An insurance agent approached me just last week during a break at a seminar I was teaching to ask: “Does my five-person office really need to change to a new operating system when Windows XP is working just fine?” I suspect there are a lot of businesses – especially small and medium-size – asking the same question.
In truth, nothing will immediately change. No features will be disabled, you will not be forced to upgrade, and even technical support will still be relatively easy to come across. Literally millions of articles have been published about Windows XP, and they won’t disappear overnight.
But – and it’s a big but – the biggest problem your organization faces is the financial ruin you will suffer when you have a data breach because you have allowed personal and private client information stored on your systems to be exposed. Federal and state data breach laws will come down on you hard. And you will have no excuse or defense.
Microsoft revealed that it has been alerted to a serious security flaw in version 6 through 11 of its Internet Explorer web browser. It is working on a fix and will roll it out to users soon. Unfortunately, if you continue to use Windows XP in your organization, you will not get a fix, leaving yourself vulnerable to attack – and the possible theft of client information.
Microsoft created a dedicated webpage that provides more information about the flaw. The company explained: “an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The discontinuation of security patches is the most damaging part of terminating support for XP. Hackers are constantly creating new ways to attack systems. But your computers running Windows XP will no longer be receiving patches to protect them from new malicious exploits. Your system security will continue to degrade over time.
This is especially troublesome for the insurance and financial services industry as they store more private client information than virtually any other business. But – and don’t be fooled – every organization that captures and stores private client information is at risk.
Here are a few suggestions on steps your organization can take to temporarily protect your systems:
- Stop using Internet Explorer until fixed. Use other browsers when you can, including Chrome and Firefox, which are not vulnerable. This can be difficult as many insurance company agency rating and customer service websites only work when using Internet Explorer. The reliance on Internet Explorer only was shortsighted on the carrier’s part. This needs to change so agencies can use whatever browser they deem best.
- Inventory. Take the time to inventory your systems. Know exactly which computers within your organization are currently running Windows XP.
- Verify your legal responsibilities. Because of the data security requirements contained in the HIPAA / HITECH legislation regarding protecting sensitive personal health information, any organization continuing to use the Windows XP platform after April 2014 will likely be considered non-compliant and possibly open to regulatory actions. If your organization has an actual data breach, the fact that your organization negligently compromised security by using a program with a known vulnerability will be problematic at best.
- Understand state data breach requirements. Forty-seven states have some type of security breach notification laws. Generally, these laws apply to citizens of the state. If your clients are residents of multiple states, you need to understand the notification requirements of the law in each state.
- Move to a cloud-based platform. This may be the time to seriously consider moving your technology infrastructure to a third party. Software as a Service (SaaS) systems are inherently more secure than in-house installations. It will be much easier to upgrade just your workstations than your entire network.
- Check cyber liability insurance. If you have purchased cyber liability insurance, check to make sure there are no exclusions or limitations on the policy for using outdated technology.
- Obtain cyber liability insurance. If you have not looked into cyber liability insurance, now is the time.
- Don’t delay. Plan to move off of Windows XP as soon as possible.
Now is the time to take action. Start working on your strategy for moving your organization off Windows XP. Moving to a newer operating system will help you provide a more secure environment in your organization and ensure compliance with HIPAA / HITECH and state data breach statutes.
What steps are you taking to make sure your organization is protected? Please let us know.