Myth: “I use Windows XP/Server 2003, but it's OK, I have a great anti-virus/firewall.”
As of April 2014, Windows XP is no longer supported by Microsoft, and in July 2015 support for Windows Server 2003 ended as well. This is a major issue for any business that still runs either of these in any part of its organization. Regulations are becoming a greater presence in almost every type of business and should be at the forefront of any organization's mind.
One of the most talked-about in the IT realm right now is HIPAA. If you are a health care business still running Windows XP or Server 2003 past their support end dates, then you are automatically not HIPAA compliant.
When you follow this sort of security practice you are placing your organization at risk. Any IT professional worth their salt will always try to mitigate risk wherever possible, and when you put all your eggs in one basket by relying on a single point of security to protect you, you are increasing your risk.
Without support from the manufacturer, your system is in the deep end of zero-day vulnerabilities: every newly discovered flaw stays unpatched, because no fix will ever ship. This scenario will not end well if you have to justify your decisions in litigation arising from a breach of said regulation.
Here are some steps you should take if you think you fall into the risky situation described above.
- Don't do it all at once. Panic will set in and you will want to rip the Band-Aid off in one go. This is not a good idea if your business has 15+ workstations and a server; both monetarily and time-wise it will end up hurting more than helping. Plan to do a few machines a week, and once the workstations are done, pick a weekend and tackle the server last. Being compliant with regulation is important, but remember that keeping your business operational should be prioritized.
- Upgrade your entire system. Whether you buy new machines or upgrade older systems, you must do the entire network. Yes, this even includes systems that are not physically connected to the internet. These lonely islands, protected only by obscurity, are no safer because of their isolation. Most regulations do not care whether your machines are connected or not; your entire system must be up to snuff.
- If you're buying new machines, go with ones that come with a warranty. Building your own machines, or having them custom built, can sometimes give a slight discount on the overall cost of the new system, but without a warranty what you just saved can easily be lost. In the end it is best to go with better-built, covered, and generally more stable business-oriented OEM machines. Most of these come with at least a three-year warranty covering internal parts and labor.
As long as you plan accordingly, the entire process should never be a headache, just another step in the right direction for your business. Do not wait until the last minute, because that is when things are most difficult to correct.
Last-minute projects always entail higher costs and greater room for error because of their rushed nature. Remember, this is an important step toward moving forward and keeping your business in line with regulations and overall security, so take the time to do it right.