Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a new version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still works perfectly well and provides you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting a planning over a period of time.
But with the withdrawal of support on Windows platforms and applications comes risk. Security patches no longer get issued, and as cyber security threats continue to be developed exponentially so these platforms become vulnerable to attacks.
The obvious choice is upgrade as soon as possible. But if this is not an option you need to assess the risk of operating in a non-supported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates in security awareness programs or additional monitoring software. There are risk mediated options available but only if you go through the proper process of analysing the threats and impacts of not upgrading to your business.
But upgrade when you can …