Corporations are in business to make money. That’s the premise of the classic business book The Goal, and the point of The Goal is that a lot of companies forget that.
That also means they’re not exactly happy to spend money unless there’s an obvious reason why spending it is going to help them make more money. That’s why you see 30-year-old minicomputers in data centers. The old system is still making the company money, and with no clear financial benefit to replacing it, most businesses are perfectly happy to run the machine until the minute before it will no longer power up.
That’s what makes quitting Windows XP so difficult for businesses. At this point, Windows XP and that 30-year-old minicomputer are both about as sexy as a Plymouth Volare station wagon. But they get the job done, and they’re much better than what they replaced, so the business leaders are content to just keep right on using what’s already paid for.
But that’s the fallacy: Windows XP, Windows 2000, and Windows 2003 aren’t paid for. Businesses generally get an enterprise license, for which they pay an annual fee. Then, when Windows goes end of life, they pay an extra maintenance fee to continue to get support and patches. At least, they’re supposed to pay a maintenance fee to get those two things if they intend to remain compliant with regulations and with their contractual obligations to their customers.
For Microsoft, this means Windows XP is the gift that keeps on giving, because so many businesses can’t quit it. The thing is, Microsoft doesn’t want the money; they want XP gone.
For businesses, this means the effort to save money actually backfires, because they end up paying for software twice. And in the case of Windows XP, the price doubles every year.
And there’s a lot that can go wrong. When you build an old Windows box, if you don’t do everything right, you can end up with a box that’s missing MS08-067, which is open season for attackers. That unmanaged server under Bob’s desk is an MS08-067 risk. Having an enterprise license means it’s probably not illegal, but if the box is unmanaged, it’s a recipe for breaches. We’ll probably never know the details behind the big breaches of 2013 and 2014, but in all likelihood the attackers jumped from unpatched server to unpatched server until they found what they wanted.
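The vulnerability-management side of this is an inventory problem: which boxes run an OS that is out of extended support, which are missing the bulletin the post singles out, and which have quietly dropped out of patch management. The following is an added example, not code from the original post; the hostnames and inventory rows are constructed, the 30-day check-in threshold is an assumed policy, and the support-end dates are Microsoft’s published extended-support end dates for the products named above.

```python
"""Flag end-of-life, unpatched and unmanaged Windows hosts in an inventory.

Added example, not from the original post. The inventory rows below are
constructed sample data; the support-end dates are public facts.
"""
import csv
import io
from datetime import date

# Extended-support end dates for the products the post names.
EXTENDED_SUPPORT_END = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Bulletins whose absence the post calls "open season" for attackers.
CRITICAL_BULLETINS = {"MS08-067"}

# Assumed policy: a host that has not reported in 30 days is unmanaged.
MAX_CHECKIN_DAYS = 30

# Constructed sample inventory: hostname, OS, installed bulletins
# (semicolon-separated), days since last patch-management check-in
# (empty = the host has never reported, e.g. the box under Bob's desk).
SAMPLE_INVENTORY = """\
hostname,os,bulletins,days_since_checkin
fileserv01,Windows Server 2003,MS08-067;MS09-001,3
bobsdesk,Windows XP,,
kiosk07,Windows XP,MS08-067,45
app02,Windows Server 2008 R2,MS08-067,1
"""

def assess_host(row, as_of):
    """Return the list of findings (strings) for one inventory row."""
    findings = []
    eol = EXTENDED_SUPPORT_END.get(row["os"])
    if eol and as_of > eol:
        findings.append(f"unsupported since {eol.isoformat()}")
    installed = {b for b in row["bulletins"].split(";") if b}
    for bulletin in sorted(CRITICAL_BULLETINS - installed):
        findings.append(f"missing {bulletin}")
    checkin = row["days_since_checkin"]
    if checkin == "" or int(checkin) > MAX_CHECKIN_DAYS:
        findings.append("not under patch management")
    return findings

def assess_inventory(csv_text, as_of_iso):
    """Map hostname -> findings for every host with at least one finding."""
    as_of = date.fromisoformat(as_of_iso)
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {r["hostname"]: assess_host(r, as_of) for r in rows}
    return {host: f for host, f in report.items() if f}

if __name__ == "__main__":
    for host, findings in assess_inventory(SAMPLE_INVENTORY, "2014-06-01").items():
        print(f"{host}: {'; '.join(findings)}")
```

Re-running the same inventory with a later `as_of_iso` date shows how a host that is clean today (fileserv01) becomes a finding the day its OS leaves extended support, which is the recurring cost the post describes.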
There is a way off this treadmill. You can run open-source software. This isn’t quite as crazy as it sounds; the only thing offices want that modern Linux has no equivalent for is Outlook. That may or may not be a showstopper. Linux tends to work better on servers for business use than on workstations. But it’s an option. You have to upgrade it as well, but the software dependencies usually aren’t quite as onerous. If upgrades are the problem, Linux may not help as much as you would like, but if money is the problem, the free upgrades take care of that.
The downside is that the software you want may not run on Linux, and there may not be an equivalent. But if you want off this treadmill, Linux is probably the best way off.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.