Patrick Gray and Darren Pauli of The Register blasted the continued use of XP on Risky Business last week.
But I think their criticism is based on an assumption that may not be correct. They are assuming that because Microsoft’s extended support for Windows XP costs $200, nobody is paying it, because $200 per machine is outrageous.
I don’t think that’s so outrageous. You can easily spend more than $200 in a botched migration. If a visit from desktop support costs $50, it only takes five visits for it to be cheaper to migrate after some preparation. I think $50 is a bit low–that’s what a desktop support call cost 15 years ago when I was doing it. Also remember you’re paying someone to not work during that time.
There was a time when I did backup desktop support for a department that did a botched upgrade. They spent around $4,000 per computer, conservatively, in support costs before they finally let us fix it right. Compared to that, paying $200 per year for extended support to get a year of proper planning sounds pretty reasonable.
Some companies just weren’t ready to go yet. Many, I’m sure, bet that Microsoft would blink. Microsoft didn’t, so now they’re putting their migration plans in order. It’s costing them money, but that’s business. Sometimes you win your bets and sometimes you lose.
They’re also assuming that everything that looks like XP is pure XP. The version of Windows XP on most cash registers and ATMs is supported for another five years, without incurring the $200-per-seat support cost.
I’m not saying XP is a great option. But given the choice between trusting my personal data to a company running XP and applying those patches they’re paying so dearly for, or to someone running 7 and not patching–and there are companies that patch poorly, or once a year, or not at all–I’ll take my chances with a patched XP.
You can’t assume just because an organization is running Windows 7 that their IT organization is in order. And while an organization running XP could be doing better, not every shop that’s running XP is a disaster, either. There’s more to the quality of an organization’s IT governance than that.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.