Millions of businesses will be putting their customers’ personal data at risk if they fail to upgrade a version of the Microsoft Windows operating system that is set to expire this summer.
On July 14, Redmond, Washington-based Microsoft Corp. will discontinue technical support and security updates for Windows Server 2003, a popular operating system for computers that host websites for online shopping, banking and other services.
Opting not to upgrade to a newer version such as Windows Server 2012 may save businesses money in the short term, but they also would be exposing their customers to a higher risk of data theft and other problems, cybersecurity analysts said. They might even be operating illegally without an upgrade.
There are no hard data on the number of businesses running Server 2003 in Maine, but Microsoft estimates 12 million computers worldwide still were running on it as of July 2014. Its popularity is both a blessing and a curse, analysts said.
“Being the market leader has its downside, and because of its massive installed base of server operating systems, Microsoft often finds its products held to a higher standard than competitive products,” Al Gillen, an analyst at Framingham, Massachusetts-based IDC, wrote in a white paper about the impending Server 2003 expiration. “With Windows accounting for 73 percent of server operating systems installed on servers … it is clear that any action affecting a Microsoft product will affect a wide swath of customers.”
A server is a computer that is configured to respond to requests from other computers, known as clients. Servers can be used to provide client access to databases, files, printers, email, websites, video games or other types of applications. Any computer can be set up to act as a server with the proper software.
Hackers and developers of operating systems are embroiled in an ongoing cat-and-mouse game, with hackers constantly finding new security holes in each operating system and developers patching those holes once they become known.
For Windows users, those patches are released periodically as Windows updates. Once the updates cease, hackers have free rein to find new points of entry that Microsoft will not subsequently block.
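The practical first step for a defender is knowing which hosts are past their support cutoff. The following added example (not from the article or any of the people quoted in it) flags such hosts in an inventory; the end-of-support table is an assumption, using July 14, 2015 for Server 2003 and April 8, 2014 for Windows XP, and the inventory records are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed end-of-support dates (extended support end). Server 2003's entry is the
# July 14 cutoff the article describes; XP's is the April 2014 cutoff it references.
END_OF_SUPPORT = {
    "windows server 2003": date(2015, 7, 14),
    "windows xp": date(2014, 4, 8),
}

@dataclass(frozen=True)
class Finding:
    hostname: str
    product: str
    support_ended: date
    days_unsupported: int

def _match_product(os_string):
    """Map a free-form OS string (as reported by an agent or directory) to a product key."""
    lowered = os_string.lower()
    for product in END_OF_SUPPORT:
        if product in lowered:
            return product
    return None

def find_unsupported(inventory, as_of):
    """Return a Finding for every host whose OS is past end of support on `as_of`.
    `inventory` is an iterable of (hostname, os_string) pairs; the cutoff day itself
    still receives updates, so only dates after it count as unsupported."""
    findings = []
    for hostname, os_string in inventory:
        product = _match_product(os_string)
        if product is None:
            continue
        ended = END_OF_SUPPORT[product]
        if as_of > ended:
            findings.append(Finding(hostname, product, ended, (as_of - ended).days))
    # Longest-unsupported hosts first; sort is stable so ties keep inventory order.
    return sorted(findings, key=lambda f: -f.days_unsupported)

def find_unsupported_iso(inventory, as_of_iso):
    """Convenience wrapper taking the reference date as an ISO string (YYYY-MM-DD)."""
    return find_unsupported(inventory, date.fromisoformat(as_of_iso))

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("web01", "Windows Server 2003 R2 Standard x64 Edition"),
    ("db02", "Windows Server 2012 R2 Standard"),
    ("kiosk7", "Microsoft Windows XP Professional"),
    ("fs03", "Windows Server 2003 Enterprise"),
]

if __name__ == "__main__":
    for f in find_unsupported_iso(SAMPLE_INVENTORY, "2015-08-01"):
        print(f"{f.hostname}: {f.product} unsupported since {f.support_ended} ({f.days_unsupported} days)")
```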
“That’s an enormous problem,” said Edward Sihler, technical director of the Maine Cyber Security Cluster at the University of Southern Maine.
However, operating system upgrades can be expensive – especially for businesses – and can create incompatibilities with older hardware and software, Sihler said.
“Imagine if you have a $15,000 tape library and you are no longer able to access it,” he said.
History shows that a significant number of businesses likely will not upgrade to a newer version of Windows Server before the 2003 version expires. A June 2014 survey by Russian anti-virus software-maker Kaspersky Lab found that more than 16 percent of all computers worldwide still were running on Windows XP two months after Microsoft discontinued support and security updates for that operating system.
Hardware compatibility issues are partly to blame for the vast majority of the world’s automated teller machines continuing to run on Windows XP despite several incidents in which hackers have used unpatched security holes in the operating system to empty ATMs of their cash.
“Windows upgrades are incredibly expensive, and they’re painful,” Sihler said. “There are businesses out there that still use DOS,” a text-based operating system that predates even the earliest version of Windows.
Failing to upgrade Server 2003 to a more modern version of Windows will put not just businesses at risk, but their customers, too, he said.
The United States Computer Emergency Readiness Team, or US-CERT, issued an alert in November warning users of Server 2003 about the dangers of failing to upgrade before support is discontinued.
The alert focused on three issues: elevated risk of malware and data theft, higher likelihood of incompatibilities with newer software and hardware, and the potential illegality of operating an obsolete server.
“Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003,” the alert said.
Regulatory compliance isn’t the only legal concern for businesses that fail to upgrade their servers, said Mark Jennings, senior sales director of network services for IT services firm SymQuest, which has offices in Lewiston and Westbrook.
If customer data is stolen after Server 2003 expires, and those customers file a lawsuit, they would have a strong case for negligence, Jennings said.
“(The defendant) wouldn’t have a whole lot of room to stand on,” he said.
Server 2003 is popular with government agencies, too. The city of Portland still has a few servers running on the operating system but is in the process of upgrading them to the 2012 version, said spokeswoman Jessica Grondin. She said the process should be completed by the end of July.
Small businesses in particular might be reluctant to upgrade because of the associated costs, said Christopher Claudio, CEO of Portland-based information technology consulting firm Winxnet Inc.
A license for the deluxe “Datacenter” version of Windows Server 2012 is $6,155, according to Microsoft’s website, and the standard version is $882. The company also requires each employee who uses the server to have a separate “client access license” that costs $189 for every five users.
However, there are lower-cost upgrade solutions that involve moving services such as email, website and file access to the cloud, Claudio said. Some cloud-based services are actually free to small businesses. Cloud-based services allow customers to use servers that are hosted remotely by the service provider and are accessible over the Internet.
“Because of the cloud, a lot of businesses don’t even need to buy a server,” Claudio said.
Both Jennings and Claudio said they have been working with clients over the past year to upgrade their systems so they don’t get stuck dealing with it at the last minute.
Upgrading from Server 2003 is akin to buying an insurance policy, Claudio said. It is possible that nothing bad will happen to those that don’t, but if something does go wrong the cost to fix it will be much higher.
The fact that the operating system is well over a decade old should be reason enough to convince most businesses that it’s time to opt for something newer, Jennings said.
“If you’re still running something with 2003 in the name, you’ve really got to think about it,” he said.