Windows XP may be 12 years old, but the operating system still holds roughly 31 percent of the market share to date – an estimated 500 million PCs, according to Net Market Share. The widely adopted and battle-proven system offers a user-friendly experience that many organizations have latched onto for employee productivity and day-to-day business operations. On April 8, 2014, however, extended support for XP is scheduled to end, forcing those enterprises still running on legacy systems to either migrate or be left open to security vulnerabilities.

What does this mean for security managers and Chief Information Security Officers (CISOs) at an organization still running XP? If there are any problems, threats or system infections, these organizations will have to manage the issues without Microsoft’s resources. The absence of support leaves enterprises open to countless security threats, especially as hackers are actively pursuing XP’s vulnerabilities to unleash viruses and access the sensitive data that many organizations host on their XP devices. This situation could quickly become an urgent threat to any business still running XP.

Windows XP is already the most at-risk of Microsoft’s supported offerings. The company recently released a security report showing that Windows XP users are almost six times more likely to become infected with malware than Windows 8 users. And it’s no surprise – there are a lot of people still on XP, so there’s a bigger return for hackers and the malware they write.

All signs point to an upgrade, so what is holding these companies back from migration? A major contributing cause is that some mission-critical applications were custom-built for, and can only function properly in, Windows XP. Companies in niche vertical industries in particular have expensive and specialized applications that aren’t part of a normal OS upgrade/refresh lifecycle. So in some cases it’s not as simple as a migration, because IT cannot make all the apps work on newer operating systems. And without some of these tools, business processes will suffer a major disruption, so abandoning the applications isn’t an option either.

Everyone should make a plan to migrate as soon as possible – including structuring the replacement or upgrading of XP-dependent applications. However, there are a few options for organizations to give them more time beyond the April 8th deadline:

  1. Hire the person who built the applications (in some cases more than 10 years ago) to rewrite them and make them compatible with other operating systems. Most organizations that can afford this option have already migrated off XP, but just in case, explore it now.
  2. Shim the app, or “trick” the application into thinking it is running in an XP environment. Not all IT shops possess the skills to do this, and even in the best hands it is risky and, most of the time, it just won’t work.
  3. Go the Citrix virtual route for a while. It is a more secure approach to running XP in the enterprise, but also a significant drain on IT’s budget if you don’t already have a Citrix environment.
  4. Virtualize the application so that it will work in a different operating system – surprisingly effective, but not always a “sure thing.”
  5. Keep XP, but lock down administrative rights and don’t allow any new installations (virtual applications would be a good route here, as they don’t require installations to run). The device will run like a specialized workstation for the legacy application – and only the legacy application. This, of course, is a worst-case scenario and would only be a temporary option to buy you more time after April.
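The lockdown in option 5, as an added example that is not from the original article: a batch script for an XP SP3 machine that strips local administrative rights from the everyday account, disables Windows Installer by policy, and sets a Software Restriction Policy under which only the OS, Program Files and the legacy application may run. The account name clerk, the path C:\LegacyApp and the rule GUIDs are assumptions, as is writing the SRP registry keys directly with reg rather than through the Local Security Policy snap-in.

```batch
@echo off
rem Added example (not from the article): turn an XP SP3 box into a
rem single-purpose workstation for one legacy application (option 5).
rem Assumptions: run from an Administrator prompt; the legacy app lives in
rem C:\LegacyApp (hypothetical); the everyday account is "clerk".
setlocal

rem 1. Remove administrative rights from the everyday account.
net localgroup Administrators clerk /delete
net localgroup Users clerk /add

rem 2. Block new installations: DisableMSI=2 turns Windows Installer off
rem    for every user, administrators included.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f

rem 3. Software Restriction Policies: DefaultLevel 0 = Disallowed, so only
rem    the path rules below may run. PolicyScope 0 = applies to admins too;
rem    TransparentEnabled 1 = check all executables except DLLs.
set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
reg add "%SAFER%" /v DefaultLevel /t REG_DWORD /d 0 /f
reg add "%SAFER%" /v PolicyScope /t REG_DWORD /d 0 /f
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 1 /f
reg add "%SAFER%" /v ExecutableTypes /t REG_MULTI_SZ /d "EXE\0COM\0BAT\0CMD\0MSI\0PIF\0SCR\0VBS\0JS\0HTA\0LNK" /f

rem 4. Unrestricted (0x40000 = 262144) path rules: the OS, Program Files and
rem    the legacy application only. Rule subkeys are GUID-named; these GUIDs
rem    are made up for the example (any unique value works).
set ALLOW=%SAFER%\262144\Paths
call :allow {11111111-1111-1111-1111-111111111111} "%SystemRoot%"
call :allow {22222222-2222-2222-2222-222222222222} "%ProgramFiles%"
call :allow {33333333-3333-3333-3333-333333333333} "C:\LegacyApp"

rem 5. Show the resulting policy; rules apply to newly started programs
rem    after the user logs off and back on.
reg query "%SAFER%" /s
goto :eof

:allow
reg add "%ALLOW%\%~1" /v ItemData /t REG_SZ /d "%~2" /f
reg add "%ALLOW%\%~1" /v SaferFlags /t REG_DWORD /d 0 /f
goto :eof
```

Test on one machine first: anything the legacy application launches from outside the allowed paths (helper tools, updaters) will be blocked and needs its own path rule.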

Those that can’t make the first option happen and can’t afford or justify a Citrix solution will probably have the most success with option four – virtualizing their applications. This can be technical and usually requires some expertise to configure custom apps to run as virtualized versions, but most IT shops can make it work. It is the most practical option for keeping a secure business running without hurting the organization’s bottom line.

Hackers are researching and gathering their resources to target equipment running Windows XP after April 8, 2014. In the long run, companies will need to rebuild applications and redesign business processes, but for the next year or so they can look into options that keep business as usual without putting the company at risk.