Windows XP, Target Data Breach, and Cautionary Tales For CIO Hopefuls
In the wake of the high-profile data breaches during last year's holiday shopping season, many companies are turning their attention to their own information security measures. The most spectacular of these heists was the theft of information on 70 million Target customers by way of vulnerabilities in Target's point-of-sale system. The breach led to the resignation of Target's CIO last month and should serve as a cautionary tale to any ambitious IT professional on the importance of change management when it comes to any company's software platform. In the end, the death of Windows XP could well be responsible for the downfall of not just Target's CIO.
Contrary to the initial reports to Congress by the Secret Service, a follow-up investigation by security firm McAfee revealed that the malware involved in the breach of Target systems was "off the shelf" and "far from advanced". This type of malware is surprisingly easy to purchase from hacker forum websites that exist in the seedier corners of the net. Many point-of-sale systems are susceptible to common malware because of the operating system that they run, which is typically Windows XP. Since XP's release in the fall of 2001, hundreds of vulnerabilities have been discovered and subsequently patched by Microsoft. In the more than a dozen years XP has been on the market, Microsoft has dutifully worked to patch security hole after security hole, until now. At the time of this writing, Microsoft's support, security or otherwise, for Windows XP is over.
Just how difficult is it for companies to upgrade from an established software platform? Difficult enough that entire countries (the UK and the Netherlands) would rather pay Microsoft millions of dollars for dedicated post-end-of-life Windows XP support instead of switching to a newer, more secure operating system. Is it any wonder, then, that companies such as Target, whose CIO was aware of the weak security underlying the point-of-sale systems, find themselves unable to make the switch?
In this lies the lesson for anyone in IT: no platform is permanent and if there is no plan in place for future growth, no established guidelines for change management, and no budget to support such transitions, then not only will the ultimate cost for what happens be higher than it should have been, it may cost someone their job.