that, when another major threat is discovered, and rest assured one will be, the response will be more like XP and the Millennium Bug than Heartbleed.